Analysis
-
max time kernel
128s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
14-08-2023 15:41
Static task
static1
Behavioral task
behavioral1
Sample
7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337.exe
Resource
win10-20230703-en
General
-
Target
7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337.exe
-
Size
339KB
-
MD5
554362f8a18333a0645fbb5f857ced29
-
SHA1
304d28994735fb95d13bced8dc0865f2ce67928d
-
SHA256
7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337
-
SHA512
458621a6f23b53e5d13292b5f1147adec0f62325a3e4f1fefeb4a478e4707809c6c4898d73246baf708b3365cc58e69471d76e27c87c7c3e9d063d4949081e3b
-
SSDEEP
6144:P5kvdQNtTHYKjUqq8opePLBiJLs8Q1BP+2hPgPHRfzj:hklQzT4IlqDpAL4Jw80Di/Rfz
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.83.170.21:19447
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 5012 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337.exe 5012 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337.exe 5012 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5012 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337.exe"C:\Users\Admin\AppData\Local\Temp\7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012