General

  • Target: FireyYoy.zip
  • Size: 5.5MB
  • Sample: 240714-gc6vla1clb
  • MD5: 8f4bae7500e656c693398bf8b351ec5e
  • SHA1: 9b0be4cb58a6f1ab0b07c345bfe5925dfb8af61e
  • SHA256: 18bc7eedbc38c08acd67766fdb5b10a363ccf3a7a806837d25d9297a4b765c65
  • SHA512: 4413c1bd3236070032d9254450a2b566468b0e0b41289813b3648ccabe76ccb9d77a33913babee866d6280574776d974556663dd2b7712d3f117e1b59cab7cef
  • SSDEEP: 98304:/aTkBf/5m4ZHHZfCZOuvaaf1fZGsPpRui+zVvM7Qoucb3/XBOd8f15GT+niuvxQb:kk1ZH5fCZSaf7pRuiivYiA3/XAd8f15+

Malware Config

Extracted

  • Family: redline
  • C2: 185.196.9.26:6302

Targets

    • Target: ExtremeHeatV1.exe
    • Size: 1.8MB
    • MD5: 21b1abb89858efc1d5e208809bc05484
    • SHA1: 3500a0d0bcb31bcd272ce12aea424d640bdd457e
    • SHA256: 1cd69c6b0dfd033c9867aed55f5ce4fb493dca2196749bd4b17377d85c880030
    • SHA512: edd390234dbab5b81296f01212d71b7f68e6607feee9d8ddde151800a94c1fa2a5126ef5e5cec9e0b68d73b535c41d4343961f89fa0b34d23098dd1cf5588d5b
    • SSDEEP: 49152:nI7FaW6jNfNXixBuw+azvycdQNkLuJtSviz+NaHD4EpMriA4tfa+cahYdVqm5RTU:n

    Score: 7/10

    • Loads dropped DLL
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Suspicious use of SetThreadContext

    • Target: ExtremeHeatV2.exe
    • Size: 1.4MB
    • MD5: ed01f3cf478e4790181271c5a3b7109c
    • SHA1: ddb9fe7c5d9dc6d80408db79ae7375740d834d6d
    • SHA256: a16cca79c64623d15ccbaa9a0a93e9bcb61e6b08a19fb7137bd03a5f6ba24ec4
    • SHA512: 2639186903f366e744b77c038e4b6c06f5f482bf1b4ad6d8170fd7fd8a17e7d36d75bf19428125ef030cc4daa90b6f96793a082f175ff28c0a3493237526e844
    • SSDEEP: 24576:o/+kQajiTaN0UsfjTcYZqMZQx/OkmuRgsOK1pf/OGQdZUkWNN:nkC0MZQx/OkmuRgsOK1pf/OGQdZUkWNN

    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Loads dropped DLL
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Suspicious use of SetThreadContext