
General

  • Target

    redline.zip.zip

  • Size

    7.7MB

  • Sample

    250313-zd736avny5

  • MD5

    9e2641df5ef585fdf326b3911b6d0c02

  • SHA1

    bb22f8d78c97bc825e7a06a9767f60fc0acbba1f

  • SHA256

    b3b62cb04437802ec78718be852b36c1fee33e8aed8538ccaf069edc57676b23

  • SHA512

    9b7d5afd70e725e6f8770110ab89c15e7b2b5addfa5592e8e7c3b4eb2610a2dabaaa6ae551760682d0795fb1c0c79b6393d382b8455e6a818f4e04b53df86f0a

  • SSDEEP

    196608:bUVzlwt/pRzOFPLwIiQQK8TNxlQIq9No8/e9viS3xvb/:EwZDsTPBud9Meliej/

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

redline

Botnet

media19n

C2

65.108.69.168:13293

Attributes
  • auth_value

    d6d1029ee103315c8e2d6f15b37e84fc

Extracted

Family

redline

Botnet

v3user1

C2

159.69.246.184:13127

Attributes
  • auth_value

    54df5250af9cbc5099c3e1e6f9e897c0

Extracted

Family

nullmixer

C2

http://kelenxz.xyz/

Extracted

Family

raccoon

Botnet

164fb74855c13a4287d8fe7ac579a35bdf7002ab

Attributes
  • url4cnc

    http://194.180.174.53/takecareandkeepitup

    http://91.219.236.18/takecareandkeepitup

    http://194.180.174.41/takecareandkeepitup

    http://91.219.236.148/takecareandkeepitup

    https://t.me/takecareandkeepitup

  • rc4.plain

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Targets

    • Target

      a2f9f5a099a6b1c2ba6789effefa150aec52c5587e85df9a6963fd03b55d4d57.exe

    • Size

      7.7MB

    • MD5

      0af9c941d86c3914df0d442d51536bd8

    • SHA1

      86ccef66be89113b7deef5a09e3354cdd13b0585

    • SHA256

      a2f9f5a099a6b1c2ba6789effefa150aec52c5587e85df9a6963fd03b55d4d57

    • SHA512

      02d281a14423d066d2bfac8460eff3607aa3aa5c5d8b6c2cf1c3d08e53a15c05eec4a0019ad73cb1b59caef1257236432a19759350ae0d40e65b176b2f4dc62b

    • SSDEEP

      196608:JKtR9T1HusScfQ2BFDg6E801cUMDDYNvyuBbBcb:JwpHbLf9USYNKuUb

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • Raccoon family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Vidar Stealer

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      setup_installer.exe

    • Size

      7.7MB

    • MD5

      6d74d7fdedfd638c81a396151a32de81

    • SHA1

      8c9a62cd9f92beaf135ef6bc56d13d300af41207

    • SHA256

      ad0d5e12252297d905e3b73eb4bf007bf26b5b3dfcae99b5d0e52c6165d0cb26

    • SHA512

      63e9c099d35399b7cb278d01ee66f630f090d55d4bda21e37a09b6a12e5bd4ad035440fb6064f0e880d999dc08c6e9d429237112723c4d9ec08c564f4a391e13

    • SSDEEP

      196608:xPLUCgfWXHx55I2cRKWI885YLO2Rmk8p3xqibcxhJeN3UNhDkMDDhA:xTdgf855IRVIR5Yq2gzxuGy++K

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • Raccoon family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Socelars payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Vidar Stealer

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
