Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
15-08-2023 15:38
Static task
static1
Behavioral task
behavioral1
Sample
6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65_JC.exe
Resource
win7-20230712-en
General
-
Target
6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65_JC.exe
-
Size
352KB
-
MD5
0297c11c91595bb24d1a04c866e9a25f
-
SHA1
6747221c70e8ed7fb5d185877b5e6b0a5f47bd86
-
SHA256
6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65
-
SHA512
62431871248c21defbee0766ac29551d962ad7be609d3e658f141b7f032580a967700a66c410d165eedb90de51e65ddd48c7549ea9ca6ff29dc97a944c5490b5
-
SSDEEP
6144:xbk+nLlWV4mcgbKbZKr48KiZQhmH8VenwoD+GCTwm1MjlkRwQ4fvBBt:xY+nxWV4mcgbKbcHKiZQ9SXDruCW+v
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.83.170.21:19447
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1596 6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65_JC.exe 1596 6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65_JC.exe 1596 6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65_JC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1596 6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65_JC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65_JC.exe"C:\Users\Admin\AppData\Local\Temp\6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65_JC.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596