Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2022, 21:53
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220901-en
General
-
Target
tmp.exe
-
Size
137KB
-
MD5
7357ebff6a98df7135b5b4be8ff5451d
-
SHA1
7ea82d17eb6d7b1a4c5a2d5240a1ca63bc9809e1
-
SHA256
54ab734131bcbfaded15776d689015fb747cc7919b70b2d8b1808e103bacebb4
-
SHA512
5a23c49b243610ca82ca0308d1b01341da22a59cdaf62b682ee2333bc2e4465c875f5a78f422a2281d9684d76e116bdebcaad98f31e9717db65e4b6779a85fdd
-
SSDEEP
3072:zYO/ZMTF//4Y7DcN8YOuNZ8AV4DFlyRzqhdSSB6y:zYMZMB//4YkCYOuNaylqhc
Malware Config
Extracted
redline
bred
77.73.134.251:4691
-
auth_value
0e8ad10c690c62fa90b012542647f121
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/1260-132-0x0000000000BA0000-0x0000000000BC8000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1260 tmp.exe 1260 tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1260 tmp.exe