Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
02/12/2021, 12:29
Static task
static1
General
-
Target
2eda567739acd1ef47402909d754e492cee2ea8432ff1b1942e4554473fb8d4d.exe
-
Size
370KB
-
MD5
9fcff3b97db56ac8a0b96096fbe2c765
-
SHA1
ef199b7789de9e9bb43f7e78f6b54aad710586ff
-
SHA256
2eda567739acd1ef47402909d754e492cee2ea8432ff1b1942e4554473fb8d4d
-
SHA512
7324479c933389b779ca5eefc086482485c3eb341e446a04a84e6cd721bace78cf6323167051c6598a9f1f3992b932fad877b0d91d0a0fe0469d083f972fd37b
Malware Config
Extracted
Family
redline
Botnet
1
C2
45.9.20.59:46287
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral1/memory/3520-122-0x0000000004C60000-0x0000000004C8E000-memory.dmp family_redline behavioral1/memory/3520-124-0x0000000004CE0000-0x0000000004D0C000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3520 2eda567739acd1ef47402909d754e492cee2ea8432ff1b1942e4554473fb8d4d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3520 2eda567739acd1ef47402909d754e492cee2ea8432ff1b1942e4554473fb8d4d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2eda567739acd1ef47402909d754e492cee2ea8432ff1b1942e4554473fb8d4d.exe"C:\Users\Admin\AppData\Local\Temp\2eda567739acd1ef47402909d754e492cee2ea8432ff1b1942e4554473fb8d4d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520