
General

  • Target

    2e25be38675349b68ee86da38b70010f.bin

  • Size

    779KB

  • Sample

    230605-mqkr6sga34

  • MD5

    2e25be38675349b68ee86da38b70010f

  • SHA1

    503dd2f959bc7337d83c929e4dd39de987f3fdb7

  • SHA256

    80a5640ed15a2e851c5202648f4be37f06faa27bc0337310a8a39852bad47860

  • SHA512

    1fad5627f7127ee6200d28c7bc3544b9a30447fffc93a13c5282f38d7b6ccd58549d37e2ef059af4cbaaef2a34bed325c04617bcaedc592c2e972f4f69e8c6da

  • SSDEEP

    12288:SMrDy90G6VzOfL/Pl0CksV4xdP+Pw91SfHAnYMG/M72zJPPjlDVA+SQVSPY:5yU10l0f9+0wYnYMJ2JRq+HSw

Malware Config

Extracted

Family

redline

Botnet

musa

C2

83.97.73.126:19046

Attributes
  • auth_value

    745cd242a52ab79c9c9026155d62f359

Extracted

Family

redline

Botnet

brain

C2

83.97.73.126:19046

Attributes
  • auth_value

    5fb8269baadec0c49899b9a7a0c8851f
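
The two extracted configurations above share a single C2 endpoint (83.97.73.126:19046) and differ only in botnet tag and auth_value, i.e. the same operator infrastructure serves two builds. As an added example, not part of the tria.ge report, the following Python turns the report's config fields and file hashes into a small IOC set and runs it over constructed log records; the record shape (dicts with type/dst_ip/dst_port/hash) and the sample records are assumptions for illustration, the IOC values are copied from the report.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class RedLineConfig:
    """One 'Extracted' block of the report: botnet tag, C2 host:port, auth_value."""
    botnet: str
    c2: str
    auth_value: str


# Values copied from the report's two extracted configs.
CONFIGS = [
    RedLineConfig("musa", "83.97.73.126:19046", "745cd242a52ab79c9c9026155d62f359"),
    RedLineConfig("brain", "83.97.73.126:19046", "5fb8269baadec0c49899b9a7a0c8851f"),
]

# MD5, SHA1 and SHA256 of the sample from the report, lower-cased for comparison.
SAMPLE_HASHES = {
    "2e25be38675349b68ee86da38b70010f",
    "503dd2f959bc7337d83c929e4dd39de987f3fdb7",
    "80a5640ed15a2e851c5202648f4be37f06faa27bc0337310a8a39852bad47860",
}


def c2_endpoints(configs):
    """Deduplicate C2 endpoints as (ip, port) tuples. The config stores them as host:port."""
    out = set()
    for cfg in configs:
        host, _, port = cfg.c2.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError if the host is not an IP literal
        out.add((host, int(port)))
    return out


def auth_values_by_endpoint(configs):
    """Group (botnet, auth_value) pairs by C2 endpoint to show which builds share infrastructure."""
    grouped = {}
    for cfg in configs:
        host, _, port = cfg.c2.rpartition(":")
        grouped.setdefault((host, int(port)), set()).add((cfg.botnet, cfg.auth_value))
    return grouped


# Constructed log records (not real telemetry): two hits, three near-misses.
SAMPLE_RECORDS = [
    {"id": 1, "type": "net", "dst_ip": "83.97.73.126", "dst_port": 19046},   # exact C2 match
    {"id": 2, "type": "net", "dst_ip": "83.97.73.126", "dst_port": 443},     # same host, other port
    {"id": 3, "type": "net", "dst_ip": "10.0.0.5", "dst_port": 19046},       # same port, other host
    {"id": 4, "type": "file", "hash": "2E25BE38675349B68EE86DA38B70010F"},   # sample MD5, upper-case
    {"id": 5, "type": "file", "hash": "d41d8cd98f00b204e9800998ecf8427e"},   # MD5 of empty input
]


def match_records(records, configs=CONFIGS, hashes=SAMPLE_HASHES):
    """Return the records that hit a C2 endpoint (ip and port) or a sample hash."""
    endpoints = c2_endpoints(configs)
    hits = []
    for rec in records:
        if rec["type"] == "net" and (rec["dst_ip"], rec["dst_port"]) in endpoints:
            hits.append(rec)
        elif rec["type"] == "file" and rec["hash"].lower() in hashes:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print(c2_endpoints(CONFIGS))
    print(auth_values_by_endpoint(CONFIGS))
    print([r["id"] for r in match_records(SAMPLE_RECORDS)])
```

The network match is deliberately exact on ip and port: RedLine C2 is configured as host:port, and the same host may serve unrelated traffic on other ports, so a hit on the bare IP is better raised as a lower-confidence watch than folded into this rule.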

Targets

    • Target

      2e25be38675349b68ee86da38b70010f.bin

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
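
Of the signatures above, the Defender real-time protection change and the Run key persistence are registry writes, which Sysmon records as Event ID 13 (RegistryEvent, Value Set); the country-code lookup, the Uninstall-key enumeration and the browser profile reads are reads, which Sysmon does not log and which are only visible in sandbox or API tracing such as this report. As an added example, not part of the tria.ge report, the following Python matches constructed Sysmon-style records against the two write behaviours. The records are made up for this example; the report does not state which Defender value the sample modifies, so the DisableRealtimeMonitoring value is used as the illustrative target.

```python
import re

# Constructed Sysmon registry events (not real telemetry). Field names follow Sysmon's
# EventID / Image / TargetObject / Details; Sysmon writes HKCU paths as HKU\<SID>\...
# and DWORD values as "DWORD (0x00000001)".
EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},                                  # RTP disabled by a Temp binary
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\user\AppData\Roaming\update.exe"},           # Run key persistence
    {"EventID": 13, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},                                  # value set back to 0: benign
    {"EventID": 12, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},                                                    # key created, no value set
]

# (rule name, regex on TargetObject, optional regex on Details)
RULES = [
    ("defender_rtp_disabled",
     re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I),
     re.compile(r"0x0*1\)$")),                                          # only a value of 1 disables
    ("run_key_persistence",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
     None),                                                             # any value written under Run
]


def classify(event):
    """Return the rule names a Sysmon Event ID 13 record matches (empty list for anything else)."""
    if event.get("EventID") != 13:
        return []
    names = []
    for name, path_re, details_re in RULES:
        if path_re.search(event["TargetObject"]) and (
                details_re is None or details_re.search(event["Details"])):
            names.append(name)
    return names


def scan(events):
    """Map the index of each matching event to its rule names, keeping Image for triage."""
    results = {}
    for i, event in enumerate(events):
        names = classify(event)
        if names:
            results[i] = names
    return results


if __name__ == "__main__":
    for i, names in scan(EVENTS).items():
        print(i, EVENTS[i]["Image"], names)
```

The Details check on the Defender rule matters: Defender and management tooling write 0 to the same value, so matching on the path alone would fire on the benign record as well. Because the registry read behaviours in this report leave no Sysmon trace, corroborating them on an endpoint means correlating the Image here with the sample hashes and the C2 connection from the configuration section.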
