General

  • Target

    24370dee664ee20b21599b477966ea9a7654a1252c772f5afd50a83c427fa290_JC.exe

  • Size

    328KB

  • Sample

    230813-k85tysab92

  • MD5

    f635244249cbfb941d5e731e85317cd7

  • SHA1

    18348912a1b40a932275dcb2385ff5605d282f7b

  • SHA256

    24370dee664ee20b21599b477966ea9a7654a1252c772f5afd50a83c427fa290

  • SHA512

    72ce1cd49451009ceb167682079fc1b891d3cb62230c559d7e301dccba226e77e215a35ceac7872ac0c33080454562880bf2c8e8e81ed80b02159dad10edb619

  • SSDEEP

    6144:e+U+3LlWV4W8wrKLOq/5MDaQV7vhM+4V7StG3Byv:ed+3RWV4W8wrKL15Q9VJ4V7SJ

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.83.170.21:19447

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be
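The hashes in the General section and the extracted C2 above are the report's actionable indicators. The following is an added example, not part of the sandbox report or of any RedLine tooling: it computes all four digests of a candidate file in one pass and compares them to the report's values, sanity-checks that the copied hashes have the right length, and scans firewall/proxy-style log lines for connections to the extracted C2. The log lines and the `find_c2_hits` record format are constructed for illustration; a real deployment would feed it the log source's own field layout.

```python
"""IOC matching for the RedLine sample described in this report.

Added example (not the sandbox's or RedLine's own code). Indicators are
copied from the report; the log lines below are constructed, not captured.
"""
import hashlib
import re

# Digests published in the General section of the report.
REPORT_HASHES = {
    "md5": "f635244249cbfb941d5e731e85317cd7",
    "sha1": "18348912a1b40a932275dcb2385ff5605d282f7b",
    "sha256": "24370dee664ee20b21599b477966ea9a7654a1252c772f5afd50a83c427fa290",
    "sha512": "72ce1cd49451009ceb167682079fc1b891d3cb62230c559d7e301dccba226e77"
              "e215a35ceac7872ac0c33080454562880bf2c8e8e81ed80b02159dad10edb619",
}
# Extracted C2 from the Malware Config section.
C2_HOST = "51.83.170.21"
C2_PORT = 19447

# Expected hex length per algorithm (digest size in bytes * 2).
_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_hashes(hashes: dict) -> list:
    """Return a list of problems with copied IOC hashes (wrong length / non-hex)."""
    problems = []
    for name, value in hashes.items():
        if len(value) != _HEX_LEN[name] or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(name)
    return problems


def hash_bytes(data: bytes) -> dict:
    """Compute md5/sha1/sha256/sha512 of data in a single pass."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as hash_bytes but streams a file from disk in chunks."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_report(computed: dict) -> dict:
    """Per-algorithm match against the report; all should agree for a true match."""
    return {name: computed.get(name) == expected for name, expected in REPORT_HASHES.items()}


# Constructed log lines in a generic key=value firewall format (hypothetical data).
SAMPLE_LOG = """\
2023-08-13T10:58:01Z src=10.0.0.5:51234 dst=51.83.170.21:19447 proto=tcp action=allow
2023-08-13T10:58:05Z src=10.0.0.5:51235 dst=142.250.74.110:443 proto=tcp action=allow
2023-08-13T10:59:10Z src=10.0.0.7:49152 dst=51.83.170.21:443 proto=tcp action=allow
2023-08-13T10:59:12Z src=10.0.0.9:49153 dst=10.0.0.1:53 proto=udp action=allow
"""

_DST_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def find_c2_hits(lines) -> list:
    """Flag every connection to the C2 host. A hit on the exact port is the
    strongest signal; the same host on another port is still worth a look,
    since operators rotate ports while keeping infrastructure."""
    hits = []
    for line in lines:
        m = _DST_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        ts, src, dst_ip, dst_port = m.groups()
        if dst_ip == C2_HOST:
            hits.append({"ts": ts, "src": src, "dst_port": int(dst_port),
                         "exact_port": int(dst_port) == C2_PORT})
    return hits


if __name__ == "__main__":
    print("report hash problems:", validate_hashes(REPORT_HASHES))
    for hit in find_c2_hits(SAMPLE_LOG.splitlines()):
        print("C2 hit:", hit)
```

Run `hash_file()` on a quarantined copy and require all four entries of `compare_to_report()` to be true before treating a file as this sample; a single-algorithm match on MD5 or SHA1 alone is not sufficient evidence.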

Targets

    • Target

      24370dee664ee20b21599b477966ea9a7654a1252c772f5afd50a83c427fa290_JC.exe

    • Size

      328KB

    • MD5

      f635244249cbfb941d5e731e85317cd7

    • SHA1

      18348912a1b40a932275dcb2385ff5605d282f7b

    • SHA256

      24370dee664ee20b21599b477966ea9a7654a1252c772f5afd50a83c427fa290

    • SHA512

      72ce1cd49451009ceb167682079fc1b891d3cb62230c559d7e301dccba226e77e215a35ceac7872ac0c33080454562880bf2c8e8e81ed80b02159dad10edb619

    • SSDEEP

      6144:e+U+3LlWV4W8wrKLOq/5MDaQV7vhM+4V7StG3Byv:ed+3RWV4W8wrKL15Q9VJ4V7SJ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks