Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 21:02
Static task: static1
Behavioral task: behavioral1
  Sample: 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
  Resource: win10v2004-20230220-en
General
Target: 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
Size: 479KB
MD5: 0f4968d2050bbc9331fa951525a60178
SHA1: 8f4cc098762d7a1695474b794990642bdb097152
SHA256: 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727
SHA512: 1fed6cfe88f8275d21e7703a5f59f5081a718b5b2055f4235b6dad2f101a4f78dc626307d12b087d185451a9fdde3f3ccdb43e03bb773e459f70fe2b265075fc
SSDEEP: 12288:GMrCy90MWLI7BWf2Hbgq3t1VpjTlmS++8OatQ6g:4yYctWObXVpjpT8/Q6g
Malware Config
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/1500-148-0x00000000081D0000-0x00000000087E8000-memory.dmp | redline_stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (2 IoCs)
  pid | Process
  928 | x3296379.exe
  1500 | g4306620.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x3296379.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x3296379.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1444 wrote to memory of 928 | 1444 | 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe | 89
  PID 1444 wrote to memory of 928 | 1444 | 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe | 89
  PID 1444 wrote to memory of 928 | 1444 | 26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe | 89
  PID 928 wrote to memory of 1500 | 928 | x3296379.exe | 90
  PID 928 wrote to memory of 1500 | 928 | x3296379.exe | 90
  PID 928 wrote to memory of 1500 | 928 | x3296379.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe"
   PID: 1444
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3296379.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3296379.exe
      PID: 928
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4306620.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4306620.exe
         PID: 1500
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 307KB
  MD5: c290747cfc29254b6b3492fe93dcf475
  SHA1: d051d328e6dbd8b62e7b4c787dcc1938625384ab
  SHA256: 9756f72a435ba9761a1e30e751437e48010cd78a59ae236130225da80dbf459b
  SHA512: 51a0bfe04032c4546b1e7fe7e30347b781d61bb8f3091eef2cb3ac093fcb3d3462aa9f717de126471f900b003ca82f63f8480e31ab61a5310ee751dfffc85381
- Filesize: 136KB
  MD5: 69a10e80a9a548be02ffdb15be0719aa
  SHA1: 8787c7582038886f9cb2f8b488fffe976e94f4b1
  SHA256: 48c5322b8e73d8f692ce2a8f47e19b51572eda7530f52b58c1fc6fdb9b99f1e4
  SHA512: a8e902c1ec64bed23b004e46709b1d141ea47fbce9ef61cc592747ca7aee87a1a5d1c1e0ce9d1a2b0125861f5085a7d8fcedd147aaefb1efbb2d72b724eaa959