Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    devexec.zip

  • Size

    38.1MB

  • Sample

    240929-tqhfda1cpj

  • MD5

    99c2b6dfb4e472e398623a28a3ce09cb

  • SHA1

    d5631461421dd89ba441090c3950111665c65b69

  • SHA256

    403b1c1beea21cf4f778efd7ad30faf14ecefcd192e99912c9676401c7695a9e

  • SHA512

    33142e73b45bebcc626fccfbdef33d9240b8f01d2f5b58d93296f249af091c002687f633a00ceb1a8a304e7e2c066ea86614fe8ff1d466f818f2a7c44c5d578e

  • SSDEEP

    786432:Y9JMLusOkhflEH9JMLusOkhflRVNyVDNTGsVVsNh3brIXpa+XqDCyGzsmtruuwCa:Y9WqknI9WqknUZKsVVsNh/IXpEeBzsms

Malware Config

Extracted

Family

redline

C2

185.196.9.26:6302

Targets

    • Target

      devexec.zip

    • Size

      38.1MB

    • MD5

      99c2b6dfb4e472e398623a28a3ce09cb

    • SHA1

      d5631461421dd89ba441090c3950111665c65b69

    • SHA256

      403b1c1beea21cf4f778efd7ad30faf14ecefcd192e99912c9676401c7695a9e

    • SHA512

      33142e73b45bebcc626fccfbdef33d9240b8f01d2f5b58d93296f249af091c002687f633a00ceb1a8a304e7e2c066ea86614fe8ff1d466f818f2a7c44c5d578e

    • SSDEEP

      786432:Y9JMLusOkhflEH9JMLusOkhflRVNyVDNTGsVVsNh3brIXpa+XqDCyGzsmtruuwCa:Y9WqknI9WqknUZKsVVsNh/IXpEeBzsms

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Suspicious use of SetThreadContext

    • Target

      devexec/Bootstrapper 1.07.exe

    • Size

      310KB

    • MD5

      66e2659120cbf66a1d60e63e76c941d6

    • SHA1

      d38f3933adb3e70a4f4878fd9388d1f6941981dc

    • SHA256

      816b9928538d75d5eabc68327879e3e205bfe820495a20fa06696865282be378

    • SHA512

      734271b93cbac615b2b8811c2848bbb5b8818414292e5f8261c45ee54dd3f1310002441193e76c83b686ca16be09cc1b0a3d948533ac1b6a23568cfe5018c8c2

    • SSDEEP

      6144:T6hThwAw9HYOzx6BsO/HxISYVFOFM5gdrOpCubFQEXYYSjxSHZbk:T+tmHYuO/RxYy650OpCaF8YSlSHZbk

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      devexec/bin/api

    • Size

      18.7MB

    • MD5

      88fd7dbf04bcf75123d02009aea3f7f7

    • SHA1

      cecf16bdad71e54afc941179ea2b7438a04efa1d

    • SHA256

      01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4

    • SHA512

      2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917

    • SSDEEP

      393216:hqA/D2IIyzg8DolBo6i0KoI6Di42sC1/syU3DXNs6hq8:hqcaZyV0fC1JOpjhq8

    Score
    3/10
    • Target

      devexec/devexec/Bootstrapper 1.07.exe

    • Size

      310KB

    • MD5

      66e2659120cbf66a1d60e63e76c941d6

    • SHA1

      d38f3933adb3e70a4f4878fd9388d1f6941981dc

    • SHA256

      816b9928538d75d5eabc68327879e3e205bfe820495a20fa06696865282be378

    • SHA512

      734271b93cbac615b2b8811c2848bbb5b8818414292e5f8261c45ee54dd3f1310002441193e76c83b686ca16be09cc1b0a3d948533ac1b6a23568cfe5018c8c2

    • SSDEEP

      6144:T6hThwAw9HYOzx6BsO/HxISYVFOFM5gdrOpCubFQEXYYSjxSHZbk:T+tmHYuO/RxYy650OpCaF8YSlSHZbk

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      devexec/devexec/bin/api

    • Size

      18.7MB

    • MD5

      88fd7dbf04bcf75123d02009aea3f7f7

    • SHA1

      cecf16bdad71e54afc941179ea2b7438a04efa1d

    • SHA256

      01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4

    • SHA512

      2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917

    • SSDEEP

      393216:hqA/D2IIyzg8DolBo6i0KoI6Di42sC1/syU3DXNs6hq8:hqcaZyV0fC1JOpjhq8

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks