General

  • Target

    a55cbb1c28104a4d9791901ddf2d2c21ac966000f47cfbd7e78419732be8bd5a

  • Size

    625KB

  • Sample

    230604-s55nsacf23

  • MD5

    c50387e1c866ea4e8a6eb06f96148e62

  • SHA1

    bfecc48232e9ef78f38f80c13e5d44089e4696d6

  • SHA256

    a55cbb1c28104a4d9791901ddf2d2c21ac966000f47cfbd7e78419732be8bd5a

  • SHA512

    6eee78ebb2dfe6bbacac742b84359b2da478bd48f3b8c546dfa465faef1ab0cf0f98dcb123468c98afd81223c7ec6211a0e2fc880c8d0c24372fc958b5214fe3

  • SSDEEP

    12288:QMrDy90QX1iehyRnW6gz2uMxaPnMTu/dIQmnbepzhh140:DytX1iehyRW3MxqnMsunWJ

Malware Config

Extracted

Family

redline

Botnet

musa

C2

83.97.73.126:19046

Attributes

  • auth_value

    745cd242a52ab79c9c9026155d62f359

Extracted

Family

redline

Botnet

brain

C2

83.97.73.126:19046

Attributes

  • auth_value

    5fb8269baadec0c49899b9a7a0c8851f

Targets

    • Target

      a55cbb1c28104a4d9791901ddf2d2c21ac966000f47cfbd7e78419732be8bd5a

    • Size

      625KB

    • MD5

      c50387e1c866ea4e8a6eb06f96148e62

    • SHA1

      bfecc48232e9ef78f38f80c13e5d44089e4696d6

    • SHA256

      a55cbb1c28104a4d9791901ddf2d2c21ac966000f47cfbd7e78419732be8bd5a

    • SHA512

      6eee78ebb2dfe6bbacac742b84359b2da478bd48f3b8c546dfa465faef1ab0cf0f98dcb123468c98afd81223c7ec6211a0e2fc880c8d0c24372fc958b5214fe3

    • SSDEEP

      12288:QMrDy90QX1iehyRnW6gz2uMxaPnMTu/dIQmnbepzhh140:DytX1iehyRW3MxqnMsunWJ

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks