Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2023, 14:41
Static task
static1
General
-
Target
56046f1a5d086b8b0bf8a9ee523f4bb3662b79f2e574266c3dff084075479d57.exe
-
Size
346KB
-
MD5
209a038e66043e5a6b5e74e9b9ba6bc8
-
SHA1
9addbdaba344fbbec6548981bfdca20c56b73886
-
SHA256
56046f1a5d086b8b0bf8a9ee523f4bb3662b79f2e574266c3dff084075479d57
-
SHA512
90a174baac7490934abcc4a900ca065bc6a37b62c2a09835ded67df820018e3faaa0e0d6efaf2a572f22ceb1bf5b14be14bfa3961b226d15bebf071e53ecf182
-
SSDEEP
6144:rCWLqIhTPL6R89Kk0gysRYqpqpQ4zfYI2q0LyHKsEb4IHkVA9U:On0TPORjk0gysRYw+u4IEi9
Malware Config
Extracted
redline
@Germany
185.11.61.125:22344
-
auth_value
9d15d78194367a949e54a07d6ce02c62
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
resource yara_rule behavioral1/memory/4924-139-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-140-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-142-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-144-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-146-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-150-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-152-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-148-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-154-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-156-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-158-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-160-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-162-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-164-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-166-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-168-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-170-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-172-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-176-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-174-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-178-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-180-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-182-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-184-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-186-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-188-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-190-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-192-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-194-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-196-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-198-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-200-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline behavioral1/memory/4924-202-0x0000000004F20000-0x0000000004F72000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3212 4924 WerFault.exe 83 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4924 56046f1a5d086b8b0bf8a9ee523f4bb3662b79f2e574266c3dff084075479d57.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4924 56046f1a5d086b8b0bf8a9ee523f4bb3662b79f2e574266c3dff084075479d57.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\56046f1a5d086b8b0bf8a9ee523f4bb3662b79f2e574266c3dff084075479d57.exe"C:\Users\Admin\AppData\Local\Temp\56046f1a5d086b8b0bf8a9ee523f4bb3662b79f2e574266c3dff084075479d57.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 18002⤵
- Program crash
PID:3212
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4924 -ip 49241⤵PID:5104