Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
292s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system -
submitted
18/09/2023, 01:34
Static task
static1
Behavioral task
behavioral1
Sample
j1850751.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
j1850751.exe
Resource
win10-20230915-en
General
-
Target
j1850751.exe
-
Size
393KB
-
MD5
515d22083483fb4fb2f5ca6455754723
-
SHA1
0c44ef2831de6999248610ed5a8869c5ff2b3db7
-
SHA256
fb787607b521c23bd9f7c9235f383b5a58f0c14b86e9f754c8c06ee0c7c4dacd
-
SHA512
29fac4649976c0481323577cbadf48eee06655d5bbf87da202ae0c4886d44d2528bd03531fa3e005402e840ee0d54484031a2a8a8f158532af076b0b4489f08a
-
SSDEEP
6144:facaGEZt20ZSwbz8+Dxe8kVAOYlQsNAH0ZnzInOrj6TZR9YKulbHSY1h8Ey:faFzZtT78Ti2QpP1h8Ey
Malware Config
Extracted
redline
monik
77.91.124.82:19071
-
auth_value
da7d9ea0878f5901f1f8319d34bdccea
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1508 set thread context of 4556 1508 j1850751.exe 71 -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1508 wrote to memory of 4556 1508 j1850751.exe 71 PID 1508 wrote to memory of 4556 1508 j1850751.exe 71 PID 1508 wrote to memory of 4556 1508 j1850751.exe 71 PID 1508 wrote to memory of 4556 1508 j1850751.exe 71 PID 1508 wrote to memory of 4556 1508 j1850751.exe 71 PID 1508 wrote to memory of 4556 1508 j1850751.exe 71 PID 1508 wrote to memory of 4556 1508 j1850751.exe 71 PID 1508 wrote to memory of 4556 1508 j1850751.exe 71
Processes
-
C:\Users\Admin\AppData\Local\Temp\j1850751.exe"C:\Users\Admin\AppData\Local\Temp\j1850751.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:4556
-