Resubmissions

  • 25/06/2024, 12:01: 240625-n62aja1gmj (score 10)
  • 25/06/2024, 11:59: 240625-n54n9s1frr (score 10)

General

  • Target: OBS-Studio-30.1.2-Full-Installer-x64.exe
  • Size: 128.3MB
  • Sample: 240625-n62aja1gmj
  • MD5: bce9a48d09577df4232002803be8b7e7
  • SHA1: 89651d5a375fbe6c0b03e03d7bbd62dac314e2f2
  • SHA256: a4a57464834be9fcea74d15fe5712dcf86e7c673d82706cdf8cfbc5aa9fea17f
  • SHA512: 1d31e7b8a356db0d48f614b2f17ad760a9e4a0cd1e358613c328bf5a66c45094618ee520f5d2b1cfce9d5eeb5bd52b95bbe31a1390ead30c699c4cdf1a1084d9
  • SSDEEP: 3145728:AxJfr5z+wXxayKEFtlKvbA7Nj3bfmSRcgQ/zjpcazd7jpk:UfVzHFt0U7NTD+ljpcaRZ

Malware Config

Extracted

  • Family: redline
  • Botnet: xXx
  • C2: 185.236.228.125:15140

Targets

    • Target: OBS-Studio-30.1.2-Full-Installer-x64.exe (hashes as listed under General above)

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
