Analysis
  max time kernel: 146s
  max time network: 154s
  platform: windows7_x64
  resource: win7-20220901-en
  resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted: 20/12/2022, 04:00
Static task: static1
Behavioral task: behavioral1
  Sample: cd2436f1cec484076be83744b0d4e87f.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: cd2436f1cec484076be83744b0d4e87f.exe
  Resource: win10v2004-20221111-en
General
  Target: cd2436f1cec484076be83744b0d4e87f.exe
  Size: 2.4MB
  MD5: cd2436f1cec484076be83744b0d4e87f
  SHA1: 425319f0e8add17e8f430087ba590190dfbf5250
  SHA256: 5be845902145831466d3b710541d2c5a53cfc50108126c8802b48226e89e1887
  SHA512: b465013ef79f6d16dae386c5b05995b3e95167bfdc49363b93679f33e5c46686edf30ce921c6e60aa62526e2c36bf7f529f217a18c496002e028d90306fd9ab1
  SSDEEP: 24576:pE+5OCYAY49zG/F2Mgeo6erV6X16+vHJrQdPFc3w5TTGgLNMuKbl3RuQ55313b:pN59R8vHJitc3w5TTGgpCl3N
Malware Config
  Extracted: redline
  @forceddd_lzt
  5.182.36.101:31305
  auth_value: 91ffc3d776bc56b5c410d1adf5648512
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/144092-56-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/144092-61-0x000000000041ADCE-mapping.dmp | family_redline
  behavioral1/memory/144092-62-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/144092-64-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1388-63-0x0000000000400000-0x0000000000560000-memory.dmp | family_redline
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1388 set thread context of 144092 | 1388 | cd2436f1cec484076be83744b0d4e87f.exe | 28
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1388 wrote to memory of 144092 | 1388 | cd2436f1cec484076be83744b0d4e87f.exe | 28
  (the same entry is logged 9 times, one per WriteProcessMemory call from PID 1388 into PID 144092)
Processes
- C:\Users\Admin\AppData\Local\Temp\cd2436f1cec484076be83744b0d4e87f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cd2436f1cec484076be83744b0d4e87f.exe"
  PID: 1388
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of PID 1388)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 144092