Malware Analysis Report

2025-01-18 08:51

Sample ID 230810-mdbczadg51
Target 64a0d961e9f643a9457fd35d908a3549c87413dca21226e199c67bcafd47317b
SHA256 64a0d961e9f643a9457fd35d908a3549c87413dca21226e199c67bcafd47317b
Tags
redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

64a0d961e9f643a9457fd35d908a3549c87413dca21226e199c67bcafd47317b

Threat Level: Known bad

The file 64a0d961e9f643a9457fd35d908a3549c87413dca21226e199c67bcafd47317b was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer

RedLine

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 10:20

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 10:20

Reported

2023-08-10 10:23

Platform

win10-20230703-en

Max time kernel

102s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64a0d961e9f643a9457fd35d908a3549c87413dca21226e199c67bcafd47317b.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                                                                                                    Target
Token: SeDebugPrivilege   N/A         C:\Users\Admin\AppData\Local\Temp\64a0d961e9f643a9457fd35d908a3549c87413dca21226e199c67bcafd47317b.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64a0d961e9f643a9457fd35d908a3549c87413dca21226e199c67bcafd47317b.exe

"C:\Users\Admin\AppData\Local\Temp\64a0d961e9f643a9457fd35d908a3549c87413dca21226e199c67bcafd47317b.exe"

Network

Country   Destination             Domain                         Proto
NL        209.250.248.11:33522    -                              tcp
US        8.8.8.8:53              11.248.250.209.in-addr.arpa    udp
US        8.8.8.8:53              9.57.101.20.in-addr.arpa       udp
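The three network rows above are the only connectivity the sandbox observed: one direct TCP session and two reverse (PTR) lookups sent to 8.8.8.8. The following triage helper is an added example, not part of the sandbox report or of any tool it was produced with. It parses the rows as listed, converts each in-addr.arpa name back into the IPv4 address it refers to, and reports which reverse lookup lines up with the direct TCP destination (the first PTR name decodes to 209.250.248.11, the same host contacted on port 33522; the second decodes to 20.101.57.9, which does not appear as a direct destination). The Suricata rule text and its sid/rev values are this example's own placeholders, not indicators published with the report.

```python
"""Added triage helper for the Network table above (example code, not part of the
sandbox report). It parses the three rows the report lists, converts the PTR query
names (in-addr.arpa) back into the IPv4 addresses they refer to, and reports which
reverse lookups line up with a destination the sample contacted directly over TCP.
The rows are copied from the report; the Suricata rule text and its sid/rev values
are this example's own placeholders."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the report: (country, destination, domain, proto). The TCP row has no domain.
NETWORK_ROWS = [
    ("NL", "209.250.248.11:33522", None, "tcp"),
    ("US", "8.8.8.8:53", "11.248.250.209.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.57.101.20.in-addr.arpa", "udp"),
]


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(row) -> Flow:
    """Split 'ip:port' and validate the address; raises ValueError on malformed input."""
    country, dest, domain, proto = row
    host, _, port = dest.rpartition(":")
    ipaddress.ip_address(host)  # raises ValueError if the host part is not an IP literal
    return Flow(country, host, int(port), domain, proto.lower())


def ptr_to_ipv4(name: str) -> Optional[str]:
    """'11.248.250.209.in-addr.arpa' -> '209.250.248.11'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def triage(rows) -> dict:
    """Correlate direct TCP destinations with the reverse lookups seen in DNS traffic."""
    flows = [parse_row(r) for r in rows]
    direct = {f.ip for f in flows if f.proto == "tcp"}
    out = {
        "c2_candidates": sorted(f"{f.ip}:{f.port}" for f in flows if f.proto == "tcp"),
        "ptr_lookups": {},
    }
    for f in flows:
        if f.domain:
            ip = ptr_to_ipv4(f.domain)
            out["ptr_lookups"][f.domain] = {"ip": ip, "matches_direct_tcp": ip in direct}
    return out


def suricata_rule(ip_port: str, sid: int = 9000001) -> str:
    """Placeholder IDS rule for a C2 candidate; the sid is an example value, adjust locally."""
    ip, port = ip_port.rsplit(":", 1)
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"RedLine sandbox C2 candidate {ip_port}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    report = triage(NETWORK_ROWS)
    for c2 in report["c2_candidates"]:
        print(suricata_rule(c2))
    for name, info in report["ptr_lookups"].items():
        print(name, "->", info["ip"], "direct TCP:", info["matches_direct_tcp"])
```

Run it as-is to see the one C2 candidate and the two decoded PTR targets; feed it the network rows of another report by replacing NETWORK_ROWS. Only the in-addr.arpa form is decoded, so ip6.arpa names return None rather than a wrong address.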

Files

memory/2912-121-0x00000000024B0000-0x00000000025B0000-memory.dmp

memory/2912-122-0x0000000002440000-0x000000000247F000-memory.dmp

memory/2912-123-0x0000000000400000-0x00000000022FC000-memory.dmp

memory/2912-124-0x00000000043C0000-0x00000000043F8000-memory.dmp

memory/2912-125-0x0000000004480000-0x0000000004490000-memory.dmp

memory/2912-126-0x00000000732E0000-0x00000000739CE000-memory.dmp

memory/2912-127-0x00000000068F0000-0x0000000006DEE000-memory.dmp

memory/2912-128-0x0000000004440000-0x0000000004474000-memory.dmp

memory/2912-129-0x0000000004080000-0x0000000004086000-memory.dmp

memory/2912-130-0x000000000C320000-0x000000000C926000-memory.dmp

memory/2912-131-0x000000000C9A0000-0x000000000CAAA000-memory.dmp

memory/2912-133-0x0000000004480000-0x0000000004490000-memory.dmp

memory/2912-132-0x000000000CAE0000-0x000000000CAF2000-memory.dmp

memory/2912-134-0x000000000CB00000-0x000000000CB3E000-memory.dmp

memory/2912-135-0x000000000CBA0000-0x000000000CBEB000-memory.dmp

memory/2912-136-0x00000000024B0000-0x00000000025B0000-memory.dmp

memory/2912-137-0x0000000002440000-0x000000000247F000-memory.dmp

memory/2912-138-0x0000000000400000-0x00000000022FC000-memory.dmp

memory/2912-139-0x0000000004480000-0x0000000004490000-memory.dmp

memory/2912-141-0x00000000732E0000-0x00000000739CE000-memory.dmp

memory/2912-142-0x000000000CDE0000-0x000000000CE56000-memory.dmp

memory/2912-143-0x000000000CE60000-0x000000000CEF2000-memory.dmp

memory/2912-144-0x000000000CF00000-0x000000000CF66000-memory.dmp

memory/2912-145-0x00000000040C0000-0x0000000004110000-memory.dmp

memory/2912-146-0x00000000092D0000-0x0000000009492000-memory.dmp

memory/2912-147-0x00000000094A0000-0x00000000099CC000-memory.dmp

memory/2912-148-0x0000000004480000-0x0000000004490000-memory.dmp

memory/2912-150-0x0000000000400000-0x00000000022FC000-memory.dmp

memory/2912-151-0x00000000732E0000-0x00000000739CE000-memory.dmp
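The dump names above encode the PID, a sequence number, and the start and end of the dumped region, and several ranges were dumped more than once (for example 0x400000-0x22FC000 at sequence 123, 138 and 150). The following helper is an added example, not part of the sandbox report, that parses those names, computes each region's size and collapses repeated dumps of one range into a single record. Only a subset of the names is embedded so the block stays short; the full list parses the same way. Treating the region that starts at 0x400000 as the likely main-module image is a heuristic of this example (0x400000 is the default image base for 32-bit PE files), not a statement the report makes.

```python
"""Added example (not part of the sandbox report): parse the memory dump names in the
Files section, compute each region's size, and collapse repeated dumps of the same
address range into one record. The names below are copied from the report (a
representative subset). Treating the region that starts at 0x400000 as the likely
main-module image is a heuristic, not something the report states."""

import re
from collections import defaultdict
from typing import Optional

# Copied from the report's Files section (subset).
DUMP_NAMES = [
    "memory/2912-121-0x00000000024B0000-0x00000000025B0000-memory.dmp",
    "memory/2912-123-0x0000000000400000-0x00000000022FC000-memory.dmp",
    "memory/2912-126-0x00000000732E0000-0x00000000739CE000-memory.dmp",
    "memory/2912-136-0x00000000024B0000-0x00000000025B0000-memory.dmp",
    "memory/2912-138-0x0000000000400000-0x00000000022FC000-memory.dmp",
    "memory/2912-141-0x00000000732E0000-0x00000000739CE000-memory.dmp",
    "memory/2912-150-0x0000000000400000-0x00000000022FC000-memory.dmp",
    "memory/2912-151-0x00000000732E0000-0x00000000739CE000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Decode one dump name; rejects names that do not match or have an empty/inverted range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def group_regions(names) -> list:
    """One record per (pid, start, end); 'seqs' lists every dump index that covered it."""
    seqs = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        seqs[(d["pid"], d["start"], d["end"])].append(d["seq"])
    regions = [
        {"pid": pid, "start": s, "end": e, "size": e - s, "seqs": sorted(v)}
        for (pid, s, e), v in seqs.items()
    ]
    return sorted(regions, key=lambda r: (r["pid"], r["start"]))


def region_containing(regions, addr: int) -> Optional[dict]:
    """Return the grouped region that covers addr, or None."""
    for r in regions:
        if r["start"] <= addr < r["end"]:
            return r
    return None


def likely_image_region(regions) -> Optional[dict]:
    """Heuristic: the region containing 0x400000, the default 32-bit PE image base."""
    return region_containing(regions, 0x400000)


if __name__ == "__main__":
    for r in group_regions(DUMP_NAMES):
        print(f"pid {r['pid']} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"{r['size']:>11,d} bytes, dumped {len(r['seqs'])}x (seq {r['seqs']})")
```

Grouping by range before looking at individual dumps is what makes the list readable: the eight names above collapse to three regions, and the repeated sequence numbers show which regions the sandbox re-captured as the process ran.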