Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    bfe7066be5112770b1f49b37ec95872bb8c3f18097c0d6def9a3c82959a7f1ba

  • Size

    917KB

  • Sample

    231113-lf7nhscc35

  • MD5

    9172efa71e43f3672f9df7fe76962c51

  • SHA1

    19955e871d53ec6307a0b228edc8507cface8118

  • SHA256

    bfe7066be5112770b1f49b37ec95872bb8c3f18097c0d6def9a3c82959a7f1ba

  • SHA512

    a14498d86c8e16b69c9db05410f6b45e1c04decd8ba758a4f8f9fa1acbca8a7b77a283fd02b384174e63ada96231cba56ce84c3f5e92d2e14b22e6f093144974

  • SSDEEP

    24576:ByaO2Qn5gaeuIsKC/GdLYDFyzX/MRf+JS6sjnio:0am55et9EGW5uX/MRwan

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      bfe7066be5112770b1f49b37ec95872bb8c3f18097c0d6def9a3c82959a7f1ba

    • Size

      917KB

    • MD5

      9172efa71e43f3672f9df7fe76962c51

    • SHA1

      19955e871d53ec6307a0b228edc8507cface8118

    • SHA256

      bfe7066be5112770b1f49b37ec95872bb8c3f18097c0d6def9a3c82959a7f1ba

    • SHA512

      a14498d86c8e16b69c9db05410f6b45e1c04decd8ba758a4f8f9fa1acbca8a7b77a283fd02b384174e63ada96231cba56ce84c3f5e92d2e14b22e6f093144974

    • SSDEEP

      24576:ByaO2Qn5gaeuIsKC/GdLYDFyzX/MRf+JS6sjnio:0am55et9EGW5uX/MRwan

    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks