Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

1526d5952d...ef.exe

windows7-x64

10

1526d5952d...ef.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe

  • Size

    415KB

  • Sample

    240721-h77aaawdjg

  • MD5

    b54b8cd2e321a3f31a07921940c351fa

  • SHA1

    926253e894b9afb824726e7312ac65220509acf9

  • SHA256

    1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef

  • SHA512

    623c20242072f4ef03aed0eaacf90e9a35fabf04562d9fc6f86e653fb42e2f09df089c839402b652279fdb17dc097299d84dea6658165d54dc4cdf7deda7aa31

  • SSDEEP

    12288:CPXaOtGpmLb84Jjzo6yDBuKuJ+ITOCV0d:C7tGpmf8edychVV0d

Score
10/10
amadeylummaredlinestealc1307newbilde76b71livetrafficqlldiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes
  • install_dir

    8254624243

  • install_file

    axplong.exe

  • strings_key

    90049e51fabf09df0d6748e0b271922e

  • url_paths

    /Kiru9gu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

QLL

C2

http://85.28.47.70

Attributes
  • url_path

    /744f169d372be841.php

Extracted

Family

redline

Botnet

1307newbild

C2

185.215.113.67:40960

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.52.165.210:39030

Extracted

Family

lumma

C2

https://edificedcampds.shop/api

https://unseaffarignsk.shop/api

https://shepherdlyopzc.shop/api

https://upknittsoappz.shop/api

https://liernessfornicsa.shop/api

https://outpointsozp.shop/api

https://callosallsaospz.shop/api

https://lariatedzugspd.shop/api

https://indexterityszcoxp.shop/api

https://reinforcedirectorywd.shop/api

Targets

    • Target

      1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe

    • Size

      415KB

    • MD5

      b54b8cd2e321a3f31a07921940c351fa

    • SHA1

      926253e894b9afb824726e7312ac65220509acf9

    • SHA256

      1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef

    • SHA512

      623c20242072f4ef03aed0eaacf90e9a35fabf04562d9fc6f86e653fb42e2f09df089c839402b652279fdb17dc097299d84dea6658165d54dc4cdf7deda7aa31

    • SSDEEP

      12288:CPXaOtGpmLb84Jjzo6yDBuKuJ+ITOCV0d:C7tGpmf8edychVV0d

    Score
    10/10
    amadeye76b71trojanlummaredlinestealc1307newbildlivetrafficqlldiscoveryinfostealerspywarestealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks