Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
556cc22826538cbdd3d0010ddb93bd0d97e443798a546efb99a6220f4dbe76eaN
-
Size
1.8MB
-
Sample
241006-yelqwawfke
-
MD5
b6a30c74cf4ada6ed79f9627af48a3b0
-
SHA1
711bde1c76c6039e04a02ebbf92d54ca19e8b3d0
-
SHA256
556cc22826538cbdd3d0010ddb93bd0d97e443798a546efb99a6220f4dbe76ea
-
SHA512
d602f74e7e19766bbfae09a6aba8c9a58d9936019b26926dff63c2f5718f6489f9a106ca7e742fd11ae97db263308c7a768443cc6d0660b5bcc017136148b2eb
-
SSDEEP
49152:dkSnU+QqCvJ2wn26gD3lMe6ULQpy25bZPa:dW2w26gD3lgYQpyUbR
Static task
static1
Behavioral task
behavioral1
Sample
556cc22826538cbdd3d0010ddb93bd0d97e443798a546efb99a6220f4dbe76eaN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
556cc22826538cbdd3d0010ddb93bd0d97e443798a546efb99a6220f4dbe76eaN.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
136.244.88.135:17615
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
stealc
zalupa
http://95.217.92.42:22
-
url_path
/7db38bfff9324bbe.php
Extracted
redline
newbundle2
185.215.113.67:15206
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
remcos
MIX
liveos.zapto.org:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
music.exe
-
copy_folder
db
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
ire
-
mouse_option
false
-
mutex
Rmc-GHRUZU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
stealc
doma
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Extracted
amadey
4.41
1176f2
http://185.215.113.19
-
install_dir
417fd29867
-
install_file
ednfoki.exe
-
strings_key
183201dc3defc4394182b4bff63c4065
-
url_paths
/CoreOPT/index.php
Targets
-
-
Target
556cc22826538cbdd3d0010ddb93bd0d97e443798a546efb99a6220f4dbe76eaN
-
Size
1.8MB
-
MD5
b6a30c74cf4ada6ed79f9627af48a3b0
-
SHA1
711bde1c76c6039e04a02ebbf92d54ca19e8b3d0
-
SHA256
556cc22826538cbdd3d0010ddb93bd0d97e443798a546efb99a6220f4dbe76ea
-
SHA512
d602f74e7e19766bbfae09a6aba8c9a58d9936019b26926dff63c2f5718f6489f9a106ca7e742fd11ae97db263308c7a768443cc6d0660b5bcc017136148b2eb
-
SSDEEP
49152:dkSnU+QqCvJ2wn26gD3lMe6ULQpy25bZPa:dW2w26gD3lgYQpyUbR
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Adds policy Run key to start application
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4