Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    55d1c316fb0793db404128d8b3e52b6c2dbfad1807fa32df9a0bdd4c69612fc3

  • Size

    1.0MB

  • Sample

    231011-rjn88scd6x

  • MD5

    27025db6fefc4915847f7618e064bcb4

  • SHA1

    26ebdfc994dabcacbd71d27a4053d1877c0c6b58

  • SHA256

    c3243ab22f62ec080f4841997788f6f095591c6a0ff4f0396fe11f89d0c19647

  • SHA512

    f3c863ee54c685e9f4e304a8ba77367abba5a6d2e1b4ae01e4b10babf2bb3e54adaf659253775a51432bd259e43c709d0eab58cb599fe1b4a933be124ee775e9

  • SSDEEP

    12288:xC4Jy90S8v7hhasJ5CKJnIgt9tKhrOACNYVy5w/bFIP1EmNkhJjs4w1lgD7/vLfq:84Jya1lKyCvChmzaLOjxwsD77X50

Malware Config

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

rc4.plain
rc4.plain

Targets

    • Target

      55d1c316fb0793db404128d8b3e52b6c2dbfad1807fa32df9a0bdd4c69612fc3

    • Size

      1.1MB

    • MD5

      f854303dbef70748ff335ec73fe52b1d

    • SHA1

      68d0b2dcbdeedcae62603c34ab1f8e87debe1f8b

    • SHA256

      55d1c316fb0793db404128d8b3e52b6c2dbfad1807fa32df9a0bdd4c69612fc3

    • SHA512

      350d678842d1310263309edfcad90cbf38299afb1096a462118c9ab3d5caa02b7c2e022ca96ff03778489b3de8d1841be562bc2716c8686a1ce9e92daf73d37b

    • SSDEEP

      12288:9MrHy90O7L7h/us75ESJy6LzQtFT2hrgACNYLV+67K/bFI71EyNm3663ljs4w1ll:Sy3F51nUOdCCh+z4Rg3PjxwdT9SZj0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks