Analysis
max time kernel: 98s
max time network: 103s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/08/2023, 06:05
Static task: static1
Behavioral task: behavioral1
Sample: e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f.exe
Resource: win10-20230703-en
General
Target: e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f.exe
Size: 338KB
MD5: d637248c2a60ab76b9100534c2d3c1ff
SHA1: 54b15fcc5ea9b50c7a26e74aa6a7bd8b75cefba4
SHA256: e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f
SHA512: bfb51a5f05beb0d0f0e1b7606a05f5d5c25aabd5984efd03aac108194edb75b620dfe1f25e54e2b70b941cb2e2aa28dc2397256796f97ae27d72e6ef20ab5cce
SSDEEP: 6144:2GvtXLe2pK+6lTgqxI1/sHymR1b28+hmndP:289q20+KT74eN1bj
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.83.170.21:19447
auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid  Process
  656  e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f.exe
  656  e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f.exe
  656  e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  656  e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e04fa0e503137dfc2219c5c2e0f8644ab236a002d665ca3fb297428548d4580f.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 656