General

  • Target

    5542a8ed0568b09684d8dac0e253c967c5d30cc5144e48c67eb8ee3e2c239d3a

  • Size

    389KB

  • Sample

    230722-wyck7sbf88

  • MD5

    f6d4f11b9946992eddcb602de952e33e

  • SHA1

    3d6f66f50ce06d261df7b3ed63f582ff80a49244

  • SHA256

    5542a8ed0568b09684d8dac0e253c967c5d30cc5144e48c67eb8ee3e2c239d3a

  • SHA512

    1b1a6d0afd0a4f45d2bf078ed7f6b2521b9afceed9d9d8dae17ff031ae3946c81c2f6471273bab3b79449ce08f02c297f7cab6e1f13d9c5791e53b782934fabf

  • SSDEEP

    6144:KGy+bnr+rp0yN90QE7zqQtY53dNyVO12avHnjQd5+tNERzkcHvtb:6Mrjy90VuQtY5VoSnsy2zJHlb

Malware Config

Extracted

Family

amadey

Version

3.85

C2

77.91.68.3/home/love/index.php

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes

  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks