Analysis
max time kernel: 140s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 21:00
Static task: static1
Behavioral task: behavioral1
  Sample: 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe
  Resource: win10v2004-20230220-en
General
Target: 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe
Size: 1.5MB
MD5: be60ee130faeea5bb8b5dd7146bf1163
SHA1: 4addbee09c1a762139aef5efd8541d945462ed78
SHA256: 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6
SHA512: 75dfa717253fdcaf99eb5821c899c249c368a592dd4f0545aef40e55fc2548f7808e9572b9ef719f805b403f54cbeda788eb37f224915d8b17b6a43a251ca010
SSDEEP: 24576:tysMJY4UgCofCDvSwgGYsftcwKkOQ6W83lm/ZHyvtV6kyuMml7NWXCiCaZ+J2KY:Is66rofCDvSgHmwFOQY1m0V5GQN2Ci5
Malware Config
Extracted: redline
most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/3848-169-0x0000000005ED0000-0x00000000064E8000-memory.dmp | redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
pid | Process
4112 | i69173910.exe
2588 | i90582679.exe
2616 | i16152386.exe
2200 | i10579467.exe
3848 | a10374568.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i69173910.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i69173910.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i90582679.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i16152386.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i16152386.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i10579467.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i90582679.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i10579467.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 3004 wrote to memory of 4112 | 3004 | 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe | 89
PID 3004 wrote to memory of 4112 | 3004 | 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe | 89
PID 3004 wrote to memory of 4112 | 3004 | 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe | 89
PID 4112 wrote to memory of 2588 | 4112 | i69173910.exe | 90
PID 4112 wrote to memory of 2588 | 4112 | i69173910.exe | 90
PID 4112 wrote to memory of 2588 | 4112 | i69173910.exe | 90
PID 2588 wrote to memory of 2616 | 2588 | i90582679.exe | 91
PID 2588 wrote to memory of 2616 | 2588 | i90582679.exe | 91
PID 2588 wrote to memory of 2616 | 2588 | i90582679.exe | 91
PID 2616 wrote to memory of 2200 | 2616 | i16152386.exe | 92
PID 2616 wrote to memory of 2200 | 2616 | i16152386.exe | 92
PID 2616 wrote to memory of 2200 | 2616 | i16152386.exe | 92
PID 2200 wrote to memory of 3848 | 2200 | i10579467.exe | 93
PID 2200 wrote to memory of 3848 | 2200 | i10579467.exe | 93
PID 2200 wrote to memory of 3848 | 2200 | i10579467.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe"
  PID: 3004
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i69173910.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i69173910.exe
    PID: 4112
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90582679.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90582679.exe
      PID: 2588
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i16152386.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i16152386.exe
        PID: 2616
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10579467.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10579467.exe
          PID: 2200
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a10374568.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a10374568.exe
            PID: 3848
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.3MB
MD5: bb2b59ab33a41dc3b5e7d4d9b13d174d
SHA1: 34db1905e31f800b1a5a4aff58cdba724380cd26
SHA256: 24b885c738a8cc6ff4418ebf5415ef6f31f51d77ae1f988dd2923c243b50b892
SHA512: db78670019c7c365cfded3dcb36d04cb4841850cad17bff232cea1bcbb6319dad74c24350d0b6ce5d131596f6b638a966bb22653d6e550d2e7dcbf7b99dc6e5c
Filesize: 1016KB
MD5: e1c366cbba480994bd76f0afd8f3659c
SHA1: 9cd70ca26b741613d8859e4cf38b153bd04aec52
SHA256: 18772b5c3ca6a960f675612d4eb7cc0bb35afac504ef2b357a21b05a87175f6a
SHA512: 0c8c46e26144ee650866bae7e2438c90cccd8e0a9e7878a455c94b1c16d7d14442b3e74f57762fdcb3a0795aadf0c3f59eb26841f02cc32189cae5616c62815f
Filesize: 844KB
MD5: 7487585cd5960a0da85954489c4634cf
SHA1: 1c571e2b469eb047d277c42e647a01e3567065df
SHA256: d909bcbc5005ee451889642740f692a62c8a53e844f55cc8d7dba52144bf8989
SHA512: 290832fdefc46b7c657494e77a56df32bd3f015e9a43629bc60a22b0882edd02b3aae4090fba7220852b0b5b6f05d722dfef4e646785ecc2865599814f497b91
Filesize: 371KB
MD5: 50bf9c55683f6a027f1cbd0023fb3846
SHA1: 3bc9168e58a22760687aa0b72045cd8bcaf803c5
SHA256: 96fcb85061caa444870b5fce7e64a5fae5efdf13987e7f279289a412df76fdad
SHA512: 1ab08539d1e66ba3de2dbffcaf75677b95b7e793487334e2f2d72bd9b4451277bf6b82da1f06ad1393c9839e5fd299a1df274542388e6c6bbe9fd7ed782b548e
Filesize: 169KB
MD5: 9ea74742d587b3bb252c19881d555237
SHA1: b312fc2fda1834e24adcd1cc43961b183161e1cf
SHA256: 34f752937ccdb31d2e75a118cb2dd67e43aea9f57f2289457d9dbeab3654f40f
SHA512: 4acf40fbbb0680090e52ff455143140aea3166bc45ed3ebbb38338bcbb7e149205bd49094d90cc9684722904e743984c3b05d0cdb881312365a16e982fa0cafb