Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8218e24698...41.exe

windows7-x64

10

8218e24698...41.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/08/2023, 05:46 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8218e24698a7118d8377e60c30d92341.exe

  • Size

    201KB

  • MD5

    8218e24698a7118d8377e60c30d92341

  • SHA1

    0219cab4c3d1203badfc6666ab632ac5c29946f1

  • SHA256

    5459835af56f5d5fd3bf0a3abb1cedc126a63c57eef8c0bcbd797366177a8f0d

  • SHA512

    21354dd4d9d8df643f8117e7a029361a2368d5ae7f6edace27e8bdb2797aba453b0b003820bfe9391783c847438438ff7b45afe872640dc3befcf1357005d7f6

  • SSDEEP

    3072:KxLeZ1gif5JlqfrtfugOQU7sJn9XQHwKSMHkZtERVsJtyAip0QMvB:eLNJDVSfkZQQKSmetE+tUp0QMv

Score
10/10
redlineinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8218e24698a7118d8377e60c30d92341.exe
    "C:\Users\Admin\AppData\Local\Temp\8218e24698a7118d8377e60c30d92341.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Local\Temp\8218e24698a7118d8377e60c30d92341.exe
      C:\Users\Admin\AppData\Local\Temp\8218e24698a7118d8377e60c30d92341.exe
      2⤵
        PID:2896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 792
          3⤵
          • Program crash
          PID:4076
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2896 -ip 2896
      1⤵
        PID:2724

      Network

      • flag-us
        DNS
        146.78.124.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        146.78.124.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        254.129.241.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        254.129.241.8.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        133.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        2.136.104.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        2.136.104.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        26.165.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.165.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        8.3.197.209.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.3.197.209.in-addr.arpa
        IN PTR
        Response
        8.3.197.209.in-addr.arpa
        IN PTR
        vip0x008map2sslhwcdnnet
      • flag-us
        DNS
        43.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        43.229.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        226.162.46.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        226.162.46.104.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        146.78.124.51.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        146.78.124.51.in-addr.arpa

      • 8.8.8.8:53
        254.129.241.8.in-addr.arpa
        dns
        72 B
         126 B
         1
        1

        DNS Request

        254.129.241.8.in-addr.arpa

      • 8.8.8.8:53
        133.32.126.40.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        133.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        2.136.104.51.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        2.136.104.51.in-addr.arpa

      • 8.8.8.8:53
        26.165.165.52.in-addr.arpa
        dns
        72 B
         146 B
         1
        1

        DNS Request

        26.165.165.52.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
         146 B
         1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        8.3.197.209.in-addr.arpa
        dns
        70 B
         111 B
         1
        1

        DNS Request

        8.3.197.209.in-addr.arpa

      • 8.8.8.8:53
        43.229.111.52.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        43.229.111.52.in-addr.arpa

      • 8.8.8.8:53
        226.162.46.104.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        226.162.46.104.in-addr.arpa

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8218e24698a7118d8377e60c30d92341.exe.log
        Filesize

        425B

        MD5

        4eaca4566b22b01cd3bc115b9b0b2196

        SHA1

        e743e0792c19f71740416e7b3c061d9f1336bf94

        SHA256

        34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

        SHA512

        bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

        Download Submit

      • memory/1796-133-0x00000000001C0000-0x00000000001F8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1796-134-0x0000000075390000-0x0000000075B40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1796-139-0x0000000075390000-0x0000000075B40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2896-135-0x0000000000400000-0x000000000045A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2896-138-0x0000000075390000-0x0000000075B40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2896-140-0x0000000075390000-0x0000000075B40000-memory.dmp

        Filesize

        7.7MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.