Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

CHEMICAL LIST.exe

windows7-x64

10

CHEMICAL LIST.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 06:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CHEMICAL LIST.exe

  • Size

    3.0MB

  • MD5

    abf2600458f712d9645e5edbb16440b7

  • SHA1

    60bc8ef5de29369989939b4532a0eed1ec767a34

  • SHA256

    eb8e955c0cda1d5166d4492eeabd1c00b5db7fb2371ce09cd3921ae16c70712e

  • SHA512

    b297b2b6569e9b8c85b8923e61c63f757882f86adda66c6c03ee043d07a387af005faba72e43676ba8ecfdd2cf369a35cfa2d98f9687cc075482864263a1c79a

  • SSDEEP

    12288:ucTJNESVs3XLF4d5LeIFuuffY6o4XQ/tLN5FmH9L1:uAjbVa4dxeIFu8L1X6ZNg9h

Score
10/10
redlinesectoprathalleinfostealerratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

halle

C2

194.55.186.180:55123

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CHEMICAL LIST.exe
    "C:\Users\Admin\AppData\Local\Temp\CHEMICAL LIST.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 308 -s 616
      2⤵
        PID:1708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp6215.tmp
      Filesize

      46KB

      MD5

      02d2c46697e3714e49f46b680b9a6b83

      SHA1

      84f98b56d49f01e9b6b76a4e21accf64fd319140

      SHA256

      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

      SHA512

      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp622B.tmp
      Filesize

      92KB

      MD5

      5f914a013176785e26d70d07234c605c

      SHA1

      5336e9ed6aeb682b46a0472f4f80ec24c4504210

      SHA256

      72b56bbce7e5e07702bf46a002c75cb3a8994fd390b190b989628d387d21975b

      SHA512

      103eff502bec0df1a36bd19a97ca1d10cc34da2183480fe146434ec916020011c8af003b66ab5f6f4886e95b21749be8d8c3c3ebf3ae1b2e5c6db216e8b4e1b2

      Download Submit

    • memory/308-1-0x0000000000A50000-0x0000000000A6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/308-2-0x000000001B0A0000-0x000000001B0BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/308-3-0x00000000009E0000-0x0000000000A50000-memory.dmp

      Filesize

      448KB

      Download

    • memory/308-4-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/308-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/308-96-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/308-95-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2168-8-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2168-5-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2168-12-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2168-14-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2168-15-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2168-16-0x0000000074B30000-0x000000007521E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2168-6-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2168-7-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2168-10-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2168-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2168-97-0x0000000074B30000-0x000000007521E000-memory.dmp

      Filesize

      6.9MB

      Download