Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    1412560x00000000038000000.dmp

  • Size

    208KB

  • Sample

    230704-ns3lfadg3t

  • MD5

    870cd03c57605650d014341f59067a5a

  • SHA1

    39e22c3a6a64c857c76c4ce743f82a3dbb696c74

  • SHA256

    033a98a30d65ee55f12bfd51fc282e6abbc111b1f8c8c1d5d4871abc6b0a0ceb

  • SHA512

    9f5a0275b14a76cef86acf29578bb8f7c0d276e16321b56435ce3bcc718690103783e4716136f4ec99814570bda03b6c55b93f6a7c74f2bc76eed9859a425fd9

  • SSDEEP

    3072:d8S4s69gQu2l1/+lEH52BIPUVQ+RwM+IB+SaDtsA4+rSzPDJ8e8h0h:KS4s6Pl1/jUhtcSMtsASRB

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

146.59.161.7:48080

Attributes
  • auth_value

    c2955ed3813a798683a185a82e949f88

Targets

    • Target

      1412560x00000000038000000.dmp

    • Size

      208KB

    • MD5

      870cd03c57605650d014341f59067a5a

    • SHA1

      39e22c3a6a64c857c76c4ce743f82a3dbb696c74

    • SHA256

      033a98a30d65ee55f12bfd51fc282e6abbc111b1f8c8c1d5d4871abc6b0a0ceb

    • SHA512

      9f5a0275b14a76cef86acf29578bb8f7c0d276e16321b56435ce3bcc718690103783e4716136f4ec99814570bda03b6c55b93f6a7c74f2bc76eed9859a425fd9

    • SSDEEP

      3072:d8S4s69gQu2l1/+lEH52BIPUVQ+RwM+IB+SaDtsA4+rSzPDJ8e8h0h:KS4s6Pl1/jUhtcSMtsASRB

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks