Analysis
max time kernel: 91s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/01/2023, 18:55
Static task: static1
Behavioral task: behavioral1
Sample: 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
Resource: win10v2004-20220901-en
General
Target: 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
Size: 6.2MB
MD5: 7854eb17b45359996f52750494cb074c
SHA1: 287573018d6b07b5b32fcffc63b9aa017740e4bf
SHA256: 7a62100d2ed5e4d93d235b30136ef5bad3ab08d0618354aacb521206ff268ff7
SHA512: b21d2e62e0d1c9da1ee084d2dfd137540493d1974a962853a40b95854c5c37ccfe1ae5ad29adbf0341afaeedd86ffceff81f0aaa608f41e4c8a7cb9ac17a3830
SSDEEP: 98304:hPVjSBqqI7eS4zgoy8KiB7+7G/spBBjYjoECUqbtMv:Tr4y8DxAG/sBBj9HUOK
Malware Config
Extracted
Family: redline
Botnet: UniverseCity101
C2: 80.89.228.168:5007
Attributes
auth_value: 638ab234d171305d6eb5c29368e6c632
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4512 set thread context of 4992 | 4512 | 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe | 80
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4992 | InstallUtil.exe
4992 | InstallUtil.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4992 | InstallUtil.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4512 wrote to memory of 4992 | 4512 | 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe | 80
(the same row is recorded 8 times, one per WriteProcessMemory call into PID 4992)
Processes
1. C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe"
   PID: 4512
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child of PID 4512)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      PID: 4992
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
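The SetThreadContext and WriteProcessMemory rows above, issued by the sample's own process against a freshly spawned InstallUtil.exe that was started with no arguments, are the combination sandboxes flag for process hollowing (RunPE): the loader starts a benign, Microsoft-signed host suspended, overwrites its image with the unpacked payload, points the main thread at the new entry point and resumes it, which is why the RedLine behaviour (process enumeration, SeDebugPrivilege) is then attributed to PID 4992 rather than to the dropper. The following is an added example, not tria.ge code: it parses the report's own IoC rows (reproduced inline as constructed input), joins them with a process table modelled on the process tree, and scores each writer/target pair for the hollowing pattern. The list of .NET helper binaries used as likely hollowing hosts is an assumption and is not exhaustive; only InstallUtil.exe appears on this page.

```python
import re
from collections import defaultdict

# Constructed input: the "description / pid / Process / procid_target" rows from
# the report's SetThreadContext and WriteProcessMemory signatures, one row per
# line, as the sandbox prints them (pids and image names as on the page).
IOC_ROWS = """
PID 4512 set thread context of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
PID 4512 wrote to memory of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
PID 4512 wrote to memory of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
PID 4512 wrote to memory of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
PID 4512 wrote to memory of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
PID 4512 wrote to memory of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
PID 4512 wrote to memory of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
PID 4512 wrote to memory of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
PID 4512 wrote to memory of 4992 4512 287573018d6b07b5b32fcffc63b9aa017740e4bf.exe 80
""".strip().splitlines()

# Constructed process table modelled on the report's process tree:
# image path, command line and parent pid per process.
PROCESSES = {
    4512: {
        "image": r"C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe",
        "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\287573018d6b07b5b32fcffc63b9aa017740e4bf.exe"',
        "parent": None,
    },
    4992: {
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
        "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
        "parent": 4512,
    },
}

# Assumed, non-exhaustive list of Microsoft .NET helper binaries that .NET
# loaders commonly pick as hollowing hosts; the report only shows InstallUtil.exe.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "applaunch.exe", "csc.exe", "vbc.exe"}

# Matches the two row shapes used above; any other signature row is ignored.
ROW_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) (\d+) (\S+) (\d+)$"
)


def parse_row(row):
    """Turn one sandbox IoC row into an event dict, or None if it is not a
    SetThreadContext / WriteProcessMemory row."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    src, verb, dst, pid, image, procid_target = m.groups()
    api = "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory"
    return {"pid": int(src), "api": api, "target": int(dst),
            "image": image, "procid_target": int(procid_target)}


def launched_without_args(cmdline, image):
    """True when the command line is just the (optionally quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def detect_hollowing(rows, processes):
    """Return one finding per (source pid, target pid) pair that both wrote into
    the target and set a thread context in it; confidence rises with each extra
    hollowing indicator the target process adds."""
    counts = defaultdict(lambda: {"writes": 0, "set_ctx": 0})
    for ev in filter(None, map(parse_row, rows)):
        key = (ev["pid"], ev["target"])
        if ev["api"] == "WriteProcessMemory":
            counts[key]["writes"] += 1
        else:
            counts[key]["set_ctx"] += 1

    findings = []
    for (src, dst), c in sorted(counts.items()):
        if c["writes"] == 0 or c["set_ctx"] == 0:
            continue  # either API on its own is common in benign software
        child = processes.get(dst, {})
        image = child.get("image", "")
        base = image.rsplit("\\", 1)[-1].lower()
        reasons = [f"pid {src} wrote to pid {dst} {c['writes']}x and "
                   f"called SetThreadContext on it {c['set_ctx']}x"]
        if child.get("parent") == src:
            reasons.append("target is a direct child of the writer")
        if base in HOLLOW_HOSTS:
            reasons.append(f"target {base} is a .NET helper commonly used as a hollowing host")
        if launched_without_args(child.get("cmdline", ""), image):
            reasons.append("target was started with no command-line arguments")
        findings.append({"source": src, "target": dst, "target_image": image,
                         "writes": c["writes"], "set_ctx": c["set_ctx"],
                         "confidence": "high" if len(reasons) >= 3 else "medium",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(IOC_ROWS, PROCESSES):
        print(f"{f['confidence']}: {f['source']} -> {f['target']} ({f['target_image']})")
        for r in f["reasons"]:
            print("  -", r)
```

On this report the pair 4512 -> 4992 fires with all four indicators. Writes without a SetThreadContext, or the reverse, are deliberately not reported on their own, since debuggers, installers and some AV hooks do both routinely; the hollowing signal is the combination plus an argument-less, signed host spawned by the writer.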