Analysis
max time kernel: 51s
max time network: 61s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2023, 16:21
Static task: static1
Behavioral task: behavioral1
Sample: BgxLoader.exe
Resource: win10v2004-20230220-en
6 signatures
60 seconds
General
Target: BgxLoader.exe
Size: 356KB
MD5: a76cd83e441767ddcec3cb1968ef2ea9
SHA1: 18e6f88dc281fbd802d717c27434c3f696ff046a
SHA256: 00698421b9308556993240b3560a6e85ecfc982467b72b9ccc5ec71f297ea59b
SHA512: 4b0ffc51be1512d70861b3441bc682570aaaa7fe36dbfe3def0cb74b9adb23fae254203bfd7b3caa335f5900c52dc825db8c94395892b850bf68f1becbe849bd
SSDEEP: 6144:Sfz1lIMaVvfDKcpcgCM1MBUB08Yv7E8o9p3i7B+:wPItR7Kcpcgv1n+vAJRik
Score: 10/10
Malware Config
Extracted
Family: redline
C2: 5.42.65.101:40676
Attributes
auth_value: c4cca4b82dd435b79cda31c2f661f1e7
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process        procid_target
  PID 3084 set thread context of 436   3084  BgxLoader.exe  84
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  436  AppLaunch.exe
  436  AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  436  AppLaunch.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process        procid_target
  PID 3084 wrote to memory of 436   3084  BgxLoader.exe  84
  PID 3084 wrote to memory of 436   3084  BgxLoader.exe  84
  PID 3084 wrote to memory of 436   3084  BgxLoader.exe  84
  PID 3084 wrote to memory of 436   3084  BgxLoader.exe  84
  PID 3084 wrote to memory of 436   3084  BgxLoader.exe  84
Processes
1. C:\Users\Admin\AppData\Local\Temp\BgxLoader.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\BgxLoader.exe"
   PID: 3084
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of PID 3084)
      Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      PID: 436
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken