Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12/03/2024, 16:24
Static task
static1
Behavioral task
behavioral1
Sample
PatronLaunch.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
PatronLaunch.exe
Resource
win10v2004-20240226-en
General
-
Target
PatronLaunch.exe
-
Size
2.1MB
-
MD5
ff1d96499dab76405e7a1a36c288bb52
-
SHA1
35040f2bcb352395548efd8e6ec8a4037ce8a923
-
SHA256
485dd83e372fa43f118370047bc58c0945df1c6aeed915dcbd666e01ec84ce1e
-
SHA512
5d6c66f75613ce23709b753150fb8d8cf02ffeb08d226755f00a0aa09d40e60117c5ca69a21ffee11581c0bfd9e3de852446d1ad77a3f6bd710ebcf2da77233d
-
SSDEEP
24576:3NvgNRDrGA5/pCgaFwXUaUIvJiQ9ecH40F4gMFci4L:p6rp5/pY6kAQQ9ecHn4dyn
Malware Config
Extracted
redline
1249754941_99
https://pastebin.com/raw/8baCJyMF
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/1068-0-0x0000000002390000-0x00000000023B2000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 15 pastebin.com 16 pastebin.com -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe 1068 PatronLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1068 PatronLaunch.exe