Analysis
- max time kernel: 48s
- max time network: 59s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03/03/2023, 22:21
Static task: static1
Behavioral task: behavioral1
- Sample: b065492a3db152aa1c1651c0afdcf92b18a6909e958adcf32a6caf29391e4162.exe
- Resource: win10-20230220-en
General
- Target: b065492a3db152aa1c1651c0afdcf92b18a6909e958adcf32a6caf29391e4162.exe
- Size: 286KB
- MD5: ca3418e0f3511d6c886e852e3e0fb49f
- SHA1: 25dfdbecaf797f5392df3044e496ce46eae80363
- SHA256: b065492a3db152aa1c1651c0afdcf92b18a6909e958adcf32a6caf29391e4162
- SHA512: 59807ae1fba19a9fc092b7feb406e4f80a4684dbb222588808646ca639108a28bfb3bec285e93e61c0813f0ccf14c8e3f4ff555f40e6dbdcb24c8d6d3ea2b982
- SSDEEP: 3072:3a/uOGxnTL2iOUAJLdvb7mlq3DcT5S2BTvshixEux2AzgrjtBEYDKaLuyA0UkPbs:3l7xTL2iebqlk/Igq7xjzUR+aa+dc8j
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (35 IoCs)
  resource / yara_rule
  behavioral1/memory/4032-123-0x0000000002570000-0x00000000025CA000-memory.dmp  family_redline
  behavioral1/memory/4032-127-0x00000000025E0000-0x0000000002638000-memory.dmp  family_redline
  behavioral1/memory/4032-128-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-129-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-131-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-133-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-135-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-137-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-139-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-141-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-143-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-145-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-147-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-149-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-153-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-151-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-155-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-157-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-159-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-161-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-163-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-165-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-169-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-167-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-171-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-173-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-175-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-177-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-179-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-181-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-183-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-185-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-189-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-187-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
  behavioral1/memory/4032-191-0x00000000025E0000-0x0000000002632000-memory.dmp  family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process
  4032  b065492a3db152aa1c1651c0afdcf92b18a6909e958adcf32a6caf29391e4162.exe
  4032  b065492a3db152aa1c1651c0afdcf92b18a6909e958adcf32a6caf29391e4162.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / Process
  Token: SeDebugPrivilege  4032  b065492a3db152aa1c1651c0afdcf92b18a6909e958adcf32a6caf29391e4162.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b065492a3db152aa1c1651c0afdcf92b18a6909e958adcf32a6caf29391e4162.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b065492a3db152aa1c1651c0afdcf92b18a6909e958adcf32a6caf29391e4162.exe"
  PID: 4032
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken