Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08/05/2024, 00:37 UTC

General

  • Target

    cf3b53988f8ac41ceb4e2941d1ae3f36dcd34766f527e1c51f7513869d8b4a15.exe

  • Size

    314KB

  • MD5

    d17e839ac938c0fe1b5ae61e458e2879

  • SHA1

    5f5d2368b3c5d91560af9ba4a3dc6a8907c4d81d

  • SHA256

    cf3b53988f8ac41ceb4e2941d1ae3f36dcd34766f527e1c51f7513869d8b4a15

  • SHA512

    0a3b91c8fbb04aa49716a3fef14e6828376c5004607138b74bc3c422e1dc5e70d7c0d9b4ad56b0d94d3e1d15082ad577922d3d9878741efd01a88d2fc765b261

  • SSDEEP

    6144:l5npI60nbM8uPZy3+8KID1BurfcqslPdDMQ44I1XrZXHS:7n+60nbnuuBcvQp54vNHS

Malware Config

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf3b53988f8ac41ceb4e2941d1ae3f36dcd34766f527e1c51f7513869d8b4a15.exe
    "C:\Users\Admin\AppData\Local\Temp\cf3b53988f8ac41ceb4e2941d1ae3f36dcd34766f527e1c51f7513869d8b4a15.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2024

Network

  • DNS query: pastebin.com (process: RegAsm.exe, remote address: 8.8.8.8:53, country: US)
    Request
    pastebin.com IN A
    Response
    pastebin.com IN A 104.20.3.235
    pastebin.com IN A 104.20.4.235
    pastebin.com IN A 172.67.19.24
  • DNS query: 235.3.20.104.in-addr.arpa (process: RegAsm.exe, remote address: 8.8.8.8:53, country: US)
    Request
    235.3.20.104.in-addr.arpa IN PTR
    Response
    (no answer records)
  • DNS query: aifiller.sbs (process: RegAsm.exe, remote address: 8.8.8.8:53, country: US)
    Request
    aifiller.sbs IN A
    Response
    aifiller.sbs IN A 116.203.6.63
  • DNS query: 63.6.203.116.in-addr.arpa (process: RegAsm.exe, remote address: 8.8.8.8:53, country: US)
    Request
    63.6.203.116.in-addr.arpa IN PTR
    Response
    63.6.203.116.in-addr.arpa IN PTR static.63.6.203.116.clients.your-server.de
  • DNS query: nexusrules.officeapps.live.com (process: RegAsm.exe, remote address: 8.8.8.8:53, country: US)
    Request
    nexusrules.officeapps.live.com IN A
    Response
    nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net IN A 52.111.227.11
  • DNS query: 11.227.111.52.in-addr.arpa (process: RegAsm.exe, remote address: 8.8.8.8:53, country: US)
    Request
    11.227.111.52.in-addr.arpa IN PTR
    Response
    (no answer records)
  • DNS query: self.events.data.microsoft.com (process: RegAsm.exe, remote address: 8.8.8.8:53, country: US)
    Request
    self.events.data.microsoft.com IN A
    Response
    self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net IN CNAME onedscolprdcus19.centralus.cloudapp.azure.com
    onedscolprdcus19.centralus.cloudapp.azure.com IN A 52.182.143.214
  • DNS query: 214.143.182.52.in-addr.arpa (process: RegAsm.exe, remote address: 8.8.8.8:53, country: US)
    Request
    214.143.182.52.in-addr.arpa IN PTR
    Response
    (no answer records)
  • 104.20.3.235:443
    pastebin.com
    tls
    RegAsm.exe
    805 B
    6.0kB
    8
    8
  • 116.203.6.63:443
    aifiller.sbs
    https
    RegAsm.exe
    1.0MB
    19.9kB
    754
    313
  • 8.8.8.8:53
    pastebin.com
    dns
    RegAsm.exe
    555 B
    1.1kB
    8
    8

    DNS Request

    pastebin.com

    DNS Response

    104.20.3.235
    104.20.4.235
    172.67.19.24

    DNS Request

    235.3.20.104.in-addr.arpa

    DNS Request

    aifiller.sbs

    DNS Response

    116.203.6.63

    DNS Request

    63.6.203.116.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.227.11

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    52.182.143.214

    DNS Request

    214.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2024-8-0x00000000061E0000-0x000000000621C000-memory.dmp

    Filesize

    240KB

  • memory/2024-10-0x0000000006550000-0x0000000006712000-memory.dmp

    Filesize

    1.8MB

  • memory/2024-2-0x000000007499E000-0x000000007499F000-memory.dmp

    Filesize

    4KB

  • memory/2024-3-0x0000000004E50000-0x0000000004EB6000-memory.dmp

    Filesize

    408KB

  • memory/2024-4-0x0000000005980000-0x0000000005F98000-memory.dmp

    Filesize

    6.1MB

  • memory/2024-5-0x00000000053E0000-0x00000000053F2000-memory.dmp

    Filesize

    72KB

  • memory/2024-6-0x0000000005510000-0x000000000561A000-memory.dmp

    Filesize

    1.0MB

  • memory/2024-7-0x0000000074990000-0x0000000075141000-memory.dmp

    Filesize

    7.7MB

  • memory/2024-18-0x0000000074990000-0x0000000075141000-memory.dmp

    Filesize

    7.7MB

  • memory/2024-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2024-9-0x0000000006220000-0x000000000626C000-memory.dmp

    Filesize

    304KB

  • memory/2024-11-0x0000000006C50000-0x000000000717C000-memory.dmp

    Filesize

    5.2MB

  • memory/2024-13-0x0000000006720000-0x00000000067B2000-memory.dmp

    Filesize

    584KB

  • memory/2024-12-0x0000000007730000-0x0000000007CD6000-memory.dmp

    Filesize

    5.6MB

  • memory/2024-14-0x0000000006840000-0x00000000068B6000-memory.dmp

    Filesize

    472KB

  • memory/2024-15-0x0000000006800000-0x000000000681E000-memory.dmp

    Filesize

    120KB

  • memory/2024-16-0x0000000007180000-0x00000000071D0000-memory.dmp

    Filesize

    320KB

  • memory/4628-1-0x0000000000840000-0x0000000000841000-memory.dmp

    Filesize

    4KB