Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 10:28
Behavioral task
behavioral1
Sample
8fe46d1b77b1081bd4d1a0449d8f526d14bc6fef6ce4778eb6124694c4614ff7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8fe46d1b77b1081bd4d1a0449d8f526d14bc6fef6ce4778eb6124694c4614ff7.exe
Resource
win10v2004-20241007-en
General
-
Target
8fe46d1b77b1081bd4d1a0449d8f526d14bc6fef6ce4778eb6124694c4614ff7.exe
-
Size
272KB
-
MD5
14d4b95bd7f471453765f5a9dbc9e82a
-
SHA1
74d2e44861fbedcf10e3eb58a83c6ec9cdc1b53a
-
SHA256
8fe46d1b77b1081bd4d1a0449d8f526d14bc6fef6ce4778eb6124694c4614ff7
-
SHA512
b87655a584af065aa68611dccd39e2789fbf5d47ae30917e3b9e614cc7222af25496d3a44275713f357d4ce7aa31bc7dfdfa92c8a7d4f86bfb91a2c8c5a6eb25
-
SSDEEP
3072:p6j4ELH6Vt7CENpmh6sLKR+utY/edHbpiWo40mTJghm0nlQoYKgQmExNn2pU9f2O:p6jgppZsLKwuAexbpZghdnlQH5Q
Malware Config
Extracted
redline
romik
193.233.20.12:4132
-
auth_value
8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/224-1-0x0000000000260000-0x00000000002A4000-memory.dmp family_redline -
Redline family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8fe46d1b77b1081bd4d1a0449d8f526d14bc6fef6ce4778eb6124694c4614ff7.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 224 8fe46d1b77b1081bd4d1a0449d8f526d14bc6fef6ce4778eb6124694c4614ff7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8fe46d1b77b1081bd4d1a0449d8f526d14bc6fef6ce4778eb6124694c4614ff7.exe"C:\Users\Admin\AppData\Local\Temp\8fe46d1b77b1081bd4d1a0449d8f526d14bc6fef6ce4778eb6124694c4614ff7.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:224