Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55
-
Size
1.0MB
-
Sample
230603-aflv9sfd5w
-
MD5
b0263760bf5ff8a38db7cc401763d269
-
SHA1
7518df3da9c6b396e758ee790722ba6cc6148437
-
SHA256
d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55
-
SHA512
b4c7a456a7a63f0795441162977377c286d512c04a745b4bad0fe6390b3e076a5103b0f6ae201da38771e29a0466a3aff55e944732fe308699649f4d998eedff
-
SSDEEP
12288:/MrDy90max4mx1CqdMI8Wum8gOs0SL1/+VZqMNQKxwAUL/0eWpC/DiN/27ncp+8O:Uy9ax/mNtW30K1/+/qMN/xwv0eU2rsO
Static task
static1
Behavioral task
behavioral1
Sample
d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
redline
lupa
83.97.73.126:19046
-
auth_value
6a764aa41830c77712442516d143bc9c
Extracted
redline
metro
83.97.73.126:19046
-
auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a
Extracted
vidar
4.1
c784f88cbd0064e2b88a2354266d33ad
https://steamcommunity.com/profiles/76561199510444991
https://t.me/task4manager
-
profile_id_v2
c784f88cbd0064e2b88a2354266d33ad
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34
Targets
-
-
Target
d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55
-
Size
1.0MB
-
MD5
b0263760bf5ff8a38db7cc401763d269
-
SHA1
7518df3da9c6b396e758ee790722ba6cc6148437
-
SHA256
d3302b81a9086832df8cda2fb407f1a0bb0d78fa63cd08fbc83ce5c399a67a55
-
SHA512
b4c7a456a7a63f0795441162977377c286d512c04a745b4bad0fe6390b3e076a5103b0f6ae201da38771e29a0466a3aff55e944732fe308699649f4d998eedff
-
SSDEEP
12288:/MrDy90max4mx1CqdMI8Wum8gOs0SL1/+VZqMNQKxwAUL/0eWpC/DiN/27ncp+8O:Uy9ax/mNtW30K1/+/qMN/xwv0eU2rsO
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-