Analysis
- max time kernel: 158s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/05/2023, 20:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
- Resource: win10v2004-20230220-en
General
- Target: 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
- Size: 479KB
- MD5: 74fc1501b8b739a6a86dc77599ab2ebd
- SHA1: fe123f17a1229326e2b096dd82fc773a8d120155
- SHA256: 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d
- SHA512: bcee2d8c08dca2f5fdf92a10a8f4f09093a488df9294ebed4a56dd20e77b065e3c528148fd7bb64f429c1e38e51e06c79990ddaa771700490ede764fddc5eec3
- SSDEEP: 12288:5MrTy90hOFEENQZuTO3DwCdfm39YWl03S:eyIGuZuIDwh3pkS
Malware Config
Signatures
- Detects Redline Stealer samples (1 IoCs)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/4840-148-0x0000000007E80000-0x0000000008498000-memory.dmp | redline_stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (2 IoCs)
  pid | Process
  2076 | x7568755.exe
  4840 | g0095314.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x7568755.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x7568755.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 448 wrote to memory of 2076 | 448 | 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe | 83
  PID 448 wrote to memory of 2076 | 448 | 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe | 83
  PID 448 wrote to memory of 2076 | 448 | 0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe | 83
  PID 2076 wrote to memory of 4840 | 2076 | x7568755.exe | 84
  PID 2076 wrote to memory of 4840 | 2076 | x7568755.exe | 84
  PID 2076 wrote to memory of 4840 | 2076 | x7568755.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b8cd1fde48304d57568381fe03db7a143822159043a2facd2d31ec405b1326d.exe"
  PID: 448
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7568755.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7568755.exe
    PID: 2076
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0095314.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0095314.exe
      PID: 4840
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 307KB
  MD5: d85d9fc996e80ca32dc16e5c61d9b64e
  SHA1: fb36721ce4f1448a615042dd6cf3500c1e1b5e96
  SHA256: 3314c1cf1b9c658958c2c7afe0411d25d3b23a2782eb00303a8d407de3e7fde3
  SHA512: a847e07cbf5cda76bd33222d2b845ad466dbed6863278562521c14a278117220b365bd4e7c92ffa0d303f945aee1357f1429d30343a9cfb1e41085bddfe6ef65
- Filesize: 136KB
  MD5: 1a335f9aa910bcee72ecfb07046b1409
  SHA1: 98ed2675d3bb617431d3cc2fbd1431852fb818a4
  SHA256: ad96a293d8102ba443508a4aca4ca26b44975260d26bba67db9cf0f9327f9eab
  SHA512: 0fccf320f6c4a094331f70a33b30775e1c5fb5ecc19d0e76ce6aa69a6069f2af6ca5c885a04fc31b7f2190e761b5c191e70a19ff84310e16384fc085aa58ce43