General

  • Target

    40e19666c393f1c97703635ee1c75282f304fa8392926361f70a26d6f29e29f7

  • Size

    1.4MB

  • Sample

    231012-rc5bwadc2y

  • MD5

    6e24e3a049e654de8c7f47df5de93cce

  • SHA1

    59bfe17dfd0252b8fffecaf18951447742427391

  • SHA256

    40e19666c393f1c97703635ee1c75282f304fa8392926361f70a26d6f29e29f7

  • SHA512

    2128dd6f0d307652f2fa0c6f83dc05c3d3897440350957658270e071cec5e679b299a353024d120659c34d80f9fb18bd85aca3749e503d7cf639b2a7c652447c

  • SSDEEP

    24576:ilFu5KIjel9OUJY1wjiur7OvUpoyxJj9OeJC6gOk0ZSYfssQospWs:P57jel9OkNjl/nmyr9O6gO79fgpWs

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

rc4.plain

Extracted

Family

redline

Botnet

prets

C2

77.91.124.82:19071

Attributes

  • auth_value

    44ee9617e145f5ca73d49c1a4a0c2e34

Targets

    • Target

      40e19666c393f1c97703635ee1c75282f304fa8392926361f70a26d6f29e29f7

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks