General

  • Target

    072eeac1d272e9e512a2cacef8a9a3f9def1dfaf8ca9161415354995b88d12a1

  • Size

    1.1MB

  • Sample

    230922-g3r45aea3v

  • MD5

    0ad89329839df76bb66e483ae56be239

  • SHA1

    ff37f406b34e95458d08f2876243ba8b5c12a8e1

  • SHA256

    072eeac1d272e9e512a2cacef8a9a3f9def1dfaf8ca9161415354995b88d12a1

  • SHA512

    0bbb54b7478be71943d17f095b4743667900f0b34bc50c9627eaaf9b1db7e41ca846120476334b2ded4102ddc7fc336ec6c86a6a8fa70052adcdccf33565a824

  • SSDEEP

    24576:WywuSZYDHn97qIbvtL7mqEa0WN03En97jnKD1C:lRBbvx7mqlsEn9nY

Malware Config

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes
  • auth_value

    c13814867cde8193679cd0cad2d774be

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • rc4.plain

  • rc4.plain

Targets

    • Target

      072eeac1d272e9e512a2cacef8a9a3f9def1dfaf8ca9161415354995b88d12a1

    • Size

      1.1MB

    • MD5

      0ad89329839df76bb66e483ae56be239

    • SHA1

      ff37f406b34e95458d08f2876243ba8b5c12a8e1

    • SHA256

      072eeac1d272e9e512a2cacef8a9a3f9def1dfaf8ca9161415354995b88d12a1

    • SHA512

      0bbb54b7478be71943d17f095b4743667900f0b34bc50c9627eaaf9b1db7e41ca846120476334b2ded4102ddc7fc336ec6c86a6a8fa70052adcdccf33565a824

    • SSDEEP

      24576:WywuSZYDHn97qIbvtL7mqEa0WN03En97jnKD1C:lRBbvx7mqlsEn9nY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks