Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/05/2023, 10:47 UTC

General

  • Target

    connector361.exe

  • Size

    1.0MB

  • MD5

    581026913ad722416f7644094188e68a

  • SHA1

    df366a2268e5373f407e73fc80c7f694d31db551

  • SHA256

    cb0d7efc51da225943743f0055cdf3584ad5d4f3a855150eb0bad8697e579433

  • SHA512

    c3f316d248469d932bd10254eccc2f3f3a71f291bd8b068c857247c43ba6d5616672bdb317e404939381e6b1e2452243987b6c7e2205c75b87d29c99ed23b90c

  • SSDEEP

    24576:1yJAzsS6ggVpLLy2qFYDJi1se/qenD6ezp9sXp9G8iZvKwIe:QJLSiVpS2q2i1seCenuezQXiZv

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\connector361.exe
    "C:\Users\Admin\AppData\Local\Temp\connector361.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2501370.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2501370.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9897793.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9897793.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7190923.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7190923.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5044
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8580593.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8580593.exe
          4⤵
          • Executes dropped EXE
          PID:432
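
Added example, not tria.ge output and not code from the sample: a detection pass in Python over constructed Sysmon-style process-create and registry events that mirror the tree above. It flags the three behaviours the signatures list: a chain of executables launched out of %TEMP%\IXP00n.TMP directories (the extraction-folder naming used by IExpress self-extracting packages, so the first three stages look like SFX wrappers around the two IXP002.TMP binaries), Run-key values written by or pointing at something in %TEMP%, and Windows Defender Real-Time Protection policy values set to 1. The event records, the SID, the Run-key paths and the Defender policy key and value names are assumptions; the report gives the signature names and PIDs but not the registry paths it matched.

```python
"""Detection pass over Sysmon-style events for the staged dropper chain in
this report. Added example: EVENTS are CONSTRUCTED to mirror the process tree
and signature names above; the SID, Run-key paths and the Defender policy
key/value names are assumptions, not data exported from the sandbox."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUN = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run"  # assumed SID
RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Sysmon Event ID 1 = ProcessCreate, 13 = RegistryEvent (value set). Constructed.
EVENTS = [
    {"id": 1, "pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4692, "ppid": 1000, "image": TEMP + r"\connector361.exe"},
    {"id": 13, "pid": 4692, "key": RUN + r"\connector361", "data": TEMP + r"\connector361.exe"},
    {"id": 1, "pid": 552, "ppid": 4692, "image": TEMP + r"\IXP000.TMP\y2501370.exe"},
    {"id": 13, "pid": 552, "key": RUN + r"\y2501370", "data": TEMP + r"\IXP000.TMP\y2501370.exe"},
    {"id": 1, "pid": 3648, "ppid": 552, "image": TEMP + r"\IXP001.TMP\y9897793.exe"},
    {"id": 13, "pid": 3648, "key": RUN + r"\y9897793", "data": TEMP + r"\IXP001.TMP\y9897793.exe"},
    {"id": 1, "pid": 5044, "ppid": 3648, "image": TEMP + r"\IXP002.TMP\k7190923.exe"},
    {"id": 13, "pid": 5044, "key": RTP + r"\DisableRealtimeMonitoring", "data": "DWORD (0x00000001)"},
    {"id": 13, "pid": 5044, "key": RTP + r"\DisableBehaviorMonitoring", "data": "DWORD (0x00000001)"},
    {"id": 1, "pid": 432, "ppid": 3648, "image": TEMP + r"\IXP002.TMP\l8580593.exe"},
    # Benign noise that must not fire: a normal program start and a legitimate Run entry.
    {"id": 1, "pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 13, "pid": 1000, "key": RUN + r"\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

IXP_STAGE = re.compile(r"\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.IGNORECASE)
IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
RTP_KEY = re.compile(r"\\Windows Defender\\Real-Time Protection\\", re.IGNORECASE)
RTP_DISABLE_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
                      "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
                      "DisableIOAVProtection"}


def processes(events):
    """pid -> ProcessCreate record."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def dropper_chain(events):
    """PIDs of every IXPnnn.TMP stage plus the %TEMP% ancestors that spawned it,
    in creation order; walking up stops at the first parent outside %TEMP%."""
    procs = processes(events)
    members = set()
    for e in procs.values():
        if not IXP_STAGE.search(e["image"]):
            continue
        pid = e["pid"]
        while pid in procs and IN_TEMP.search(procs[pid]["image"]):
            members.add(pid)
            pid = procs[pid]["ppid"]
    return [e["pid"] for e in events if e["id"] == 1 and e["pid"] in members]


def defender_tampering(events):
    """(pid, value name) for Real-Time Protection policy Disable* values set to 1."""
    hits = []
    for e in events:
        if e["id"] == 13 and RTP_KEY.search(e["key"]):
            value = e["key"].rsplit("\\", 1)[1]
            if value in RTP_DISABLE_VALUES and e["data"].endswith("(0x00000001)"):
                hits.append((e["pid"], value))
    return hits


def run_key_persistence(events):
    """(pid, value name) for Run-key values written by, or pointing at, %TEMP%."""
    procs = processes(events)
    hits = []
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["key"]):
            writer = procs.get(e["pid"], {}).get("image", "")
            if IN_TEMP.search(writer) or IN_TEMP.search(e["data"]):
                hits.append((e["pid"], e["key"].rsplit("\\", 1)[1]))
    return hits


def triage(events):
    """Roll the three detections up into the per-PID view a SOC analyst would want."""
    return {
        "dropper_chain": dropper_chain(events),
        "defender_tampering": sorted({pid for pid, _ in defender_tampering(events)}),
        "run_key_persistence": sorted({pid for pid, _ in run_key_persistence(events)}),
    }


if __name__ == "__main__":
    for name, pids in triage(EVENTS).items():
        print(f"{name}: {pids}")
```

The Run-key rule deliberately keys on where the writer or the target lives rather than on the key alone, so the explorer.exe/OneDrive entry in the sample stays quiet while the three stages that register themselves from %TEMP% fire; the chain walk stops at explorer.exe, so the root dropper is included but its launcher is not.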

Network

  DNS: reverse (PTR) lookups, all sent to 8.8.8.8:53 (resolver flagged US). The report shows no answer content for any of them and ties none of them to a sample process. Sizes are bytes sent / received, then packets sent / received.

    Query                        Type    Sent   Recv    Packets
    209.205.72.20.in-addr.arpa   IN PTR  72 B   158 B   1 / 1
    240.221.184.93.in-addr.arpa  IN PTR  73 B   144 B   1 / 1
    95.221.229.192.in-addr.arpa  IN PTR  73 B   144 B   1 / 1
    37.146.190.20.in-addr.arpa   IN PTR  72 B   158 B   1 / 1
    36.146.190.20.in-addr.arpa   IN PTR  72 B   158 B   1 / 1
    35.146.190.20.in-addr.arpa   IN PTR  72 B   158 B   1 / 1
    38.146.190.20.in-addr.arpa   IN PTR  72 B   158 B   1 / 1
    138.32.126.40.in-addr.arpa   IN PTR  72 B   158 B   1 / 1
    14.103.197.20.in-addr.arpa   IN PTR  72 B   158 B   1 / 1

  Connections: one row per connection attempt, in the order the report lists them, so an endpoint repeats once per attempt. Only the flows to 185.161.248.37:4138 are attributed to a sample process, l8580593.exe (PID 432), and that endpoint is the C2 in the extracted config above; the remaining endpoints carry no process attribution.

    Remote address        Process        Bytes   Packets
    185.161.248.37:4138   l8580593.exe   260 B   5
    178.79.208.1:80       -              322 B   7
    52.242.101.226:443    -              260 B   5
    13.89.179.9:443       -              322 B   7
    185.161.248.37:4138   l8580593.exe   260 B   5
    52.242.101.226:443    -              260 B   5
    178.79.208.1:80       -              322 B   7
    178.79.208.1:80       -              322 B   7
    173.223.113.164:443   -              322 B   7
    185.161.248.37:4138   l8580593.exe   260 B   5
    52.242.101.226:443    -              260 B   5
    52.242.101.226:443    -              260 B   5
    185.161.248.37:4138   l8580593.exe   260 B   5
    52.242.101.226:443    -              260 B   5
    185.161.248.37:4138   l8580593.exe   260 B   5
    52.242.101.226:443    -              260 B   5
    185.161.248.37:4138   l8580593.exe   104 B   2
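
Added example, not part of the report and not tria.ge tooling: Python that joins the flows in the Network section above with the Malware Config section, to show which connections belong to the extracted C2 and what is left over for the analyst to explain. CONFIG, FLOWS and PTR_QUERIES are transcribed from this page; reading each flow's single byte and packet figure as traffic sent, and the bytes-per-packet reasoning built on it, is an interpretation of the listing, not something the sandbox states.

```python
"""Join the Network flows with the extracted RedLine config. Added example,
not tria.ge tooling: CONFIG, FLOWS and PTR_QUERIES are transcribed from this
report; reading each flow's single byte/packet pair as "sent" is an
interpretation of the listing, not something the sandbox states."""
from ipaddress import ip_address

CONFIG = {"family": "redline", "botnet": "diza", "c2": {"185.161.248.37:4138"}}

# (remote endpoint, process the report attributes the flow to or None, bytes, packets)
FLOWS = [
    ("185.161.248.37:4138", "l8580593.exe", 260, 5),
    ("178.79.208.1:80", None, 322, 7),
    ("52.242.101.226:443", None, 260, 5),
    ("13.89.179.9:443", None, 322, 7),
    ("185.161.248.37:4138", "l8580593.exe", 260, 5),
    ("52.242.101.226:443", None, 260, 5),
    ("178.79.208.1:80", None, 322, 7),
    ("178.79.208.1:80", None, 322, 7),
    ("173.223.113.164:443", None, 322, 7),
    ("185.161.248.37:4138", "l8580593.exe", 260, 5),
    ("52.242.101.226:443", None, 260, 5),
    ("52.242.101.226:443", None, 260, 5),
    ("185.161.248.37:4138", "l8580593.exe", 260, 5),
    ("52.242.101.226:443", None, 260, 5),
    ("185.161.248.37:4138", "l8580593.exe", 260, 5),
    ("52.242.101.226:443", None, 260, 5),
    ("185.161.248.37:4138", "l8580593.exe", 104, 2),
]

PTR_QUERIES = [
    "209.205.72.20.in-addr.arpa", "240.221.184.93.in-addr.arpa",
    "95.221.229.192.in-addr.arpa", "37.146.190.20.in-addr.arpa",
    "36.146.190.20.in-addr.arpa", "35.146.190.20.in-addr.arpa",
    "38.146.190.20.in-addr.arpa", "138.32.126.40.in-addr.arpa",
    "14.103.197.20.in-addr.arpa",
]


def c2_summary(flows, config):
    """Every flow whose endpoint is an extracted C2, rolled up."""
    hits = [f for f in flows if f[0] in config["c2"]]
    return {
        "attempts": len(hits),
        "bytes": sum(f[2] for f in hits),
        "packets": sum(f[3] for f in hits),
        "processes": sorted({f[1] for f in hits if f[1]}),
    }


def mean_packet_size(flows, endpoint):
    """Bytes per packet for one endpoint. Around 52 B and no payload-sized
    packets is what repeated connect attempts that never exchange data look
    like (an interpretation; the report prints no received bytes for these)."""
    hits = [f for f in flows if f[0] == endpoint]
    return sum(f[2] for f in hits) / sum(f[3] for f in hits)


def attempts_by_endpoint(flows):
    """Collapse the repeated rows into one attempt count per endpoint."""
    counts = {}
    for remote, _, _, _ in flows:
        counts[remote] = counts.get(remote, 0) + 1
    return counts


def unattributed_hosts(flows):
    """Hosts the report ties to no sample process: candidates for OS or sandbox
    background traffic, to be checked rather than assumed benign."""
    hosts = {f[0].rsplit(":", 1)[0] for f in flows if f[1] is None}
    return sorted(hosts, key=ip_address)


def ptr_target(query):
    """Turn a reverse-lookup name back into the forward IPv4 address to pivot on."""
    name = query.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        raise ValueError(f"not a reverse-lookup name: {query}")
    labels = name[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4:
        raise ValueError(f"not a full IPv4 PTR name: {query}")
    return str(ip_address(".".join(reversed(labels))))


if __name__ == "__main__":
    print(c2_summary(FLOWS, CONFIG))
    print(mean_packet_size(FLOWS, "185.161.248.37:4138"))
    print(attempts_by_endpoint(FLOWS))
    print(unattributed_hosts(FLOWS))
    print([ptr_target(q) for q in PTR_QUERIES])
```

Run stand-alone it reports six attempts from l8580593.exe to the configured C2 totalling 1404 B over 27 packets, four endpoints with no process attribution, and the nine forward addresses behind the PTR names, which is the pivot list to take to passive DNS or an allow-list before deciding whether that traffic is the guest's own.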

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2501370.exe

    Filesize

    750KB

    MD5

    0500fd3e93d3b1d1c668bd1ddb2c335c

    SHA1

    3e78d16bb8c85bb3ec4def142b48efde564c04a9

    SHA256

    20232bc5eb828ddbec60f01c2ab2f7ce250490e01a2dfe33518b5a84674323fe

    SHA512

    5f20b65c60136ab1db0e690e7a339a69f8d9a0537ec704d138aa3ff4707b15e4745903bcdcf517d905b4dfd8ca499c3441565ba5f78e700a2bf036cbe7442adf

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9897793.exe

    Filesize

    305KB

    MD5

    8ffef05a7c87d31fdf35aa7467119627

    SHA1

    00120a17c8b7c36e5b7c14f91a01a9dba9dd1030

    SHA256

    872df7c6f35a3d2603518d59d6249ea88572c2ef3e635b39998631e183a15c6c

    SHA512

    fcbfa224d0fd0d7b5071e106ef7c7b4be3bca0805e5db6e2dff6de40634d051c3cfcedfec05e922c4ff6807fd48a91ae8134bf3c0d8dbfc23c23e74e221c01b6

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7190923.exe

    Filesize

    186KB

    MD5

    fca0f1c3037a2b4f0b9871e10e16c038

    SHA1

    80c39dfb8b07c97cdae11d5c7e335c4d96b0aef1

    SHA256

    b86263755a383b136d8da35c23bf5a8e59b6743fb9e5942a4e7378dfab5928ec

    SHA512

    44f428d58a62f45f2e3febfd2bd43f9cc2731ca434f9e319ec6671d6a1dcec9928797896b0a7edd0c34c7a9a14525f53d0a4cc6b79a20597376ef44887473801

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8580593.exe

    Filesize

    145KB

    MD5

    030c62470251bad5ea2d288efca95591

    SHA1

    799e7324ba03d96efa7be12d6baf6396e7754918

    SHA256

    4cac0717b5ddf640fbcd467e6b5155372412013f9860aada39177e0003559190

    SHA512

    0e166a99ebedb7021763212182ffce8688286c8530fcbc2a7f411c3bc0dcb89fe8a45890efe258e69a32c0f440d36b3756a6fbaa8a31fb89a9708831e7b80c47

  • Memory dumps (PID 432 is l8580593.exe and PID 5044 is k7190923.exe, per the process tree above; the fifteen 88KB dumps are repeated captures of the same region of PID 5044)

    Dump                                                              Filesize
    memory/432-188-0x0000000000C10000-0x0000000000C3A000-memory.dmp   168KB
    memory/432-189-0x0000000005A50000-0x0000000006068000-memory.dmp   6.1MB
    memory/432-190-0x0000000005570000-0x000000000567A000-memory.dmp   1.0MB
    memory/432-191-0x00000000054A0000-0x00000000054B2000-memory.dmp   72KB
    memory/432-192-0x0000000005500000-0x000000000553C000-memory.dmp   240KB
    memory/432-193-0x0000000005560000-0x0000000005570000-memory.dmp   64KB
    memory/432-194-0x0000000005560000-0x0000000005570000-memory.dmp   64KB
    memory/5044-154-0x00000000024D0000-0x00000000024E0000-memory.dmp  64KB
    memory/5044-155-0x0000000004930000-0x0000000004ED4000-memory.dmp  5.6MB
    memory/5044-156-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-157-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-159-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-161-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-163-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-165-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-167-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-169-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-171-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-173-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-175-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-177-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-179-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-181-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
    memory/5044-183-0x0000000004F20000-0x0000000004F36000-memory.dmp  88KB
