Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    08/06/2023, 10:35 UTC

General

  • Target

    5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe

  • Size

    309KB

  • MD5

    63315c91cfad4baca419a337767bc9b5

  • SHA1

    1bb12367b8b11a7bd54d8b7310b1f67d5a671ec0

  • SHA256

    5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64

  • SHA512

    17423cfd5f2cf4e6f7a9d52b5508744fab6c2d7d9fd8309c213bb8e42f77387ef69b8e0df1ae1338ef24294ccfe0d9cb220d9999d3e4eaa56e84c42e1d29d9cc

  • SSDEEP

    6144:wD5k3As3xGy6FMqAewvTygXUNVS4MGh1aBFrvz1xcxc7N0:wD20yTqA1yR1aBFrvz1xcxo0

Malware Config

Extracted

Family

redline

Botnet

sheron

C2

83.97.73.129:19068

Attributes
  • auth_value

    2d067e7e2372227d3a03b335260112e9

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe
    "C:\Users\Admin\AppData\Local\Temp\5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:4464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 144
        2⤵
        • Program crash
        PID:1340

Network

    • flag-us
      DNS
      52.4.107.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      52.4.107.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.8.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.8.109.52.in-addr.arpa
      IN PTR
      Response
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      156 B
      120 B
      3
      3
    • 83.97.73.129:19068
      AppLaunch.exe
      52 B
      40 B
      1
      1
    • 8.8.8.8:53
      52.4.107.13.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      52.4.107.13.in-addr.arpa

    • 8.8.8.8:53
      86.8.109.52.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.8.109.52.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

    • memory/4464-117-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/4464-125-0x0000000005480000-0x0000000005486000-memory.dmp

      Filesize

      24KB

    • memory/4464-126-0x00000000099E0000-0x0000000009FE6000-memory.dmp

      Filesize

      6.0MB

    • memory/4464-127-0x00000000094E0000-0x00000000095EA000-memory.dmp

      Filesize

      1.0MB

    • memory/4464-128-0x0000000006E00000-0x0000000006E12000-memory.dmp

      Filesize

      72KB

    • memory/4464-129-0x00000000093D0000-0x000000000940E000-memory.dmp

      Filesize

      248KB

    • memory/4464-130-0x00000000093C0000-0x00000000093D0000-memory.dmp

      Filesize

      64KB

    • memory/4464-131-0x0000000009410000-0x000000000945B000-memory.dmp

      Filesize

      300KB

    • memory/4464-148-0x00000000093C0000-0x00000000093D0000-memory.dmp

      Filesize

      64KB
