Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    NEAS.3fbb9d4961787745bed247e60f6bb7c0.cab

  • Size

    388KB

  • Sample

    231112-17ybgsdc84

  • MD5

    3fbb9d4961787745bed247e60f6bb7c0

  • SHA1

    7a44f213d8b2466d0b4c004a7e978b8e4f3938c2

  • SHA256

    e4d23e5f9a847c2e1310d9417e32480667e43114022bc029c43b15c9bcf8327c

  • SHA512

    936ac04a72eeabb614691155dee0414e40a7bbd4263139ccea56aea596a5e965795bace63b5e5d354eef29196bba7c6cd0df781d25bef9de955b2a58c448f271

  • SSDEEP

    6144:K2/dzA/+8YQ5gVuLfxiDrakvXoN5GR+6TjpPKl1aInE/scz/dL+kq85/Tt:3NNQ57kekvu5q+IjpPK/fIsczVDrt

Malware Config

Extracted

Family

redline

Botnet

j03

C2

aritashl.xyz:80

Targets

    • Target

      0

    • Size

      222KB

    • MD5

      847674f996283eb11f244a75f14f69ab

    • SHA1

      49c335e9c453bc039b1ebf80d443218073cc0732

    • SHA256

      3947dd20b0b4db6ef221606bd63bba5cb9ae476c485123b2ed2490fb41d42af6

    • SHA512

      842a558b1df82f66cb1af52507c73476e36d399a8bccb1560e42f07109f4d41086cced25061709b16e41ad86a77a0c5ff7e3558c71007fea2884a9d0a129b079

    • SSDEEP

      6144:UKObz+evZ2rltMBCLU6TF5efiitf3EW/Sj2t44S/:Uhbz+evZe9cf3EWe2e1

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks whether UAC is enabled

    • Target

      1

    • Size

      337KB

    • MD5

      38774a207db652bfadbfdff6be9638c2

    • SHA1

      c635f7b26c8f3a8bd4b4ff6a931d3e90912d97ff

    • SHA256

      e3800f69ce0cb2730df759efccd81f946b88484a062ccc09fb4009ebc30dee5f

    • SHA512

      a3c9fd1ed0c222f8dbc8f66856311e57b03b83ffb335235767fafb56b953e4c68446bf77d9a71454ef9cd2bef393a29d28d48c356c7a0e2c72ca4ae3ab975b1c

    • SSDEEP

      3072:E8Nvly0Asuj7hA6m2RYUg8M+u5wN4S2Lxgwzi/BR10gvghwXS1HC5pBflaLrFDY:EmY0AsEA21g8WCN4S22wO/jegvqufetY

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Suspicious use of SetThreadContext

    • Target

      2

    • Size

      110KB

    • MD5

      fad37a728b290b93c9295725824094e1

    • SHA1

      e45fb3919c33e22603aa5e897e982f435ae4d653

    • SHA256

      8702bf990104b688074d180214b06291b8d39b905d341261322ab1ce7acfbfc6

    • SHA512

      a20f9e6f80e0b548b1261c2f5b0b0a2b95c845efa305d5c6cd1d546458c985c60b22fb95b8f5b6bf86982d3f0e7069290f540f62611b7c582b359e5907809455

    • SSDEEP

      1536:xO/z6hPABUjO/Zd1716EoLiL4l1HdIaqQPDm0xK8i6f0Zn9PRVW8sW45o40Kv:+zgjO/Zd1RePDmZ8tf05iW4u40K

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v15

Tasks