Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12/11/2024, 04:13
General
-
Target
e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe
-
Size
590KB
-
MD5
c8ce7da93c8306c38f0ab287edd1c056
-
SHA1
e59d448c703fe9d4aead875c6657d4ae92177928
-
SHA256
e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab
-
SHA512
04c2b38ca0239b1ca37921d70060490ad31563edc88e40658cac191544d5335178ea22d243197e8d09b2c5f3e5f84d60a0d72d91caa2bf57e71ebb5bbf198c32
-
SSDEEP
12288:AMrMy90wlIo7NOFrOgeubcKavElkeH32fr8OdUQVlz12l:8yX57NOFJTbRtJmfZUQDw
Malware Config
Extracted
redline
crypt1
176.113.115.17:4132
-
auth_value
2e2ca7bbceaa9f98252a6f9fc0e6fa86
Extracted
redline
romik
193.233.20.12:4132
-
auth_value
8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe"C:\Users\Admin\AppData\Local\Temp\e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ddn57.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ddn57.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lnq78.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lnq78.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
277KB
MD53bc6ecb7d1f35f3171383f88879659b7
SHA1e82887b3d6ab38ae3b8880d6c904244495dcf0cc
SHA256c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068
SHA512709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c
-
Filesize
485KB
MD5aea6aaf78390cfdddb11904f65af65c0
SHA1d6205779d018d5b5c7e5ba17b5bc5815768b63db
SHA2569e4d64522aa801b84f97f5e2f26ca5ff762f3c882355db3011d596ab246c980f
SHA512abea52f55e28af7b3eecd7ba0a863ca0c0a4489b41af5508abb7428d3bac5c7425f4d2a2342f9851b50bc9f2ea4ebf32e8653913014e01fe73f844ec18d1a730
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
280KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
1024KB
-
Filesize
1024KB