Malware Analysis Report

2025-01-18 08:59

Sample ID 230809-xn2ysage3x
Target f19631e5456b043a5ca7bb5d5b07a6c062a1e737259298594cd0001f50195f19
SHA256 f19631e5456b043a5ca7bb5d5b07a6c062a1e737259298594cd0001f50195f19
Tags
redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file f19631e5456b043a5ca7bb5d5b07a6c062a1e737259298594cd0001f50195f19 was found to be: Known bad.

Malicious Activity Summary

RedLine

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-09 19:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-09 19:00
Reported: 2023-08-09 19:03
Platform: win10-20230703-en
Max time kernel: 128s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f19631e5456b043a5ca7bb5d5b07a6c062a1e737259298594cd0001f50195f19.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f19631e5456b043a5ca7bb5d5b07a6c062a1e737259298594cd0001f50195f19.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f19631e5456b043a5ca7bb5d5b07a6c062a1e737259298594cd0001f50195f19.exe

"C:\Users\Admin\AppData\Local\Temp\f19631e5456b043a5ca7bb5d5b07a6c062a1e737259298594cd0001f50195f19.exe"

Network

Country | Destination | Domain | Proto
NL | 209.250.248.11:33522 | | tcp
US | 8.8.8.8:53 | 11.248.250.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp

Files