Analysis
- max time kernel: 141s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2023, 07:26
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe
  - Resource: win7-20230712-en
Behavioral task
- behavioral2
  - Sample: 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe
  - Resource: win10v2004-20230703-en
General
- Target: 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe
- Size: 7.3MB
- MD5: 7278b6ce3ddda7dba2473e0392e54ea6
- SHA1: 3b406f221237fe9bfce48daa9033eda93ecc9b94
- SHA256: 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb6ac5f3a1b08a00f3d49
- SHA512: 02a8d04d327757e3d9df6de2d14b5e2143e01798bf25a51e32555afeac494ae64f66fd5493a9ce28ce850be48c6febe264c61330e67391c694fd910a99247f72
- SSDEEP: 196608:+dgX4LVznF3zQgkIRflnOzSc4pGRo9Jvy:3UzdzqIRtnYSi6zvy
Malware Config
Extracted
- Family: redline
- Botnet: metafile
- C2: 91.103.252.39:7899
- Attributes: auth_value 9ac6dc6d653e5268fd38b21a0ec2b458
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2668 set thread context of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4984 | vbc.exe
  4984 | vbc.exe
  4984 | vbc.exe
  4984 | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4984 | vbc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2668 wrote to memory of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
  PID 2668 wrote to memory of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
  PID 2668 wrote to memory of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
  PID 2668 wrote to memory of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
  PID 2668 wrote to memory of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
  PID 2668 wrote to memory of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
  PID 2668 wrote to memory of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
  PID 2668 wrote to memory of 4984 | 2668 | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe (PID 2668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 4984)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken