Analysis
max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 20:42
Static task: static1
Behavioral task: behavioral1
  Sample: 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
  Resource: win10v2004-20230220-en
General
Target: 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
Size: 480KB
MD5: 4d91be6f3eddafadb1db23c080a37e27
SHA1: 66503ff75a31b7c642342bb8801ba7d94202de9a
SHA256: 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72
SHA512: f78dadb950b7c2424b9a75216e87ac7dccb341203a63a90c44afe6a433b7f0e2eca2c372158196754fb96fe43b5586de84d75b6bf73908f012654eb7056404ff
SSDEEP: 12288:/Mrjy90iOT7wS/gn499YZXDKrJyw+T/U53SBe9n:Uy4d/gn49zf+453Dn
Malware Config
Extracted
Family: redline
Botnet: daris
C2: 217.196.96.56:4138
auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/2712-148-0x0000000005D80000-0x0000000006398000-memory.dmp
  yara_rule: redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (2 IoCs)
  PID 2076: y0469988.exe
  PID 2712: k3623346.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description: Key created
    ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Process: 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
  description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
  description: Key created
    ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Process: y0469988.exe
  description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
    Process: y0469988.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 448 wrote to memory of 2076 | 448 | 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe | 85
  PID 448 wrote to memory of 2076 | 448 | 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe | 85
  PID 448 wrote to memory of 2076 | 448 | 18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe | 85
  PID 2076 wrote to memory of 2712 | 2076 | y0469988.exe | 86
  PID 2076 wrote to memory of 2712 | 2076 | y0469988.exe | 86
  PID 2076 wrote to memory of 2712 | 2076 | y0469988.exe | 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\18c718e9a0037146b44d968bfab4c7c0ab195396e0a8c9f4394f6b82d0f8ab72.exe"
   PID: 448
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0469988.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0469988.exe
      PID: 2076
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3623346.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3623346.exe
         PID: 2712
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 308KB
MD5: 315c260d34d0ab8035ce78e94b4759ce
SHA1: 9acf11e4193ddf7f33a0abaeb1f13559be9edc15
SHA256: 60b0c6b8999a7134e3ae06e2239ccfcf189a93e7a7c8bc7dfb5e79f59dff1686
SHA512: 807cb2522821dacc7e5539047e55f24f7ad346b4458ae75c7b3228a95dcf9aaec266b4f6a22692f6d6572157d0cf4ba19660403ef72cfc166d54df42064019e9
Filesize: 168KB
MD5: d452015d400894e78add7879356a931a
SHA1: baada8b9c86c8d780865b9e2e89ee21cb6b23dca
SHA256: d323ff8cc40530853d8a9b06caf6ac44d0d1cac155dcf2112d27c4b951998552
SHA512: f79556d22061e1362683b7a9cb0a447f144c998f477d363a7695ab9f13709b9a0a32ff88a3607507631231f0723a57bc842a8eecb6dfcd91d48c2c724c3ac130