General

  • Target

    972f03ab2defe5bc60bb1ff4708de7f1dc74d0d1c84cad98b63e7710dba9f699

  • Size

    390KB

  • Sample

    230717-g93jfabc2s

  • MD5

    daae7c9db59632b8d97fc6cfa528932f

  • SHA1

    82eea3606cfb1c6eb3e2985e6c152341017f4ccc

  • SHA256

    972f03ab2defe5bc60bb1ff4708de7f1dc74d0d1c84cad98b63e7710dba9f699

  • SHA512

    5121bac1b4a3096c90bf5fa0f75ba0c36eb64e2a2ecea5326aefc10de04c282e6019e1fc9f1a3ed4317b925847ace2e11e74246fe6f1d972094979a6c7e7a777

  • SSDEEP

    6144:Kmy+bnr+up0yN90QErG0rqHFeyZUg4q9JX5fdYZ4QhMaHQTwSTDzW7pTz6pB+JXU:SMrOy90jy34CJJg4QVQTJzOTMB+C

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.85

  • C2

    77.91.68.3/home/love/index.php

Extracted

  • Family

    redline

  • Botnet

    zahar

  • C2

    77.91.68.56:19071

  • Attributes

    auth_value: 94c55a31fcf1761f07eeb4a0c6fb74fa

Targets

    • Target

      972f03ab2defe5bc60bb1ff4708de7f1dc74d0d1c84cad98b63e7710dba9f699

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application
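The behaviours the report flags above (Defender real-time protection tampering, a Run-key autostart, the registry country-code lookup) and the two C2 endpoints from the extracted configs, turned into simple detection logic as an added example. This code is not part of the tria.ge report or of the Amadey/RedLine samples. It runs over a constructed, Sysmon-style log in a toy pipe-separated format; the registry key and value names it matches on are assumptions (the report does not say which keys this sample touched), as are the process and file names in the sample lines. Only the C2 addresses are taken from the report.

```python
"""Toy behaviour/IOC detector for the signatures in this report (added example).

The log format, process names and registry key choices are assumptions made
for the example; the C2 addresses come from the report's extracted configs.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# From the report's extracted configs (Amadey 3.85 and RedLine botnet "zahar").
C2_HOSTS = {
    "77.91.68.3": "amadey (77.91.68.3/home/love/index.php)",
    "77.91.68.56": "redline (77.91.68.56:19071)",
}

# Assumed registry locations for the listed behaviours (not from the report).
DEFENDER_RTP_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
GEO_KEYS = (r"HKCU\Control Panel\International\Geo",)

# Constructed sample log, one event per line: kind|image|target|value.
# The process and file names are invented for the example.
SAMPLE_LOG = """\
reg_set|C:\\Users\\admin\\AppData\\Local\\Temp\\sample.exe|HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring|DWORD (0x00000001)
reg_set|C:\\Users\\admin\\AppData\\Local\\Temp\\dropped.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dropped|C:\\Users\\admin\\AppData\\Local\\Temp\\dropped.exe
reg_query|C:\\Users\\admin\\AppData\\Local\\Temp\\sample.exe|HKCU\\Control Panel\\International\\Geo\\Nation|-
net_conn|C:\\Users\\admin\\AppData\\Local\\Temp\\sample.exe|77.91.68.3:80|tcp
net_conn|C:\\Users\\admin\\AppData\\Local\\Temp\\sample.exe|77.91.68.56:19071|tcp
net_conn|C:\\Windows\\System32\\svchost.exe|13.107.4.50:443|tcp
reg_set|C:\\Windows\\explorer.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|DWORD (0x00000001)
"""


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _split_key(target: str) -> tuple[str, str]:
    """Split 'HKLM\\...\\Key\\ValueName' into (key, value_name)."""
    key, _, name = target.rpartition("\\")
    return key.lower(), name


def detect(log_text: str) -> list[Finding]:
    """Apply the four rules to every event line and return findings in log order."""
    run_keys = {k.lower() for k in RUN_KEYS}
    geo_keys = {k.lower() for k in GEO_KEYS}
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        kind, image, target, value = raw.split("|", 3)
        if kind == "reg_set":
            key, name = _split_key(target)
            # Rule 1: a Disable* value under Real-Time Protection set to 1.
            if key == DEFENDER_RTP_KEY.lower() and name.lower().startswith("disable") \
                    and value.endswith("(0x00000001)"):
                findings.append(Finding("defender_rtp_disabled", image, name))
            # Rule 2: any value written under a Run key is an autostart entry.
            elif key in run_keys:
                findings.append(Finding("run_key_persistence", image, f"{name} -> {value}"))
        elif kind == "reg_query":
            key, name = _split_key(target)
            # Rule 3: reading the configured country code (possible geofence).
            if key in geo_keys:
                findings.append(Finding("geo_check", image, name))
        elif kind == "net_conn":
            host, _, _port = target.rpartition(":")
            # Rule 4: outbound connection to a C2 host from the extracted configs.
            if host in C2_HOSTS:
                findings.append(Finding("c2_contact", image, f"{target} ({C2_HOSTS[host]})"))
    return findings


def shared_c2_network(prefix_len: int = 24) -> ipaddress.IPv4Network | None:
    """Return the common network of all C2 hosts at prefix_len, or None.

    Useful as a hunting pivot when several extracted C2s sit in one block.
    """
    nets = {ipaddress.ip_network(f"{h}/{prefix_len}", strict=False) for h in C2_HOSTS}
    return nets.pop() if len(nets) == 1 else None


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.rule:24} {f.image:55} {f.detail}")
    print("shared C2 network:", shared_c2_network())
```

The benign lines (svchost.exe to a non-C2 address, explorer.exe writing an unrelated HKCU value) produce no findings; both C2 addresses fall in the same /24, which is the kind of overlap worth pivoting on when hunting for related infrastructure.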
