Analysis
max time kernel: 145s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2023, 04:03
Static task: static1
Behavioral task: behavioral1
Sample: 3b426d735f6feb6904fa15439b3b327a7e63d6ab508ab26f527e42749423d289.exe
Resource: win10v2004-20230220-en
General
Target: 3b426d735f6feb6904fa15439b3b327a7e63d6ab508ab26f527e42749423d289.exe
Size: 301KB
MD5: ca3684ab2b96bed49c448be979530ffe
SHA1: b5d16d5ef341ce02bb74276d2e684bddab071cff
SHA256: 3b426d735f6feb6904fa15439b3b327a7e63d6ab508ab26f527e42749423d289
SHA512: aea71de085e315c2bad222cfdb013371018b0c38f86b2a6bedc757e0d5bbc44f43e63a8510903d1aebbe09e9a32a2988eeae7c62f044ad657e4fe04675a0969a
SSDEEP: 6144:WqgM5kJodRWGUnnm1xxwfmKoQRL1+vt7ou8s6KGEgGRULCTUU:WqgMYodRW9YifDXx4vyQULy
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (33 IoCs)
resource  yara_rule
behavioral1/memory/1520-139-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-140-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-142-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-144-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-146-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-148-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-150-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-152-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-154-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-156-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-158-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-160-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-162-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-164-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-166-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-168-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-170-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-172-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-174-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-176-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-178-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-180-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-182-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-184-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-186-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-188-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-190-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-192-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-196-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-194-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-198-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-200-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
behavioral1/memory/1520-202-0x0000000004CF0000-0x0000000004D42000-memory.dmp  family_redline
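All 33 payload IoCs above name the same region of PID 1520 (0x04CF0000-0x04D42000, which is 0x52000 bytes, about 328 KiB): the sandbox dumped the resident process repeatedly and the YARA rule fired on every dump. The parser below, an added example and not tria.ge's own tooling, reads the flattened "<dump path> <rule>" hits as they appear on this page, collapses repeated hits on one region into a single record, and reports the region size and the first and last dump index so you know which dump to pull for further analysis. The input is reconstructed from the 33 entries listed above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the 33 "RedLine payload" hits listed above, re-created here
# in the flattened "<dump path> <rule>" form the report uses. The dump indices
# are the ones on the page (139, 140, then 142..192 in steps of two, then 196,
# 194, 198, 200, 202); every hit names the same region in PID 1520.
DUMP_INDICES = [139, 140] + list(range(142, 193, 2)) + [196, 194, 198, 200, 202]
REPORT_IOCS = " ".join(
    f"behavioral1/memory/1520-{i}-0x0000000004CF0000-0x0000000004D42000-memory.dmp family_redline"
    for i in DUMP_INDICES
)

# One hit: <task>/memory/<pid>-<dump>-0x<start>-0x<end>-memory.dmp <yara rule>.
# finditer (rather than line-by-line matching) copes with the page's layout,
# where all hits are run together on one or two long lines.
IOC_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<dump>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)


def parse_memory_iocs(text):
    """Return one dict per memory-dump YARA hit, with pid, dump and addresses as ints."""
    hits = []
    for m in IOC_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"malformed region in {m.group(0)!r}")
        hits.append({
            "task": m["task"], "pid": int(m["pid"]), "dump": int(m["dump"]),
            "start": start, "end": end, "rule": m["rule"],
        })
    return hits


def summarise_regions(hits):
    """Collapse repeated hits on the same (pid, start, end, rule) into one record.

    A stealer that stays resident is dumped repeatedly by the sandbox, so dozens
    of IoCs often describe a single payload region; the summary shows how many
    distinct regions there really are and the dump range covering each."""
    by_region = defaultdict(list)
    for h in hits:
        by_region[(h["pid"], h["start"], h["end"], h["rule"])].append(h["dump"])
    return [
        {
            "pid": pid, "rule": rule, "start": start, "end": end,
            "size": end - start, "hits": len(dumps),
            "first_dump": min(dumps), "last_dump": max(dumps),
        }
        for (pid, start, end, rule), dumps in sorted(by_region.items())
    ]


def format_summary(summary):
    """One human-readable line per distinct region."""
    return "\n".join(
        f"pid {r['pid']}: {r['rule']} at 0x{r['start']:08X}-0x{r['end']:08X} "
        f"({r['size']} bytes), {r['hits']} hits, dumps {r['first_dump']}..{r['last_dump']}"
        for r in summary
    )


if __name__ == "__main__":
    print(format_summary(summarise_regions(parse_memory_iocs(REPORT_IOCS))))
```

Run as a script it prints a single line for this report; on a report whose stealer re-allocates or injects into a second process you get one line per region, which is the number of distinct payload images worth carving out.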
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid  Process
1520  3b426d735f6feb6904fa15439b3b327a7e63d6ab508ab26f527e42749423d289.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description  pid  Process
Token: SeDebugPrivilege  1520  3b426d735f6feb6904fa15439b3b327a7e63d6ab508ab26f527e42749423d289.exe
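Taken one at a time, the four behaviours above are weak signals (installers open the Uninstall key, debuggers take SeDebugPrivilege, task managers enumerate processes); what marks the stealer is all of them coming from one process that also reads browser credential stores. The script below, an added example rather than tria.ge's own signature engine, re-implements the gist of those four signatures over a small constructed event stream and flags a PID only when several fire together. The event schema (dicts with pid, image, op and target; op values FileRead, RegOpenKey, ProcessEnum, AdjustPrivilege) and the evaluate/triage function names are this example's assumptions, not any real sensor's format. The registry paths and browser file names are the real ones; the subkey, profile and image names in the sample events are made up.

```python
from collections import defaultdict

# Assumed event schema for this example (not tria.ge's or Sysmon's): each event is
# a dict with "pid", "image", "op" and "target". Ops used: FileRead, RegOpenKey,
# ProcessEnum (e.g. a CreateToolhelp32Snapshot/Process32Next walk) and
# AdjustPrivilege (AdjustTokenPrivileges on the process's own token).

# Chromium and Firefox credential/cookie/autofill stores, matched by file name
# inside a profile directory under the user's AppData tree.
BROWSER_ARTIFACTS = ("login data", "cookies", "web data", "logins.json", "cookies.sqlite", "key4.db")
# The two "Add/Remove Programs" enumeration roots (native and WOW64 views).
UNINSTALL_KEYS = (
    r"\software\microsoft\windows\currentversion\uninstall",
    r"\software\wow6432node\microsoft\windows\currentversion\uninstall",
)


def reads_browser_data(ev):
    t = ev["target"].lower()
    return ev["op"] == "FileRead" and "\\appdata\\" in t and t.endswith(BROWSER_ARTIFACTS)


def checks_installed_software(ev):
    return ev["op"] == "RegOpenKey" and any(k in ev["target"].lower() for k in UNINSTALL_KEYS)


def enumerates_processes(ev):
    return ev["op"] == "ProcessEnum"


def adjusts_debug_privilege(ev):
    return ev["op"] == "AdjustPrivilege" and ev["target"] == "SeDebugPrivilege"


# Same names as the signatures in the report above.
SIGNATURES = {
    "Reads user/profile data of web browsers": reads_browser_data,
    "Checks installed software on the system": checks_installed_software,
    "Suspicious behavior: EnumeratesProcesses": enumerates_processes,
    "Suspicious use of AdjustPrivilegeToken": adjusts_debug_privilege,
}


def evaluate(events):
    """Map pid -> {signature name -> list of matching events}."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for name, pred in SIGNATURES.items():
            if pred(ev):
                hits[ev["pid"]][name].append(ev)
    return hits


def triage(events, min_signatures=3):
    """PIDs that trip at least min_signatures distinct signatures, with the names.

    The threshold is what keeps a lone installer or debugger out of the result:
    the stealer pattern is the combination inside a single process."""
    return {pid: sorted(sigs) for pid, sigs in evaluate(events).items()
            if len(sigs) >= min_signatures}


# Constructed telemetry: PID 1520 mirrors the four behaviours reported above;
# PID 4242 is benign noise that trips one signature on its own.
SAMPLE = "3b426d735f6feb6904fa15439b3b327a7e63d6ab508ab26f527e42749423d289.exe"
EVENTS = [
    {"pid": 1520, "image": SAMPLE, "op": "AdjustPrivilege", "target": "SeDebugPrivilege"},
    {"pid": 1520, "image": SAMPLE, "op": "ProcessEnum", "target": ""},
    {"pid": 1520, "image": SAMPLE, "op": "RegOpenKey",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"},
    {"pid": 1520, "image": SAMPLE, "op": "FileRead",
     "target": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1520, "image": SAMPLE, "op": "FileRead",
     "target": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json"},
    {"pid": 4242, "image": "setup.exe", "op": "RegOpenKey",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 4242, "image": "setup.exe", "op": "FileRead", "target": r"C:\Users\Admin\Desktop\readme.txt"},
]


if __name__ == "__main__":
    for pid, sigs in triage(EVENTS).items():
        print(pid, sigs)
```

Lowering min_signatures to 1 turns the same code into the per-signature listing the report shows; the default of 3 is the form you would actually alert on.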
Processes
- C:\Users\Admin\AppData\Local\Temp\3b426d735f6feb6904fa15439b3b327a7e63d6ab508ab26f527e42749423d289.exe (root of the process tree; no child processes recorded)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b426d735f6feb6904fa15439b3b327a7e63d6ab508ab26f527e42749423d289.exe"
  PID: 1520
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken