Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    cac2e20fd99e79c8582e405e5915685039af3b1e4754f11b56484ea5505f3f62

  • Size

    793KB

  • Sample

    230603-aaxetaeh55

  • MD5

    68ee98fefee356ae35517d4c97965b9a

  • SHA1

    92399476e42fae9e22e7c3440b1295b01bc21941

  • SHA256

    cac2e20fd99e79c8582e405e5915685039af3b1e4754f11b56484ea5505f3f62

  • SHA512

    298cbfac2987fdd1f86c28cba63d2005ba5445e8d7c0d8472d643b72f85e82152f3d434f7a6985bf77587e64efb6863e5d3f17bb751d1b230c75b82573621355

  • SSDEEP

    12288:PMr+y90o+utm0lYc1+ld7c9ntTS4e3PJDM2fCIiRFDM4YtfBgbBSDrorDWzDkdLU:dyT+6eNsnve3PHfCHHmbgbiKW8dY

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

metro

C2

83.97.73.126:19046

Attributes
  • auth_value

    f7fd4aa816bdbaad933b45b51d9b6b1a

Targets

    • Target

      cac2e20fd99e79c8582e405e5915685039af3b1e4754f11b56484ea5505f3f62

    • Size

      793KB

    • MD5

      68ee98fefee356ae35517d4c97965b9a

    • SHA1

      92399476e42fae9e22e7c3440b1295b01bc21941

    • SHA256

      cac2e20fd99e79c8582e405e5915685039af3b1e4754f11b56484ea5505f3f62

    • SHA512

      298cbfac2987fdd1f86c28cba63d2005ba5445e8d7c0d8472d643b72f85e82152f3d434f7a6985bf77587e64efb6863e5d3f17bb751d1b230c75b82573621355

    • SSDEEP

      12288:PMr+y90o+utm0lYc1+ld7c9ntTS4e3PJDM2fCIiRFDM4YtfBgbBSDrorDWzDkdLU:dyT+6eNsnve3PHfCHHmbgbiKW8dY

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks