Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    c7ed308ad426a12e88150a6a680eb8de202e58760fbeb5b0ea69d1877de7e060

  • Size

    786KB

  • Sample

    230602-jysk7sah7w

  • MD5

    8f91b10adce485d0133d3fe5643bcc72

  • SHA1

    836d2a3a43fa148c934ca12eb38ad1a1aaa6fd99

  • SHA256

    c7ed308ad426a12e88150a6a680eb8de202e58760fbeb5b0ea69d1877de7e060

  • SHA512

    6b7df7d14b9fad5701500fc8d6aa420311c54c015f43b6a87d719af722f9c7732130945d132a33edee62d1c7ae4ef98304d116ce11ac9f368bb76c826f229930

  • SSDEEP

    24576:PyVFM/tyWzDojvkSpLz2/LBcRmuV2ILf:aVFMF/zULb1Q1uV2E

Malware Config

Extracted

Family

redline

Botnet

dars

C2

83.97.73.127:19045

Attributes
  • auth_value

    7cd208e6b6c927262304d5d4d88647fd

Extracted

Family

redline

Botnet

grom

C2

83.97.73.127:19045

Attributes
  • auth_value

    2193aac8692a5e1ec66d9db9fa25ee00

Targets

    • Target

      c7ed308ad426a12e88150a6a680eb8de202e58760fbeb5b0ea69d1877de7e060

    • Size

      786KB

    • MD5

      8f91b10adce485d0133d3fe5643bcc72

    • SHA1

      836d2a3a43fa148c934ca12eb38ad1a1aaa6fd99

    • SHA256

      c7ed308ad426a12e88150a6a680eb8de202e58760fbeb5b0ea69d1877de7e060

    • SHA512

      6b7df7d14b9fad5701500fc8d6aa420311c54c015f43b6a87d719af722f9c7732130945d132a33edee62d1c7ae4ef98304d116ce11ac9f368bb76c826f229930

    • SSDEEP

      24576:PyVFM/tyWzDojvkSpLz2/LBcRmuV2ILf:aVFMF/zULb1Q1uV2E

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks