Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    25fc4d5f40ae2e2be38fbdec5403840468d77c43fd91e75dd3d8bf23b1ee9f5e

  • Size

    1.5MB

  • Sample

    231004-my1hlach78

  • MD5

    2cb4614d6ce81b57ac8b9406c5a965e3

  • SHA1

    f6aea677ee8554a01baf17252d4522755b9dee4a

  • SHA256

    b651dce9ae6e7b6ff8664666e8478a0d7e143f0b2f7967d6c529e848688e99d0

  • SHA512

    fb3e4ccecb047ecdb8222ddc302ff21bd14759c157f9edf4bca2c962d0248bc292a9f1e8f9598d71d9d0a2e8da9db3ece2bd2840c7a5e5d6973b9ecbfa6e3a7b

  • SSDEEP

    24576:tj3yVql60WJtHcI/bDlTSw+hfjtLTrxaUqZPCEFWCdY0IfS8kY+vuKOPWNMPzW4Y:dCVsWJmwcxL3xAPCEMZRfS8R+MPWmyNH

Malware Config

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain
rc4.plain

Targets

    • Target

      25fc4d5f40ae2e2be38fbdec5403840468d77c43fd91e75dd3d8bf23b1ee9f5e

    • Size

      1.5MB

    • MD5

      a72e3c9c7765a8e739b06bd9ba124af4

    • SHA1

      beb0d6e943c3efa39bbe9ba9664efab00fc4a964

    • SHA256

      25fc4d5f40ae2e2be38fbdec5403840468d77c43fd91e75dd3d8bf23b1ee9f5e

    • SHA512

      06b2af7db6ba44e218a943820ef25efe5b8d2de3c01f55063aef7ec830ef7f9284b6b56e1241600df92c5721f68d6a597ca4135300bad73110a3504c6e15605a

    • SSDEEP

      24576:MyNT6xUVc4/bflTcoYTTjpGv93RqZRYEpICPY01XOaY+vzbKsFWNP42KZIe:7tNKA2493uRYEC9i+f+hFWN3Km

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks