Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
15-08-2023 15:53
Static task
static1
Behavioral task
behavioral1
Sample
a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae_JC.exe
Resource
win7-20230712-en
General
-
Target
a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae_JC.exe
-
Size
328KB
-
MD5
31bb461f855c67b27b9020448da53173
-
SHA1
37c0d18403289dea757e4fafade4121c4c88e02a
-
SHA256
a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae
-
SHA512
dfab15a4e413cf56c576c8c9b9b4f22a63f2c26d86f3828fd861fb5531804f017a61fd2dba647f13e8999326e2694e3009ad2a87b0d93cd0b73e7ff46706fd5e
-
SSDEEP
6144:uriWgLjSV4lcBVKZLOgcv91F/Gkb3A1eeufwYukmQlgPkP+LjzfsBHc:uOWgfSV4lcBVKZzi1F/Gkb3Uu4YukmQx
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.83.170.21:19447
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2916 a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae_JC.exe 2916 a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae_JC.exe 2916 a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae_JC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2916 a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae_JC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae_JC.exe"C:\Users\Admin\AppData\Local\Temp\a3e0afc4f566d77ed6a131c02869aec391da7b01cef8d07e51f729a4a36d77ae_JC.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916