Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

23fbee8f0f...JC.exe

windows7-x64

10

23fbee8f0f...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/08/2023, 09:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23fbee8f0fc05dc38f50f341c80cd5f5f40e9d546b8f7a3e3ddf3608322f78b9_JC.exe

  • Size

    2.5MB

  • MD5

    73f6aab3ac44197983d1744638262aa6

  • SHA1

    e393c0efad3facaccf78cd3dfea8c850d1fcabc5

  • SHA256

    23fbee8f0fc05dc38f50f341c80cd5f5f40e9d546b8f7a3e3ddf3608322f78b9

  • SHA512

    5254105cb31a545d0d99d82cbf6cd6a70198cf6a7b269cc408cf56a8989a7cafa1c8993930f90d1dbc24df5e8ca94ded8551dc12024710a1c03860ccaaa88903

  • SSDEEP

    24576:zvfDdstXT4e+MXrgWlDg8MnmBJyQVvDEH:z2XT4e+OdrLBBxEH

Score
10/10
redlineinfostealerspyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23fbee8f0fc05dc38f50f341c80cd5f5f40e9d546b8f7a3e3ddf3608322f78b9_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\23fbee8f0fc05dc38f50f341c80cd5f5f40e9d546b8f7a3e3ddf3608322f78b9_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4268
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 428
      2⤵
      • Program crash
      PID:3212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3668 -ip 3668
    1⤵
      PID:3700

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3668-133-0x00000000004F0000-0x00000000007BF000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3668-135-0x00000000004F0000-0x00000000007BF000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/4268-134-0x0000000000800000-0x000000000085A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4268-140-0x0000000074BC0000-0x0000000075370000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4268-141-0x00000000078E0000-0x0000000007E84000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4268-142-0x00000000073D0000-0x0000000007462000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4268-143-0x00000000075A0000-0x00000000075B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4268-144-0x0000000007340000-0x000000000734A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4268-145-0x00000000084B0000-0x0000000008AC8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4268-146-0x00000000075B0000-0x00000000075C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4268-147-0x0000000007790000-0x000000000789A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4268-148-0x0000000007610000-0x000000000764C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4268-149-0x0000000007F00000-0x0000000007F66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4268-150-0x0000000008CD0000-0x0000000008D20000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4268-151-0x0000000008DA0000-0x0000000008E16000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4268-152-0x0000000000EC0000-0x0000000000EDE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4268-153-0x0000000009DC0000-0x0000000009F82000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4268-154-0x000000000A4C0000-0x000000000A9EC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4268-156-0x0000000074BC0000-0x0000000075370000-memory.dmp

      Filesize

      7.7MB

      Download