Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25/10/2022, 15:24
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
2.4MB
-
MD5
5822501defeaba5c16980f624a6055ac
-
SHA1
afe6ad1d05d03196bfc481d4b0e88c8e3fbfae5e
-
SHA256
4432a90f67c985a48c470e7b04d59728a766818bf0237b0bc40c0b9837768bef
-
SHA512
722f3d6bc96d722618951da637412ee53f45f703cc81244eac8dc1051f34a23f5c95a9598f7a4727d11ffb93b514364fc82e4ca12cf2a51ddba789358009a7d5
-
SSDEEP
49152:z9b2lFsaTG3exSTiJfgst2CTRbZw2yUZp7s0HN0eUNKwiFEud:z9b2lFsaUiJ72EDwgZpnHN5xwiFhd
Malware Config
Extracted
redline
1310
79.137.192.57:48771
-
auth_value
feb5f5c29913f32658637e553762a40e
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/101764-133-0x0000000000570000-0x0000000000598000-memory.dmp family_redline -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5096 set thread context of 101764 5096 file.exe 83 -
Program crash 1 IoCs
pid pid_target Process procid_target 101912 5096 WerFault.exe 81 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 101764 vbc.exe 101764 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 101764 vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 5096 wrote to memory of 101764 5096 file.exe 83 PID 5096 wrote to memory of 101764 5096 file.exe 83 PID 5096 wrote to memory of 101764 5096 file.exe 83 PID 5096 wrote to memory of 101764 5096 file.exe 83 PID 5096 wrote to memory of 101764 5096 file.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:101764
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 986962⤵
- Program crash
PID:101912
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5096 -ip 50961⤵PID:101800