Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
08/06/2023, 10:35 UTC
Static task
static1
Behavioral task
behavioral1
Sample
5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe
Resource
win10-20230220-en
General
-
Target
5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe
-
Size
309KB
-
MD5
63315c91cfad4baca419a337767bc9b5
-
SHA1
1bb12367b8b11a7bd54d8b7310b1f67d5a671ec0
-
SHA256
5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64
-
SHA512
17423cfd5f2cf4e6f7a9d52b5508744fab6c2d7d9fd8309c213bb8e42f77387ef69b8e0df1ae1338ef24294ccfe0d9cb220d9999d3e4eaa56e84c42e1d29d9cc
-
SSDEEP
6144:wD5k3As3xGy6FMqAewvTygXUNVS4MGh1aBFrvz1xcxc7N0:wD20yTqA1yR1aBFrvz1xcxo0
Malware Config
Extracted
redline
sheron
83.97.73.129:19068
-
auth_value
2d067e7e2372227d3a03b335260112e9
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3240 set thread context of 4464 3240 5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe 67 -
Program crash 1 IoCs
pid pid_target Process procid_target 1340 3240 WerFault.exe 65 -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3240 wrote to memory of 4464 3240 5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe 67 PID 3240 wrote to memory of 4464 3240 5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe 67 PID 3240 wrote to memory of 4464 3240 5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe 67 PID 3240 wrote to memory of 4464 3240 5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe 67 PID 3240 wrote to memory of 4464 3240 5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe 67
Processes
-
C:\Users\Admin\AppData\Local\Temp\5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe"C:\Users\Admin\AppData\Local\Temp\5de35859694f372a874daeabab283fd0ce60955a210187323dd9bc83dde4fb64.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:4464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1442⤵
- Program crash
PID:1340
-
Network
-
Remote address:8.8.8.8:53Request52.4.107.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.8.109.52.in-addr.arpaIN PTRResponse
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
156 B 120 B 3 3
-
52 B 40 B 1 1