General

  • Target

    dc6005a225949af9e6c8b9c7f7ccca72b8a23bacb5c58fe54db8307138714052

  • Size

    729KB

  • Sample

    230531-lm3yxaea39

  • MD5

    58050a1ebf8c3e4b23f3761673cd91af

  • SHA1

    7939756aeb4aba6321df0f41dafa06695b6838d9

  • SHA256

    dc6005a225949af9e6c8b9c7f7ccca72b8a23bacb5c58fe54db8307138714052

  • SHA512

    bd278b076baa4b264fe6fe5e9bd9ec88886562be0b46b7fb23a3b6d1ee41af37c9453ffe4ce1cada1eebbf25ab6578209e089a77c5573c1d2cc01fd25cd9ef25

  • SSDEEP

    12288:nMr4y90L27behJsC4Vd3XSa1GDem0khcOdJ0Q03cSQZ/w1spkngKVO3zvAI:nyzne4C4Vdp4R30Q0TQZ/asuV6zvAI

Malware Config

Extracted

Family

redline

Botnet

musa

C2

83.97.73.127:19045

Attributes

  • auth_value

    745cd242a52ab79c9c9026155d62f359

Extracted

Family

redline

Botnet

tinda

C2

83.97.73.127:19045

Attributes

  • auth_value

    88da3924455f4ba3a1b76cd03af918bb

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks