Analysis
-
max time kernel
127s -
max time network
135s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
07-08-2023 17:43
Static task
static1
Behavioral task
behavioral1
Sample
b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5.exe
Resource
win10-20230703-en
General
-
Target
b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5.exe
-
Size
313KB
-
MD5
756b2a3d105ca11bccb51818718fbd31
-
SHA1
65cda28e1b9e4584f1a328a6d846a114d42d8450
-
SHA256
b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5
-
SHA512
35742a1e602141f8653f95a496cbeccb467053123832bc02776ec90ba0ea6635933c3ff66ca8308ec6c496f42ca2f8a68e86f9a6943f6b445a96b2c147a15a8e
-
SSDEEP
6144:p7YLSnYReaimzhimI37ej3pV374sMq9sTOCcMx:yeYRjimFirsosMq98O9
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
209.250.248.11:33522
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4900 b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5.exe 4900 b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5.exe 4900 b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4900 b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5.exe"C:\Users\Admin\AppData\Local\Temp\b627149008d1c56175402960e3b2a8513ad4021cbe93cd64c8d6a93331d911b5.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900