General

  • Target

    e79d8336d5b68750ee79ea61ef25c814664800bb3a42760ca084b1e19a95b6dc

  • Size

    1.0MB

  • Sample

    231011-ycpdzsah82

  • MD5

    fbf29db40d19c26dae0e390fb5b02467

  • SHA1

    8cfafd7eabdc0eeff70260b9eb291db7800ed343

  • SHA256

    1170b5a205b59f4120f20d3b17ee403d9f4510afec3f3e9606437abab9084ece

  • SHA512

    fe85fcd369b854c7a1985791024ba9f0407a8d9fc691ee5c52f16a58cb232a2939e0d7c4a69e996ac5b225831f41998695c6eaabe8ca3d9d475c2a645c31fc8a

  • SSDEEP

    24576:r6ycLs7L0ttolRP/aPl3pW86S1Jmn5yTDpsS475aVjmm9x:rBGs74oTaPlp6S05yTDpsS4Va1jr

Malware Config

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • rc4.plain
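To turn the two extracted configs above into something a blocklist or a hunt can consume, the following is an added example (not tria.ge code and not part of the sample) that normalizes the C2 entries and the sample hashes from this report into flat IOC records. The RedLine endpoint is a raw host:port socket while the Amadey entries are HTTP panel URLs, and the parser distinguishes the two. The EXTRACTED structure, the record field names and the validation rules are this example's own assumptions about layout; the values are copied from the report.

```python
"""Normalize the extracted RedLine/Amadey configs into a flat IOC list.

Added example, not tria.ge code. Config values are transcribed from the
report; the record layout and field names are assumptions of this example.
"""
import ipaddress
import json
import re
from urllib.parse import urlparse

# Extracted configs as shown in the report, transcribed into a structure
# resembling a sandbox export (structure is an assumption, values are not).
EXTRACTED = [
    {"family": "redline", "botnet": "darts",
     "c2": ["77.91.124.82:19071"],
     "attr": {"auth_value": "3c8818da7045365845f15ec0946ebf11"}},
    {"family": "amadey", "version": "3.89",
     "c2": ["http://77.91.68.52/mac/index.php",
            "http://77.91.68.78/help/index.php"],
     "attr": {"install_dir": "fefffe8cea", "install_file": "explonde.exe",
              "strings_key": "916aae73606d7a9e02a1d3b47c199688"}},
]

# Digests from the General section, used to check digest lengths.
HASHES = {
    "md5": "fbf29db40d19c26dae0e390fb5b02467",
    "sha1": "8cfafd7eabdc0eeff70260b9eb291db7800ed343",
    "sha256": "1170b5a205b59f4120f20d3b17ee403d9f4510afec3f3e9606437abab9084ece",
}
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_HOSTPORT = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")


def parse_c2(value):
    """Split a C2 string into its kind, host, port and (for HTTP panels) URL.

    'ip-port' is a raw socket endpoint (RedLine style); 'url' is an HTTP
    panel (Amadey style). Anything else is rejected rather than guessed.
    """
    m = _HOSTPORT.match(value)
    if m:
        port = int(m.group("port"))
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {value!r}")
        return {"kind": "ip-port", "host": m.group("host"), "port": port, "url": None}
    u = urlparse(value)
    if u.scheme in ("http", "https") and u.hostname:
        default = 443 if u.scheme == "https" else 80
        return {"kind": "url", "host": u.hostname, "port": u.port or default, "url": value}
    raise ValueError(f"unrecognised C2 form: {value!r}")


def validate_hashes(hashes):
    """Return the names of digests whose length or alphabet is wrong."""
    return [k for k, v in hashes.items()
            if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[k], v)]


def build_iocs(extracted, hashes):
    """Return de-duplicated IOC records: hashes, C2 endpoints, hosts, filenames."""
    iocs = [{"type": name, "value": digest, "family": None}
            for name, digest in hashes.items()]
    for cfg in extracted:
        for c2 in cfg["c2"]:
            p = parse_c2(c2)
            iocs.append({"type": "c2-" + p["kind"], "value": c2, "host": p["host"],
                         "port": p["port"], "family": cfg["family"]})
            try:
                ipaddress.ip_address(p["host"])
                iocs.append({"type": "ip", "value": p["host"], "family": cfg["family"]})
            except ValueError:
                iocs.append({"type": "domain", "value": p["host"], "family": cfg["family"]})
        install_file = cfg["attr"].get("install_file")
        if install_file:
            iocs.append({"type": "filename", "value": install_file, "family": cfg["family"]})
    seen, out = set(), []
    for ioc in iocs:  # dedupe on (type, value), keep first occurrence order
        key = (ioc["type"], ioc["value"])
        if key not in seen:
            seen.add(key)
            out.append(ioc)
    return out


if __name__ == "__main__":
    assert not validate_hashes(HASHES)
    print(json.dumps(build_iocs(EXTRACTED, HASHES), indent=1))
```

The host-only IP records are emitted separately from the full endpoint so that a firewall blocklist can consume the address while a proxy rule can still match the exact panel path; IPv6 literals in host:port form are deliberately not handled, since neither family above uses them.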

Targets

    • Target

      e79d8336d5b68750ee79ea61ef25c814664800bb3a42760ca084b1e19a95b6dc

    • Size

      1.1MB

    • MD5

      89be0e5c9bafa7eacae32e04b9171572

    • SHA1

      758d8a89b3133d6c0ebf34e2fdd92158fd4430fc

    • SHA256

      e79d8336d5b68750ee79ea61ef25c814664800bb3a42760ca084b1e19a95b6dc

    • SHA512

      64e7b52603bbb768ec42f6d8e8d561677d3d13a6fe322199574986761c0a10544ca9e5d0072105abb62a5aaab8fe2abdd7196ffc4bd8a1f01ecd071fef76f2d9

    • SSDEEP

      24576:YyedPrr8LLylTP/tP43Y8YS1Jgn5WTDpszNaVjOm5A:fkPrUy9tP6YSK5WTDpspa1b5

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
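The behavioural signatures listed above are pattern matches over the events the sandbox records (registry reads and writes, file drops, process starts, API calls). As an added illustration, not tria.ge's own rule engine, the Python below replays a constructed event trace that mirrors this report's findings against simplified versions of five of those rules, including one stateful rule (a dropped file that is later executed). The event trace, the Temp directory used to place install_dir, the process IDs, and the registry key read for the geofence check (the GeoID under Control Panel\International\Geo) are assumptions of this example, not values taken from the report.

```python
"""Replay simplified behavioural signatures over a constructed event trace.

Added example, not tria.ge's signature engine. All events below are made up
to mirror the report's findings; paths, PIDs and the geofence registry key
are assumptions, not observed values.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    pid: int
    kind: str         # "reg_query", "reg_set", "api", "file_write", "process"
    target: str       # registry path, API name, file path or image path
    data: str = ""    # value written / API argument summary


DROP = r"C:\Users\admin\AppData\Local\Temp\fefffe8cea\explonde.exe"  # assumed path

# Constructed trace, in the order a sandbox would log it.
EVENTS = [
    Event(1200, "reg_query", r"HKCU\Control Panel\International\Geo\Nation"),
    Event(1200, "file_write", DROP),
    Event(1200, "process", DROP),
    Event(1332, "reg_set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\explonde.exe", DROP),
    Event(1332, "reg_set",
          r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
          r"\Real-Time Protection\DisableRealtimeMonitoring", "1"),
    Event(1332, "api", "SetThreadContext", "target pid 1408 (suspended child)"),
]

# Registry patterns; double backslashes are regex escapes for one backslash.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)

# Stateless rules: each looks at a single event.
STATELESS = {
    "Checks computer location settings":
        lambda ev: ev.kind == "reg_query" and bool(GEO_KEY.search(ev.target)),
    "Adds Run key to start application":
        lambda ev: ev.kind == "reg_set" and bool(RUN_KEY.search(ev.target)),
    "Modifies Windows Defender Real-time Protection settings":
        lambda ev: ev.kind == "reg_set" and bool(DEFENDER_RTP.search(ev.target))
        and ev.data.strip() == "1",
    "Suspicious use of SetThreadContext":
        lambda ev: ev.kind == "api" and ev.target == "SetThreadContext",
}


def executes_dropped_exe(events):
    """Stateful rule: a path written during the run is later started as a process."""
    written, hits = set(), []
    for ev in events:
        if ev.kind == "file_write":
            written.add(ev.target.lower())
        elif ev.kind == "process" and ev.target.lower() in written:
            hits.append(ev)
    return hits


def run_signatures(events):
    """Map each signature name to the events that triggered it (empty ones dropped)."""
    report = {name: [ev for ev in events if pred(ev)] for name, pred in STATELESS.items()}
    report["Executes dropped EXE"] = executes_dropped_exe(events)
    return {name: hits for name, hits in report.items() if hits}


def triggered(events):
    """Sorted list of signature names that fired, the way a report lists them."""
    return sorted(run_signatures(events))


if __name__ == "__main__":
    for name, hits in run_signatures(EVENTS).items():
        print(f"{name}: pids {sorted({ev.pid for ev in hits})}")
```

The Defender rule requires the written value to be "1" so that a policy being set back to "0" does not count as tampering; the Run-key rule matches on the key path rather than the dropped filename so it still fires if the operator renames install_file.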
