Analysis
max time kernel: 62s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 08:46
Tasks
Static task: static1

Task         Sample                                               Resource
behavioral1  FF 777v2.rar                                         win10v2004-20240508-en
behavioral2  FlightFactor 777 v2 (dev)/777-1.png                  win10v2004-20240426-en
behavioral3  FlightFactor 777 v2 (dev)/777-2.png                  win10v2004-20240426-en
behavioral4  FlightFactor 777 v2 (dev)/777-3.png                  win10v2004-20240426-en
behavioral5  FlightFactor 777 v2 (dev)/777-4.png                  win10v2004-20240508-en
behavioral6  FlightFactor 777 v2 (dev)/FlightFactor Manager.exe   win10v2004-20240426-en
behavioral7  FlightFactor 777 v2 (dev)/Installation.txt           win10v2004-20240508-en
General
Target: FlightFactor 777 v2 (dev)/FlightFactor Manager.exe
Size: 586KB
MD5: 1e4b0bfdd0d5c57acb489cf0996e3e3c
SHA1: ee05c9ac87f3046171248f7f7c223c2cecea4a98
SHA256: 87b09676a68307e1fd0b4f345d800dae21ba3ac310e2cc98a8dfb94d65e9d73b
SHA512: 858dbaee4f260be42f47e04b7abd1f7e4429d07f30f7bf3b021310ad3c14fd43dd8f28b95f3f61ea52f584cf0f960e9ffcc24fbf1a809fd7f957299e87fd1b5f
SSDEEP: 12288:/0WM9BNp+Y27AgN/HaDl7qXdH3GHbvKJdx/WRGZwS5NHW40Chd8Qc0qbO+cxQol2:/0Wge37AGK
Malware Config
Extracted
redline
642876484_99
https://pastebin.com/raw/8baCJyMF
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource                                                                    yara_rule
behavioral6/memory/1412-7-0x0000000000400000-0x0000000000422000-memory.dmp  family_redline

Loads dropped DLL (1 IoC)
pid   Process
3984  FlightFactor Manager.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
6     pastebin.com
7     pastebin.com

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process                   procid_target
PID 3984 set thread context of 1412  3984  FlightFactor Manager.exe  83

Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid   Process
1412  MSBuild.exe   (this row is reported 13 times, once per IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  1412  MSBuild.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                   procid_target
PID 3984 wrote to memory of 1412  3984  FlightFactor Manager.exe  83   (this row is reported 8 times, once per IoC)
Processes
1. C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe (PID 3984)
   Command line: "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1412)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 207KB
MD5: ad87b00856b26942f6cd0decd2c453d0
SHA1: 4f342d942e5db016ee01bbffada31b4b11d09991
SHA256: 8cba4c6c99d0882c72eaba3724253e57c8071ff358ac4065ba2ee229f0307168
SHA512: 2f19d8ab00566d54692ffa42880dc2610bfde24dad2469dd59957c6caef5b215ade45c435f401bc0796a003b80949e8d7383572099cb6fa438f7afdc8892a7c4