Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

287573018d...bf.exe

windows7-x64

10

287573018d...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/01/2023, 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    287573018d6b07b5b32fcffc63b9aa017740e4bf.exe

  • Size

    6.2MB

  • MD5

    7854eb17b45359996f52750494cb074c

  • SHA1

    287573018d6b07b5b32fcffc63b9aa017740e4bf

  • SHA256

    7a62100d2ed5e4d93d235b30136ef5bad3ab08d0618354aacb521206ff268ff7

  • SHA512

    b21d2e62e0d1c9da1ee084d2dfd137540493d1974a962853a40b95854c5c37ccfe1ae5ad29adbf0341afaeedd86ffceff81f0aaa608f41e4c8a7cb9ac17a3830

  • SSDEEP

    98304:hPVjSBqqI7eS4zgoy8KiB7+7G/spBBjYjoECUqbtMv:Tr4y8DxAG/sBBj9HUOK

Score
10/10
redlineuniversecity101infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

UniverseCity101

C2

80.89.228.168:5007

Attributes
  • auth_value

    638ab234d171305d6eb5c29368e6c632

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
    "C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4992

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4512-137-0x00007FFE18DE0000-0x00007FFE198A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4512-133-0x00007FFE18DE0000-0x00007FFE198A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4512-132-0x0000000000300000-0x0000000000944000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/4992-140-0x0000000004E50000-0x0000000004E8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4992-136-0x00000000053A0000-0x00000000059B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4992-138-0x0000000004DF0000-0x0000000004E02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4992-139-0x0000000004F20000-0x000000000502A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4992-134-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4992-141-0x0000000005F70000-0x0000000006514000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4992-142-0x0000000005210000-0x00000000052A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4992-143-0x00000000052B0000-0x0000000005316000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4992-144-0x00000000066F0000-0x00000000068B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4992-145-0x0000000006DF0000-0x000000000731C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4992-146-0x0000000006A40000-0x0000000006AB6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4992-147-0x00000000069C0000-0x00000000069DE000-memory.dmp

    Filesize

    120KB

    Download