Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09/05/2024, 05:49

Static task: static1

Behavioral task: behavioral1
- Sample: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
- Resource: win10v2004-20240426-en

Behavioral task: behavioral2
- Sample: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
- Resource: win11-20240426-en
General

- Target: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
- Size: 267KB
- MD5: 75784927e58273f6ed2fea6bfb71fbef
- SHA1: 5f80cf17578456c4845ecb9eea18ef92fd103bc6
- SHA256: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f
- SHA512: fb6febfc3bea565662462dc02326c8c9045d7db170edaa5052e67f7a043c7a03c7d8c33f8e43d32fc5c53e54072c00582553d06cfcef72879b87e1e4716389fe
- SSDEEP: 6144:XdcllhS4qdxjPxUUsnNJHgYussMG9lpC+2mmKU:Na/SNRWHvussMGbOKU
Malware Config

Extracted
- Family: redline
- Botnet: 5345987420
- C2: https://pastebin.com/raw/KE5Mft0T
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoCs)
  resource: behavioral2/memory/2524-0-0x0000000000400000-0x0000000000422000-memory.dmp
  yara_rule: family_redline

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 64 IoCs)
  All 64 flows resolve to the same ioc, pastebin.com. Flow ids:
  216, 291, 308, 879, 985, 1052, 81, 278, 606, 243, 249, 387, 810, 1016, 633, 85, 99, 124, 130, 236, 310, 577, 960, 299, 950, 77, 599, 608, 663, 848, 6, 117, 350, 489, 639, 61, 483, 998, 63, 541, 699, 791, 572, 659, 737, 945, 436, 449, 463, 690, 715, 1061, 7, 29, 52, 551, 605, 920, 467, 748, 757, 911, 150, 613

- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2552 set thread context of 2524
  pid: 2552
  Process: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
  procid_target: 83

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 2524
  Process: RegAsm.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 2524
  Process: RegAsm.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Eight identical entries:
  description: PID 2552 wrote to memory of 2524
  pid: 2552
  Process: 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
  procid_target: 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe"
   PID: 2552
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 2524
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken