Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 01:38
Static task: static1
Behavioral task: behavioral1
- Sample: fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe
- Resource: win10v2004-20241007-en
General
- Target: fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe
- Size: 584KB
- MD5: 247b757f0ef1ccaa8ee96a23cb55b1a3
- SHA1: af36c49f351829591db36f318fdffb084cd47081
- SHA256: fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6
- SHA512: 8f2bbae1bc3147d4c97cf1896bc8fb10b46c99713ce1604d84adc1bb6765de6c3f3ff0b8006a6308b824695901af0f09682da17383cb82999c89ae6ffdba6277
- SSDEEP: 12288:6Mr9y90fN/ltI0aQEDn4bsWYN3Eqpa1eMMEHdOHbTa3rRf:Tyc8GsNN3EnHHdOHqrRf
Malware Config
Extracted
- Family: redline
- Botnet: ronur
- C2: 193.233.20.20:4134
- auth_value: f88f86755a528d4b25f6f3628c460965
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Every resource below matched yara_rule family_redline:
- behavioral1/memory/4180-19-0x0000000004C10000-0x0000000004C56000-memory.dmp
- behavioral1/memory/4180-21-0x0000000004CA0000-0x0000000004CE4000-memory.dmp
- behavioral1/memory/4180-73-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-77-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-85-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-83-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-81-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-79-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-75-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-71-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-69-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-67-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-65-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-63-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-61-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-59-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-57-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-55-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-53-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-51-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-49-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-47-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-45-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-43-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-41-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-39-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-37-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-35-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-33-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-31-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-29-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-27-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-25-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-23-0x0000000004CA0000-0x0000000004CDE000-memory.dmp
- behavioral1/memory/4180-22-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
- 3184 | dlt9158.exe
- 4180 | nJr41vD.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | dlt9158.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dlt9158.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nJr41vD.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 4180 | nJr41vD.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 1512 wrote to memory of 3184 | 1512 | fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe | 83
- PID 1512 wrote to memory of 3184 | 1512 | fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe | 83
- PID 1512 wrote to memory of 3184 | 1512 | fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe | 83
- PID 3184 wrote to memory of 4180 | 3184 | dlt9158.exe | 84
- PID 3184 wrote to memory of 4180 | 3184 | dlt9158.exe | 84
- PID 3184 wrote to memory of 4180 | 3184 | dlt9158.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe (PID 1512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa6f44026e1557d9c632d960f6a17c9d46f9cb549580c18878f185de216171b6.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dlt9158.exe (PID 3184)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dlt9158.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nJr41vD.exe (PID 4180)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nJr41vD.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 439KB
  MD5: b4d401beb505bd4151678ba6b67409cf
  SHA1: aee293a2f1388cf9314d33a27dc764ffe286cd7a
  SHA256: 1a4d0cc8907653827b823375b8a167126ddd0c2e18214d8fa1a3a24e5fe5d2f5
  SHA512: b84bd06951698b61e32098bcaee269dec64acedadef89ed83aae63389a8dd946dabd1ffd3fd6f46dda6b6ee36093425ef4eb1312186988b91d79ff132702f4cf
- Filesize: 313KB
  MD5: 478141159f8781bd6901b5c2ec2a6e2f
  SHA1: 95732efeb6ff886a38cf81cd310f183587222e04
  SHA256: 785755222a312d20469e673184727d6744809e9fadc13ed126a7c8d127f0d6f9
  SHA512: 737611e19589fbb61b48f03a3de7cd205b73764a8b608c94c8f3eaf84afc00ededf30f7fa6dd16a9f0a1e7a60f48a7c78531b39ecb544c3dd9d94d8e978e9da9