General

  • Target

    d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55

  • Size

    1.0MB

  • Sample

    230603-aflv9sfd5w

  • MD5

    b0263760bf5ff8a38db7cc401763d269

  • SHA1

    7518df3da9c6b396e758ee790722ba6cc6148437

  • SHA256

    d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55

  • SHA512

    b4c7a456a7a63f0795441162977377c286d512c04a745b4bad0fe6390b3e076a5103b0f6ae201da38771e29a0466a3aff55e944732fe308699649f4d998eedff

  • SSDEEP

    12288:/MrDy90max4mx1CqdMI8Wum8gOs0SL1/+VZqMNQKxwAUL/0eWpC/DiN/27ncp+8O:Uy9ax/mNtW30K1/+/qMN/xwv0eU2rsO

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a764aa41830c77712442516d143bc9c

Extracted

Family

redline

Botnet

metro

C2

83.97.73.126:19046

Attributes
  • auth_value

    f7fd4aa816bdbaad933b45b51d9b6b1a

Extracted

Family

vidar

Version

4.1

Botnet

c784f88cbd0064e2b88a2354266d33ad

C2

https://steamcommunity.com/profiles/76561199510444991

https://t.me/task4manager

Attributes
  • profile_id_v2

    c784f88cbd0064e2b88a2354266d33ad

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34

Targets

    • Target

      d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55

    • Size

      1.0MB

    • MD5

      b0263760bf5ff8a38db7cc401763d269

    • SHA1

      7518df3da9c6b396e758ee790722ba6cc6148437

    • SHA256

      d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55

    • SHA512

      b4c7a456a7a63f0795441162977377c286d512c04a745b4bad0fe6390b3e076a5103b0f6ae201da38771e29a0466a3aff55e944732fe308699649f4d998eedff

    • SSDEEP

      12288:/MrDy90max4mx1CqdMI8Wum8gOs0SL1/+VZqMNQKxwAUL/0eWpC/DiN/27ncp+8O:Uy9ax/mNtW30K1/+/qMN/xwv0eU2rsO

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
