Analysis
-
max time kernel
129s -
max time network
132s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
08-08-2023 09:40
Static task
static1
Behavioral task
behavioral1
Sample
a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4.exe
Resource
win10-20230703-en
General
-
Target
a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4.exe
-
Size
385KB
-
MD5
c30feb6c9c747d590d77ccfa1e15d719
-
SHA1
a25c36f12ecfa778f0d93ee625dc9bf7b341078a
-
SHA256
a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4
-
SHA512
37498207c637bab33f5d64c41279c3fb6af830c573170a53efcbfa07dc26d2f1a599dd7ebec7a8c767c4533d1a7fd3858944e79d6eb54c006ce894fcf9dbe96f
-
SSDEEP
6144:d4qo+62RpmrofFTIEuz30y8tt7ma+TkocdI7dc1r:dZJ62Rm2TIEU3W7maKkocWu
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
209.250.248.11:33522
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3752 a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4.exe 3752 a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4.exe 3752 a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3752 a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4.exe"C:\Users\Admin\AppData\Local\Temp\a85e18b20a3a73f084789d9d4b4a8d140e7d4c85b60b0741b585510cfec89df4.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752