
General

  • Target

    a64b66057fea79ab0abd54b7f92fe177596daa8e1d1c993ea7f2f4d4e44f71a3

  • Size

    1.0MB

  • Sample

    231011-ycsfmshc4z

  • MD5

    978b0a883b20d4230655557a4c2b928e

  • SHA1

    64fc259db5e2b097babc8e23403867176c887f1c

  • SHA256

    aad5431b40a2781ed3c9fbc2649c770a5b1ada9d177d2cd13c1d14569801b38c

  • SHA512

    4b5bf83444feb9321e6d3a723f4337f3cc1cedef7a0f9c0d5399c1eb93ef40399b9938c9b16dcc4d080a374e800562d46b08da38f79a3fcf2528f082d68e5228

  • SSDEEP

    24576:GV7yl1UcSGk2fN5yC9kQMMIzlnggnrcYKngbED86HKcmrjEg/u1B:GVuD6G7NIC9LMllguMnFDBmrjESu/

Malware Config

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes

  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

Attributes

  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • rc4.plain

Targets

    • Target

      a64b66057fea79ab0abd54b7f92fe177596daa8e1d1c993ea7f2f4d4e44f71a3

    • Size

      1.1MB

    • MD5

      45abf3cef2066c64769261bf17ed32be

    • SHA1

      aaee422456d014588649be752fe4407786b5b1ed

    • SHA256

      a64b66057fea79ab0abd54b7f92fe177596daa8e1d1c993ea7f2f4d4e44f71a3

    • SHA512

      de04fdebaaa5ef134712f4246f0c49b8b5c43b0ab634e845d2b70cfb160723cfff159ccc4b59ceffb6ee235d2c818614415ffc82a82b8c4712cc5b5fc8f60606

    • SSDEEP

      24576:IyJJGS2fmzMDGCymzkyMMkzJ/gg7fKS4bEDIEHmr/xHrjOgzu1C:PJJGZmzM6mz/MHJoVSNDo/xHrjOAu

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Mystic stealer payload

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
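Added example, not part of the tria.ge report: the extracted RedLine and Amadey configuration above and the behaviours listed under Targets (dropped EXE executed from install_dir\install_file, Run key persistence, Windows Defender real-time protection change, outbound C2 connections) turned into a small Python matcher that runs over constructed Sysmon-style and proxy events. Only the C2 addresses, the install directory and the install file name come from the report; the event field names, the Defender registry value path, the drop location under %TEMP% and the sample events themselves are assumptions made for the demo.

```python
"""Indicator matcher built from the tria.ge config above (added example).

Report-derived indicators: RedLine C2 77.91.124.82:19071, Amadey C2
http://77.91.68.52/mac/index.php, Amadey install_dir/install_file.
Everything else (event layout, registry paths, sample log) is assumed.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# --- indicators copied from the "Malware Config" section ------------------
REDLINE_C2 = ("77.91.124.82", 19071)
AMADEY_C2_HOST = "77.91.68.52"
AMADEY_C2_URL = "http://77.91.68.52/mac/index.php"
AMADEY_INSTALL_DIR = "fefffe8cea"
AMADEY_INSTALL_FILE = "explonde.exe"
# Path suffix to look for in process-creation events: "\fefffe8cea\explonde.exe".
AMADEY_DROP_SUFFIX = ("\\" + AMADEY_INSTALL_DIR + "\\" + AMADEY_INSTALL_FILE).lower()

# --- behaviour indicators from the "Targets" signature list ---------------
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Assumption: the "Modifies Windows Defender Real-time Protection settings"
# signature corresponds to this policy value; the report names no path.
DEFENDER_RTP_RE = re.compile(
    r"\\windows defender\\real-time protection\\disablerealtimemonitoring$", re.I)


@dataclass(frozen=True)
class Hit:
    rule: str
    index: int  # position of the matching event in the input stream


def rules_for(ev: dict) -> list[str]:
    """Return the names of every indicator rule a single event satisfies."""
    hits: list[str] = []
    eid = ev.get("EventID")
    if eid == 3:  # Sysmon: network connection
        if (ev.get("DestinationIp"), ev.get("DestinationPort")) == REDLINE_C2:
            hits.append("redline_c2")
        if ev.get("DestinationIp") == AMADEY_C2_HOST:
            hits.append("amadey_c2")
    elif eid == 1:  # Sysmon: process creation
        if ev.get("Image", "").lower().endswith(AMADEY_DROP_SUFFIX):
            hits.append("amadey_install_exec")
    elif eid == 13:  # Sysmon: registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        # Tie the Run-key rule to this sample's install file so a normal
        # autostart entry (e.g. OneDrive) does not fire it.
        if RUN_KEY_RE.search(target) and AMADEY_INSTALL_FILE in details.lower():
            hits.append("amadey_run_key")
        if DEFENDER_RTP_RE.search(target) and details.endswith("(0x00000001)"):
            hits.append("defender_rtp_disabled")
    elif ev.get("EventType") == "proxy":  # web proxy log, URL based
        if ev.get("Url", "").lower().startswith(AMADEY_C2_URL):
            hits.append("amadey_c2")
    return hits


def scan(events: Iterable[dict]) -> list[Hit]:
    """Run every rule over every event and collect the hits in stream order."""
    return [Hit(rule, i) for i, ev in enumerate(events) for rule in rules_for(ev)]


# Constructed sample events (not real telemetry): a few benign lines mixed
# with the activity the report describes. The %TEMP% drop path is assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\fefffe8cea\explonde.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\explonde.exe",
     "Details": r"C:\Users\victim\AppData\Local\Temp\fefffe8cea\explonde.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 3, "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 3, "DestinationIp": "77.91.124.82", "DestinationPort": 19071},
    {"EventID": 3, "DestinationIp": "77.91.68.52", "DestinationPort": 80},
    {"EventType": "proxy", "Url": "http://77.91.68.52/mac/index.php"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:24s} event #{hit.index}: {SAMPLE_EVENTS[hit.index]}")
```

The Run-key rule is deliberately scoped to the report's install_file rather than to any Run-key write, and the RedLine rule requires both IP and port, so a host that merely talks to the /24 or sets an unrelated autostart entry does not fire; widen them only once you have confirmed the infrastructure is still in use.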

MITRE ATT&CK Enterprise v15

Tasks