General

  • Target

    18e3be05be56c8ecda7fcf9357981113b79a95e7d589f734ec9736454c988970

  • Size

    1020KB

  • Sample

    231011-lw3z9shc43

  • MD5

    ef2e8597fb5f1c2738256ca5c2018a3f

  • SHA1

    01feb6c44f65099970fe74aac46088ac5b1322b9

  • SHA256

    8e111e4ed3dbc58242ff9547d7b72c5eabcf2828daa603de412e0dab59dc410d

  • SHA512

    c78869a065bcf706549fbc14a00578e2cdad7d3aeb7b4b6b0727d2b76b280ebf13305392d80bd63e3a5534f3daf1648ff8d11550b724ed8ed4a57261bbda3d43

  • SSDEEP

    24576:XnMyCoW/LhgyzQ1U2aDZnu8IgMsVcb48oL5Ur+C6vNKW9Nh28Uw:37CogGU2aluMMsSbYdUrdrkNM8r

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes

  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • rc4.plain

  • rc4.plain

Targets

    • Target

      18e3be05be56c8ecda7fcf9357981113b79a95e7d589f734ec9736454c988970

    • Size

      1.0MB

    • MD5

      bb4b1795621375c555686f62fe6f231a

    • SHA1

      a7a7099abb39ae02082963e65e9f852edb33115b

    • SHA256

      18e3be05be56c8ecda7fcf9357981113b79a95e7d589f734ec9736454c988970

    • SHA512

      d731ab3670e761cc671e7694bdfe62b6d86ac7b76eac247ddf297ac6b888e8923065a62711656e07407e146af0582a8b8d7c56bde1361e6c9c7b7dbd3f4c06cc

    • SSDEEP

      24576:zyeW/thgybQXUuaDZtY0ugYQBQhyB48oL5Ur+s6vN8z9NhyWf:Geo6Uua3YUYQGIB4dUrfzNkW

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks