Analysis
max time kernel: 147s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 21:29
Static task: static1
Behavioral task: behavioral1
  Sample: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe
  Resource: win10v2004-20230220-en
General
Target: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe
Size: 643KB
MD5: b323bfe49269db423166a3928b492412
SHA1: e343a5738eae7632e1f441305d5342f811f93896
SHA256: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd
SHA512: 324322decd4497bba94f1fd72f66978f3343466f466c8817ebb5c54e95581ef19479b9e3730585697e7c19087b1c0ae426795854a0be66cf2229a6ece4874377
SSDEEP: 12288:iMr3y90/vqOVtAfMWyiBJDhYWfR8atuayvUUA/sOFy22zgB:VymvzAUWyiBJDbJ8R7vhudB
Malware Config
Extracted
Family: redline
Botnet: darm
C2: 217.196.96.56:4138
auth_value: d88ac8ccc04ab9979b04b46313db1648
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/4764-148-0x0000000005550000-0x0000000005B68000-memory.dmp
  yara_rule: redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (2 IoCs)
  PID 4192  x9854565.exe
  PID 4764  g4540713.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (process: x9854565.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (process: x9854565.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (process: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1936 wrote to memory of 4192  (process: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe, procid_target: 84)
  PID 1936 wrote to memory of 4192  (process: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe, procid_target: 84)
  PID 1936 wrote to memory of 4192  (process: 3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe, procid_target: 84)
  PID 4192 wrote to memory of 4764  (process: x9854565.exe, procid_target: 85)
  PID 4192 wrote to memory of 4764  (process: x9854565.exe, procid_target: 85)
  PID 4192 wrote to memory of 4764  (process: x9854565.exe, procid_target: 85)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3e96cacc0b42bfee49ee4d2a117a5c532e2502ce16c88862648818350b7d05bd.exe"
   PID: 1936
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854565.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854565.exe
      PID: 4192
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4540713.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4540713.exe
         PID: 4764
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 383KB
MD5: d88cb1576e07111690e9011c19211331
SHA1: f110d0f00e6abd8602c4ddd997ce7d16062f097c
SHA256: ccd3cc1652a488c21ddec17778af5d57e674eec819282e6a8ae2feabffa17354
SHA512: e1fdfa585f932f64b257134af0e646aba7c818a43778a2d0d1181a9dfec9d11905e9b480aa8e50881200d462d1c92cebb84a32a39a7343863fb2e41e3ae9ba82

Filesize: 168KB
MD5: 1c1e8581db7c561022e9da9001177d40
SHA1: 06b5a144ace0e13c5e0f505bdd156ff47983b580
SHA256: 34b8736c4f47855c1dd12d1e9e94c5156c9b618f531fcbf16ac977054e57c622
SHA512: c5687c47c62d46e4dfa372c286a1c461df1319236aa13c43bacdc07b03d1b4163886d6da95bc6225501c9ba3e5cc76f6f28baea4b82af45d52d491d3a58e8a9f