Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral2
  Sample: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
  Resource: win11-20240426-en
General
Target: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
Size: 267KB
MD5: 75784927e58273f6ed2fea6bfb71fbef
SHA1: 5f80cf17578456c4845ecb9eea18ef92fd103bc6
SHA256: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f
SHA512: fb6febfc3bea565662462dc02326c8c9045d7db170edaa5052e67f7a043c7a03c7d8c33f8e43d32fc5c53e54072c00582553d06cfcef72879b87e1e4716389fe
SSDEEP: 6144:XdcllhS4qdxjPxUUsnNJHgYussMG9lpC+2mmKU:Na/SNRWHvussMGbOKU
Malware Config
Extracted
redline
5345987420
https://pastebin.com/raw/KE5Mft0T
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral1/memory/4400-0-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 64 IoCs)
flow | ioc
All 64 flagged flows go to pastebin.com. Flow IDs, in report order: 266, 683, 802, 699, 792, 1014, 369, 455, 841, 1135, 362, 723, 782, 892, 810, 148, 692, 731, 795, 191, 747, 781, 721, 801, 86, 177, 425, 903, 463, 526, 800, 619, 142, 472, 524, 946, 1037, 105, 178, 788, 956, 971, 1104, 123, 234, 473, 139, 386, 999, 460, 50, 58, 415, 408, 109, 256, 318, 438, 566, 941, 23, 571, 725, 765.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4724 set thread context of 4400 | 4724 | 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe | 87

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
4400 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4400 | RegAsm.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 4724 wrote to memory of 3364 (3 events) | 4724 | 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe | 86
PID 4724 wrote to memory of 4400 (8 events) | 4724 | 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe (PID 4724)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3364)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4400)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
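Read together, the WriteProcessMemory and SetThreadContext signatures and the process tree show the classic process-hollowing sequence: the sample spawns a legitimate .NET host (RegAsm.exe), writes into it, and replaces its thread context so execution moves to the written code; the family_redline YARA hit on PID 4400's memory at 0x400000 is the hollowed process carrying the stealer, and the later EnumeratesProcesses and SeDebugPrivilege events are attributed to that RegAsm.exe rather than to the dropper. The second RegAsm.exe (PID 3364) received writes but no thread-context change and shows no further activity. The script below is an added example (not tria.ge code) that correlates this kind of sandbox event stream into a per-target verdict; the PIDs and image paths are taken from the report, while the event dict schema, the parent's missing ppid, and the list of commonly hollowed .NET hosts are assumptions for the example.

```python
"""Correlate sandbox process events into an injection verdict.

Added example, not tria.ge code. The event records are constructed from the
PIDs and image paths in this report; the field names (event, pid, ppid,
target_pid, image, privilege) are an assumed schema, not tria.ge's.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Legitimate .NET framework binaries commonly used as hollowing hosts by
# RedLine-style loaders. Assumed list for the example; extend from telemetry.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe"}

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe")
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed from the report: 4724 spawns RegAsm.exe twice (3364, 4400),
# writes 3 times into 3364 and 8 times into 4400, but only resets the thread
# context of 4400; 4400 then enumerates processes and enables SeDebugPrivilege.
EVENTS = [
    {"event": "process_create", "pid": 4724, "ppid": None, "image": PARENT},
    {"event": "process_create", "pid": 3364, "ppid": 4724, "image": REGASM},
    {"event": "process_create", "pid": 4400, "ppid": 4724, "image": REGASM},
    *({"event": "WriteProcessMemory", "pid": 4724, "target_pid": 3364} for _ in range(3)),
    *({"event": "WriteProcessMemory", "pid": 4724, "target_pid": 4400} for _ in range(8)),
    {"event": "SetThreadContext", "pid": 4724, "target_pid": 4400},
    {"event": "EnumeratesProcesses", "pid": 4400},
    {"event": "AdjustPrivilegeToken", "pid": 4400, "privilege": "SeDebugPrivilege"},
]


@dataclass
class Finding:
    writer_pid: int
    target_pid: int
    target_image: str
    writes: int
    thread_context_set: bool
    child_of_writer: bool
    post_injection: List[str]  # behaviour observed in the target afterwards

    @property
    def verdict(self) -> str:
        # Hollowing needs all three: a child the writer created, memory
        # written into it, and its thread context replaced so execution moves
        # to the written code. A write alone is weaker evidence.
        if self.writes and self.thread_context_set and self.child_of_writer:
            return "process_hollowing"
        if self.writes:
            return "cross_process_write"
        return "none"


def correlate(events: List[dict]) -> List[Finding]:
    """Group write/context events by (writer, target) and attach context."""
    image: Dict[int, str] = {}
    ppid: Dict[int, Optional[int]] = {}
    writes: Counter = Counter()
    ctx: Set[Tuple[int, int]] = set()
    post: Dict[int, List[str]] = {}
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            image[ev["pid"]] = ev["image"]
            ppid[ev["pid"]] = ev["ppid"]
        elif kind == "WriteProcessMemory":
            writes[(ev["pid"], ev["target_pid"])] += 1
        elif kind == "SetThreadContext":
            ctx.add((ev["pid"], ev["target_pid"]))
        else:
            label = kind + (":" + ev["privilege"] if "privilege" in ev else "")
            post.setdefault(ev["pid"], []).append(label)
    findings = []
    for writer, target in sorted(set(writes) | ctx):
        findings.append(Finding(
            writer_pid=writer,
            target_pid=target,
            target_image=image.get(target, "?"),
            writes=writes[(writer, target)],
            thread_context_set=(writer, target) in ctx,
            child_of_writer=ppid.get(target) == writer,
            post_injection=post.get(target, []),
        ))
    return findings


def is_hollowed_dotnet_host(f: Finding) -> bool:
    """True when a hollowing verdict lands on a known .NET host binary."""
    name = f.target_image.rsplit("\\", 1)[-1].lower()
    return f.verdict == "process_hollowing" and name in DOTNET_HOSTS


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f.target_pid, f.target_image.rsplit("\\", 1)[-1],
              f.verdict, f.writes, f.post_injection)
```

The split between `process_hollowing` and `cross_process_write` is deliberate: on this report only PID 4400 satisfies all three conditions, which matches where the YARA hit and the post-injection behaviour land, while PID 3364 is reported as a weaker write-only finding rather than suppressed.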