Analysis
- max time kernel: 91s
- max time network: 95s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 14/07/2024, 20:19
Static task: static1
Behavioral task: behavioral1
- Sample: d6e0ea74ffbe6a29bb8583e30260af7ae0e49515a5487a58eafd2f33e8288e4a.exe
- Resource: win10v2004-20240709-en
Behavioral task: behavioral2
- Sample: d6e0ea74ffbe6a29bb8583e30260af7ae0e49515a5487a58eafd2f33e8288e4a.exe
- Resource: win11-20240709-en
General
- Target: d6e0ea74ffbe6a29bb8583e30260af7ae0e49515a5487a58eafd2f33e8288e4a.exe
- Size: 338KB
- MD5: 18eb374b2cfb4a6b21cd67856a69c366
- SHA1: ba351f402b8660b175278f87c6ea4073c97c2afe
- SHA256: d6e0ea74ffbe6a29bb8583e30260af7ae0e49515a5487a58eafd2f33e8288e4a
- SHA512: c648b1d752e4c6d5ea2c4a9f07377465962ae4a7d22286a6144d4e59fcb128018b6dfbc4cea03cf41d696e6f74c79ffab253890227063ab0544c890ffe281c9b
- SSDEEP: 6144:TwLSe/ppP+AegMMtRvu3LqBO/QWr487T8O5vg8Difi/2di8nEO:T4pP6gMEyU87TJMfxi8nEO
Malware Config
Extracted
- Family: redline
- 6951125327
- https://t.me/+7Lir0e4Gw381MDhi*https://steamcommunity.com/profiles/76561199038841443
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  resource: behavioral2/memory/4540-0-0x0000000000400000-0x0000000000422000-memory.dmp
  yara_rule: family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2112 set thread context of 4540
  pid: 2112
  Process: d6e0ea74ffbe6a29bb8583e30260af7ae0e49515a5487a58eafd2f33e8288e4a.exe
  procid_target: 79
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid: 4540
  Process: RegAsm.exe
  (the same pid/Process entry is listed 13 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 4540
  Process: RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2112 wrote to memory of 4540
  pid: 2112
  Process: d6e0ea74ffbe6a29bb8583e30260af7ae0e49515a5487a58eafd2f33e8288e4a.exe
  procid_target: 79
  (the same entry is listed 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\d6e0ea74ffbe6a29bb8583e30260af7ae0e49515a5487a58eafd2f33e8288e4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6e0ea74ffbe6a29bb8583e30260af7ae0e49515a5487a58eafd2f33e8288e4a.exe"
  PID: 2112
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 4540
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken