Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
25/07/2024, 20:28
Behavioral task
behavioral1
Sample
build.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
build.exe
Resource
win10v2004-20240709-en
General
-
Target
build.exe
-
Size
300KB
-
MD5
f58cc1f0f51acdd643b4bde386d71cd7
-
SHA1
82f56a03df780387767be9ced3185f27ebc81363
-
SHA256
3dd0e4f110a174d1cd5c918f3657f9e7285efa296737b3480c5ecae6677fe94e
-
SHA512
f20ab7d3639e78121e4430105d64157dc65dd40c2cc1945aa46a337e111293cf632abd44d82ddf87faeaef5587e521361c56ac4a0d5ad535993cadffd87d6ebd
-
SSDEEP
3072:6cZqf7D34ip/0+mAUkyw/GQEgzwB1fA0PuTVAtkxzG3RseqiOL2bBOA:6cZqf7DISnh9oB1fA0GTV8kIUL
Malware Config
Extracted
redline
Hooker
thomas-partly.gl.at.ply.gg:35433
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4452-1-0x0000000000EB0000-0x0000000000F02000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language build.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4452 build.exe 4452 build.exe 4452 build.exe 4452 build.exe 4452 build.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4452 build.exe