Analysis
max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 04:13
Static task: static1
Behavioral task: behavioral1
Sample: e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe
Resource: win10v2004-20241007-en
General
Target: e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe
Size: 590KB
MD5: c8ce7da93c8306c38f0ab287edd1c056
SHA1: e59d448c703fe9d4aead875c6657d4ae92177928
SHA256: e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab
SHA512: 04c2b38ca0239b1ca37921d70060490ad31563edc88e40658cac191544d5335178ea22d243197e8d09b2c5f3e5f84d60a0d72d91caa2bf57e71ebb5bbf198c32
SSDEEP: 12288:AMrMy90wlIo7NOFrOgeubcKavElkeH32fr8OdUQVlz12l:8yX57NOFJTbRtJmfZUQDw
Malware Config
Extracted
Family: redline
Botnet: crypt1
C2: 176.113.115.17:4132
auth_value: 2e2ca7bbceaa9f98252a6f9fc0e6fa86

Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (33 IoCs)
resource | yara_rule
behavioral1/memory/1100-9-0x0000000000400000-0x0000000000432000-memory.dmp | family_redline
behavioral1/memory/4864-25-0x0000000002540000-0x0000000002586000-memory.dmp | family_redline
behavioral1/memory/4864-27-0x0000000004AC0000-0x0000000004B04000-memory.dmp | family_redline
behavioral1/memory/4864-81-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-73-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-86-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-83-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-79-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-77-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-76-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-71-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-69-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-68-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-63-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-61-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-59-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-57-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-55-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-53-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-51-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-49-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-47-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-45-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-41-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-39-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-37-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-35-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-34-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-31-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-29-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-28-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-65-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline
behavioral1/memory/4864-43-0x0000000004AC0000-0x0000000004AFE000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
2936 | ddn57.exe
4864 | lnq78.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2936 set thread context of 1100 | 2936 | ddn57.exe | 87

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lnq78.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ddn57.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4864 | lnq78.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3584 wrote to memory of 2936 | 3584 | e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe | 83
PID 3584 wrote to memory of 2936 | 3584 | e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe | 83
PID 3584 wrote to memory of 2936 | 3584 | e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe | 83
PID 2936 wrote to memory of 1100 | 2936 | ddn57.exe | 87
PID 2936 wrote to memory of 1100 | 2936 | ddn57.exe | 87
PID 2936 wrote to memory of 1100 | 2936 | ddn57.exe | 87
PID 2936 wrote to memory of 1100 | 2936 | ddn57.exe | 87
PID 2936 wrote to memory of 1100 | 2936 | ddn57.exe | 87
PID 3584 wrote to memory of 4864 | 3584 | e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe | 88
PID 3584 wrote to memory of 4864 | 3584 | e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe | 88
PID 3584 wrote to memory of 4864 | 3584 | e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe | 88
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e33b1f491539f1f4f57cae4f1a1696f7b3d8ae3dedb0ec1b0f1b0c81b3f0baab.exe"
    PID: 3584
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Process (depth 2): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ddn57.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ddn57.exe
        PID: 2936
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Process (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 1100
            - System Location Discovery: System Language Discovery

    Process (depth 2): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lnq78.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lnq78.exe
        PID: 4864
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 277KB
MD5: 3bc6ecb7d1f35f3171383f88879659b7
SHA1: e82887b3d6ab38ae3b8880d6c904244495dcf0cc
SHA256: c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068
SHA512: 709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Filesize: 485KB
MD5: aea6aaf78390cfdddb11904f65af65c0
SHA1: d6205779d018d5b5c7e5ba17b5bc5815768b63db
SHA256: 9e4d64522aa801b84f97f5e2f26ca5ff762f3c882355db3011d596ab246c980f
SHA512: abea52f55e28af7b3eecd7ba0a863ca0c0a4489b41af5508abb7428d3bac5c7425f4d2a2342f9851b50bc9f2ea4ebf32e8653913014e01fe73f844ec18d1a730