Analysis
- max time kernel: 155s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/05/2023, 18:57
Static task: static1

Behavioral task: behavioral1
- Sample: e88c37f1bb15fcbe857ee8c4d526153f.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: e88c37f1bb15fcbe857ee8c4d526153f.exe
- Resource: win10v2004-20230220-en
General
- Target: e88c37f1bb15fcbe857ee8c4d526153f.exe
- Size: 1.9MB
- MD5: e88c37f1bb15fcbe857ee8c4d526153f
- SHA1: c52537d8b02f5c9c9ea40f78a7e2c9f8dc78225b
- SHA256: 9fbc398697579871e9ed351b5874acacb8b435178b32ff6506a03e5738b2e75f
- SHA512: 8065ee3b4fd2130549f016c5accb5f8347812b2b0cf6cc97bf712e6b34d30d3dd893dbcf250db60bd0d17550e36462dce4d3ae33858007af2e19e7ad71e44164
- SSDEEP: 49152:IBJ/2XAf/cdSy4ihSiudHKWw7YYlMDFUjcgbeR:ywXI0c5icLKJEYlIFicWe
Malware Config

Extracted: redline
- RED
- 79.137.202.0:81
- auth_value: 49e32ec54afd3f75dadad05dbf2e524f

Extracted: laplas
- http://79.137.199.252
- api_key: ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4
Signatures

Detects Redline Stealer samples (3 IoCs)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/4604-151-0x0000000005490000-0x0000000005AA8000-memory.dmp | redline_stealer
behavioral2/memory/4604-1663-0x00000000060A0000-0x0000000006106000-memory.dmp | redline_stealer
behavioral2/memory/4604-1713-0x0000000006C00000-0x0000000006DC2000-memory.dmp | redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | e88c37f1bb15fcbe857ee8c4d526153f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | e32Lke3.exe

Executes dropped EXE (4 IoCs)
pid | Process
4464 | cqb3grs.exe
1352 | o02kvf1u.exe
1884 | e32Lke3.exe
6968 | svcservice.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" | e32Lke3.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4464 set thread context of 4604 | 4464 | cqb3grs.exe | 87
PID 1352 set thread context of 400 | 1352 | o02kvf1u.exe | 96

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4252 | 4464 | WerFault.exe | 84
4692 | 1352 | WerFault.exe | 91

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4604 | RegSvcs.exe
4604 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4604 | RegSvcs.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 4768 wrote to memory of 4464 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 84
PID 4768 wrote to memory of 4464 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 84
PID 4768 wrote to memory of 4464 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 84
PID 4464 wrote to memory of 4604 | 4464 | cqb3grs.exe | 87
PID 4464 wrote to memory of 4604 | 4464 | cqb3grs.exe | 87
PID 4464 wrote to memory of 4604 | 4464 | cqb3grs.exe | 87
PID 4464 wrote to memory of 4604 | 4464 | cqb3grs.exe | 87
PID 4464 wrote to memory of 4604 | 4464 | cqb3grs.exe | 87
PID 4768 wrote to memory of 1352 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 91
PID 4768 wrote to memory of 1352 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 91
PID 4768 wrote to memory of 1352 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 91
PID 1352 wrote to memory of 4456 | 1352 | o02kvf1u.exe | 94
PID 1352 wrote to memory of 4456 | 1352 | o02kvf1u.exe | 94
PID 1352 wrote to memory of 4456 | 1352 | o02kvf1u.exe | 94
PID 1352 wrote to memory of 1820 | 1352 | o02kvf1u.exe | 95
PID 1352 wrote to memory of 1820 | 1352 | o02kvf1u.exe | 95
PID 1352 wrote to memory of 1820 | 1352 | o02kvf1u.exe | 95
PID 1352 wrote to memory of 400 | 1352 | o02kvf1u.exe | 96
PID 1352 wrote to memory of 400 | 1352 | o02kvf1u.exe | 96
PID 1352 wrote to memory of 400 | 1352 | o02kvf1u.exe | 96
PID 1352 wrote to memory of 400 | 1352 | o02kvf1u.exe | 96
PID 1352 wrote to memory of 400 | 1352 | o02kvf1u.exe | 96
PID 4768 wrote to memory of 1884 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 100
PID 4768 wrote to memory of 1884 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 100
PID 4768 wrote to memory of 1884 | 4768 | e88c37f1bb15fcbe857ee8c4d526153f.exe | 100
PID 1884 wrote to memory of 6968 | 1884 | e32Lke3.exe | 101
PID 1884 wrote to memory of 6968 | 1884 | e32Lke3.exe | 101
PID 1884 wrote to memory of 6968 | 1884 | e32Lke3.exe | 101
Processes (the leading number is the depth in the process tree; indentation shows parent/child relationships)

