Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3run_exe/BI...s2.dll
windows7-x64
3run_exe/BI...s2.dll
windows10-2004-x64
3run_exe/BI...32.dll
windows7-x64
3run_exe/BI...32.dll
windows10-2004-x64
3run_exe/BI...LE.dll
windows7-x64
1run_exe/BI...LE.dll
windows10-2004-x64
1run_exe/by...te.exe
windows7-x64
10run_exe/by...te.exe
windows10-2004-x64
10run_exe/cjoc.dll
windows7-x64
1run_exe/cjoc.dll
windows10-2004-x64
1run_exe/djua.dll
windows7-x64
1run_exe/djua.dll
windows10-2004-x64
1run_exe/lua51.dll
windows7-x64
1run_exe/lua51.dll
windows10-2004-x64
1run_exe/so...ql.dll
windows10-2004-x64
1run_exe/sqlxmlx.dll
windows10-2004-x64
1Analysis
-
max time kernel
94s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30/09/2024, 00:32
Static task
static1
Behavioral task
behavioral1
Sample
run_exe/BIN/Qt5QuickTemplates2.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
run_exe/BIN/Qt5QuickTemplates2.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
run_exe/BIN/libeay32.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
run_exe/BIN/libeay32.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
run_exe/BIN/qtANGLE.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
run_exe/BIN/qtANGLE.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
run_exe/by_execute.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
run_exe/by_execute.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
run_exe/cjoc.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
run_exe/cjoc.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
run_exe/djua.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
run_exe/djua.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
run_exe/lua51.dll
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
run_exe/lua51.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
run_exe/source/msdasql.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral16
Sample
run_exe/sqlxmlx.dll
Resource
win10v2004-20240802-en
General
-
Target
run_exe/by_execute.exe
-
Size
310KB
-
MD5
ffc167fe4bb8867545b207b98445ef06
-
SHA1
fd0ee23647aba5ba511813a08b083594d8318c38
-
SHA256
3cbfe1436db51d0ed707f6a2beaf834561e2ff62e1cd91ed3f46021aeaf26ad6
-
SHA512
c3b554384aa57258079870be27b083955bf757cd24b68ccebc3abf95622f0f965c0351b1ca804fd5f17510f369f4fb9183e08ee7e15cffcbaf4bd6b2fbef29e0
-
SSDEEP
6144:cOE+KwEG34Q7U8k0p4ph+ZiKicfjq060hl3qLiqGaJDnRzIui:cZ+KrG34f8zHjiP066pOiqGaNq
Malware Config
Extracted
redline
185.196.9.26:6302
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral8/memory/4232-3-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4672 set thread context of 4232 4672 by_execute.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by_execute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4232 RegAsm.exe 4232 RegAsm.exe 4232 RegAsm.exe 4232 RegAsm.exe 4232 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4232 RegAsm.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4672 wrote to memory of 2996 4672 by_execute.exe 83 PID 4672 wrote to memory of 2996 4672 by_execute.exe 83 PID 4672 wrote to memory of 2996 4672 by_execute.exe 83 PID 4672 wrote to memory of 4232 4672 by_execute.exe 84 PID 4672 wrote to memory of 4232 4672 by_execute.exe 84 PID 4672 wrote to memory of 4232 4672 by_execute.exe 84 PID 4672 wrote to memory of 4232 4672 by_execute.exe 84 PID 4672 wrote to memory of 4232 4672 by_execute.exe 84 PID 4672 wrote to memory of 4232 4672 by_execute.exe 84 PID 4672 wrote to memory of 4232 4672 by_execute.exe 84 PID 4672 wrote to memory of 4232 4672 by_execute.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\run_exe\by_execute.exe"C:\Users\Admin\AppData\Local\Temp\run_exe\by_execute.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232
-