
General

  • Target

    a882eddca7b8e6dce8a50b87fbd19efa38dc6dfc4c96772fde7be9994b821eec

  • Size

    755KB

  • Sample

    230602-eg6dhshg23

  • MD5

    c26bfff82f4ef6cd819f3ca4f9eca24f

  • SHA1

    14ef056349e712ee1794ef929c1dcdefd6107c28

  • SHA256

    a882eddca7b8e6dce8a50b87fbd19efa38dc6dfc4c96772fde7be9994b821eec

  • SHA512

    d086ecd2cb5a9a8a3a0cb19bc54b5142f570a46602e69923c05b687ea6996d402a1e9c2b4bb5917c582cb116e2d550e84c5ec4a0ff9ab5b2f99a0b7b41c51e70

  • SSDEEP

    12288:FMrKy903u6dVnDgo/VLMmq0u8g6bjTW4IZ+CAgnsvny6Rp5VgX0ienw4R7c68Ep1:7yku6dVnDVLI09fWBsvhj5Umw4Zc68Q1

Malware Config

Extracted

Family

redline

Botnet

dars

C2

83.97.73.127:19045

Attributes
  • auth_value

    7cd208e6b6c927262304d5d4d88647fd

Extracted

Family

redline

Botnet

grom

C2

83.97.73.127:19045

Attributes
  • auth_value

    2193aac8692a5e1ec66d9db9fa25ee00
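
The two extracted configs above share a single C2 (83.97.73.127:19045) and differ only in the botnet id and auth_value. The following script is an added example, not part of the report or the tria.ge tooling: it turns the extracted C2 into a lookup table, parses a constructed Zeek conn.log excerpt (the log lines are made up for this example, not observed traffic) using the #fields header, and flags flows to the C2, either strictly on ip:port or on the IP alone.

```python
"""IOC checks built from the two extracted RedLine configs: parse constructed
Zeek conn.log lines and report flows to the C2, strict (ip:port) or ip-only."""
import ipaddress

# Copied from the "Malware Config" section of the report.
REDLINE_CONFIGS = [
    {"botnet": "dars", "c2": "83.97.73.127:19045",
     "auth_value": "7cd208e6b6c927262304d5d4d88647fd"},
    {"botnet": "grom", "c2": "83.97.73.127:19045",
     "auth_value": "2193aac8692a5e1ec66d9db9fa25ee00"},
]


def c2_endpoints(configs):
    """Map (ip, port) -> sorted list of botnet ids that use that C2.
    Both configs here point at one endpoint, so the map has a single key."""
    endpoints = {}
    for cfg in configs:
        host, port = cfg["c2"].rsplit(":", 1)
        ipaddress.ip_address(host)  # reject anything that is not a literal IP
        endpoints.setdefault((host, int(port)), []).append(cfg["botnet"])
    return {key: sorted(ids) for key, ids in endpoints.items()}


# Constructed Zeek conn.log excerpt (assumption: not from the report), tab-separated.
# Third record reuses the C2 IP on port 80 to show the strict/ip-only difference.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1685700000.1\tCabc1\t10.0.0.5\t49712\t83.97.73.127\t19045\ttcp
1685700001.2\tCabc2\t10.0.0.5\t49713\t93.184.216.34\t443\ttcp
1685700002.3\tCabc3\t10.0.0.7\t49714\t83.97.73.127\t80\ttcp
"""


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def find_c2_flows(conn_log, configs, ip_only=False):
    """Return flows whose responder matches an extracted C2.
    ip_only=True also flags other ports on the same host, which catches a
    rotated port but produces more noise; "botnets" is empty for such hits."""
    endpoints = c2_endpoints(configs)
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for rec in parse_conn_log(conn_log):
        key = (rec["id.resp_h"], int(rec["id.resp_p"]))
        if key in endpoints or (ip_only and key[0] in c2_ips):
            hits.append({"uid": rec["uid"], "src": rec["id.orig_h"],
                         "dst": f"{key[0]}:{key[1]}",
                         "botnets": endpoints.get(key, [])})
    return hits


if __name__ == "__main__":
    for hit in find_c2_flows(SAMPLE_CONN_LOG, REDLINE_CONFIGS, ip_only=True):
        print(hit)
```

Run against real conn.log output the strict mode is the safe default for blocking; the ip-only mode is better suited to hunting, since a shared host like this one may serve several RedLine operators (here "dars" and "grom") on different ports over time.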

Targets

    • Target

      a882eddca7b8e6dce8a50b87fbd19efa38dc6dfc4c96772fde7be9994b821eec

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running the payload.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely read stored browser data: saved credentials, cookies, autofill entries and the like.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Enumerates the entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to list the software installed on the system.

    • Suspicious use of SetThreadContext

      Rewriting the context of another process's thread is the usual final step of process hollowing: the dropped payload is mapped into a suspended process and its entry point is set via SetThreadContext before the thread is resumed.
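
Two of the behaviours listed above (the Run key for persistence and the change to Defender real-time protection) leave registry writes that Sysmon records as EventID 13 (RegistryEvent, value set). The script below is an added example, not part of the report: it encodes those two behaviours as rules over constructed Sysmon-style events (the event records are made up for this example; the registry paths are the standard locations for these settings, and the exact values written are an assumption) and scores a process higher when it triggers more than one. The registry reads behind "Checks computer location settings" and "Checks installed software" are not value-set events and so do not appear in Sysmon; those need a sandbox or API-level trace such as the one this report came from.

```python
"""Classify constructed Sysmon EventID 13 (registry value set) records against
the Run-key persistence and Defender real-time protection behaviours."""
import re

# Rule name -> (regex on TargetObject, optional predicate on Details).
# Names are the signature names from the report; paths are the usual registry
# locations for those behaviours (assumption on the exact value names).
RULES = {
    "Adds Run key to start application": (
        re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
        None),
    "Modifies Windows Defender Real-time Protection settings": (
        re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I),
        # Sysmon renders DWORD values as "DWORD (0x00000001)"; only a set-to-1 counts.
        lambda details: details.strip().upper() in ("DWORD (0X00000001)", "1")),
}

# Constructed Sysmon-style events (assumption: not from the report).
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\victim\AppData\Local\Temp\dropped.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,  # Defender itself re-enabling monitoring: value 0, must not fire
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12,  # key create/delete event: not a value write, ignored
     "Image": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},
]


def match_event(event):
    """Return the names of the RULES an EventID 13 record satisfies."""
    if event.get("EventID") != 13:
        return []
    hits = []
    for name, (pattern, details_ok) in RULES.items():
        if pattern.search(event["TargetObject"]) and (
                details_ok is None or details_ok(event["Details"])):
            hits.append(name)
    return hits


def score_processes(events):
    """Group matched behaviours by Image. A single process both persisting
    via Run and disabling Defender is a far stronger signal than either alone."""
    by_image = {}
    for event in events:
        for name in match_event(event):
            by_image.setdefault(event["Image"], set()).add(name)
    return {image: sorted(names) for image, names in by_image.items()}


if __name__ == "__main__":
    for image, names in score_processes(SAMPLE_EVENTS).items():
        print(f"{image}: {len(names)} behaviour(s): {names}")
```

The Details predicate on the Defender rule is what keeps Defender's own writes (value 0 when protection is re-enabled) out of the results; without it the rule fires on routine policy refreshes.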

MITRE ATT&CK Enterprise v6

Tasks