1. C:\Users\Admin\AppData\Local\Temp\e88c37f1bb15fcbe857ee8c4d526153f.exe | command line: "C:\Users\Admin\AppData\Local\Temp\e88c37f1bb15fcbe857ee8c4d526153f.exe" | PID: 4768
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe | command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe" | PID: 4464
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | PID: 4604
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 156 | PID: 4252
         - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\o02kvf1u.exe | command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\o02kvf1u.exe" | PID: 1352
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | PID: 4456
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | PID: 1820
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | PID: 400
      3. C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 148 | PID: 4692
         - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\e32Lke3.exe | command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\e32Lke3.exe" | PID: 1884
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe | command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe" | PID: 6968
         - Executes dropped EXE

1. C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464 | PID: 840

1. C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1352 -ip 1352 | PID: 4936
Downloads
- Filesize: 1.3MB
  MD5: 3681076e0468f402f6a12e9d586c24b1
  SHA1: 92d9039e76ad9166b00d38100994f86ad712818d
  SHA256: e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f
  SHA512: 5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828
- Filesize: 1.1MB
  MD5: a76d136239408f63bf5b2af3d4dffc0e
  SHA1: 7434e0882f2825ba265f69db57e1117a4375636a
  SHA256: c1d245ae8ca47c4e04608217d82fc94c1c77d10a81ab057f8c605dbfc24b8ccf
  SHA512: 189c0e9ca5975ceaf36806020622ae3a77875039cf68c0c3aa2aa2f6e3fd8da1be559bfa1c6fb30538809d6220a00ffa000f9d17aa5f9d5f79199c1f90998dbe
- Filesize: 3.6MB
  MD5: 9acf9c7921ee24285901751af52097b0
  SHA1: 0e6725a2fdc4e1f1bbf6a73f46393cbba4552e12
  SHA256: 98c1105d2e0d9467d2cb9cbd3747b79d7471ecbc22a290653fddc8db3f49b04c
  SHA512: 7f369214f16aca9dcd8c390ab729a1edaffe27f3fce6dc887df7bb39bc6f55ba938ea7c69f3f1dd739da00b899435a0e65750e5cd7cb0fb45272ad32d6e24792
- Filesize: 210.7MB
  MD5: 64116c0a78286c9c21bb3e2099ce3fa3
  SHA1: e9e75d5c538cacbe7d8de2ff332a05bb34fca571
  SHA256: d08ac6703c7538396b0257aec09ed4500850053054a9b92422a774f12a597870
  SHA512: da8314ff85f23af949638e2b828a18593f985c628b9c45eab8c0f4c7c54d5daf3990be1dc0b5294bc489a816a06b70d3bc968cb152ca1467e82a31996b6b7514
- Filesize: 211.3MB
  MD5: b747fc12254532766f7623222dc8b94a
  SHA1: 981901e7355e9d6d742e2a3397f1df5cd51b893f
  SHA256: 6d6a53c7b98497f26f084cd620922aa908d384f39700304c6d7c9045835233c8
  SHA512: 6f2776deee4637d61e4300cdddf44b120ab27ab88af3258d4cc98a7d3dc33b87051c9975d61a15c94c77c3de857e9ce2c72719685f327f2c7c902b4b44320f6e