General

  • Target

    ROBLOX EXECUTOR.zip

  • Size

    13.8MB

  • Sample

    240723-zbptssxbnk

  • MD5

    770187f013607fbc7cbf81f65d9fb342

  • SHA1

    2bda35137289e4aa0107f8c313a545facf7e9c70

  • SHA256

    97b4583f626bf10fa9702567ef2b0c1fb4720291ef02f131b84a5c473dae439b

  • SHA512

    b78d376692039c51ad2010bc4a567405c7932d15add3dd89807b61caa772f8f7563197307b896073b02928f25772f6dcb7a1152c9653a7f66883ae15cfbac133

  • SSDEEP

    196608:z/WyOahwRAnmftmDGh2eam8Dc2Gehjs7qqz5pP3b8oEdV6Fc4gmyzmSkFR:z/W0wR94JeameVGek/Y0g1ij

Malware Config

  • Extracted

    Family: lumma
    C2: https://celosiapatroen.shop/api

  • Extracted

    Family: redline
    C2: 185.196.9.26:6302

Targets

    • Target

      SoftWare V2.1.0.exe

    • Size

      938KB

    • MD5

      945cd2758d8c6ad39758a9be9bc9d183

    • SHA1

      c0856c9df43f598af9e5ec7be51e0172fe47d9c3

    • SHA256

      c248a06cda93d7d5dc8cf79bd4b00007110139a67a3f1ecd68cc9ea5db84b69d

    • SHA512

      c564b8a9c01418c8141fe1933bd739fe514de81f9d60590ab31cabfd58a4c7b6c719b97c8d3a69d81ab1059051e75ff7c89f79f06b598b79dafc49915f393e92

    • SSDEEP

      24576:hwvsLw7d1MaGrLkhilsrf719nfLSWAqixqhCjj:apMaGrLkhP/fLNXPCv

    • Score

      10/10

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      SoftWare V2.1.7.exe

    • Size

      620KB

    • MD5

      553d2164ba72fd00fc1583e6c1537491

    • SHA1

      0f58db9c4639f61324278b87fb4976f23ee4c5fe

    • SHA256

      15be6cc47f2dfda06ccac645c1bade87bd59028ec2a572eb905b7f5a81e8c0e4

    • SHA512

      096972b9333ccb379a82378036f4e1fc1b404d4768b430dce89035e6bce04311ff4e4c7498fd4a12e4409f86d5710546263218bfcf6a23ca217e48b4d0cc81fa

    • SSDEEP

      12288:r82UNTMlKa8IjOv43y9THoifOZ3V81Sh9ZCHwok5ujLVPKS9vdldPgDiJzzZM1H9:wdTMDvjOv4KH/OZyue

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access or copy of a web browser credential store.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext
