Malware Analysis Report

2025-01-18 09:09

Sample ID 230811-bw1j2abg6v
Target 2256-292-0x0000000003F60000-0x0000000003F94000-memory.dmp
SHA256 a9917e65b1a4eed5087549276e9038bbd3f880e8f5e42c7ee7282bceccb1ae4e
Tags
logsdiller cloud (tg: @logsdillabot) redline infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a9917e65b1a4eed5087549276e9038bbd3f880e8f5e42c7ee7282bceccb1ae4e

Threat Level: Known bad

The file 2256-292-0x0000000003F60000-0x0000000003F94000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

logsdiller cloud (tg: @logsdillabot) redline infostealer spyware stealer

RedLine

Redline family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-11 01:30

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-11 01:30

Reported

2023-08-11 01:33

Platform

win7-20230712-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2256-292-0x0000000003F60000-0x0000000003F94000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2256-292-0x0000000003F60000-0x0000000003F94000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2256-292-0x0000000003F60000-0x0000000003F94000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2256-292-0x0000000003F60000-0x0000000003F94000-memory.exe"

Network

Country Destination Domain Proto
NL 136.244.98.226:33587 tcp

Files

memory/1972-54-0x0000000000890000-0x00000000008C4000-memory.dmp

memory/1972-55-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1972-56-0x00000000002F0000-0x00000000002F6000-memory.dmp

memory/1972-57-0x0000000004990000-0x00000000049D0000-memory.dmp

memory/1972-58-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1972-59-0x0000000004990000-0x00000000049D0000-memory.dmp

memory/1972-60-0x00000000739D0000-0x00000000740BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-11 01:30

Reported

2023-08-11 01:33

Platform

win10v2004-20230703-en

Max time kernel

133s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2256-292-0x0000000003F60000-0x0000000003F94000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2256-292-0x0000000003F60000-0x0000000003F94000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2256-292-0x0000000003F60000-0x0000000003F94000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2256-292-0x0000000003F60000-0x0000000003F94000-memory.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 226.98.244.136.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp

Files

memory/2232-133-0x0000000000F40000-0x0000000000F74000-memory.dmp

memory/2232-134-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/2232-135-0x0000000006040000-0x0000000006658000-memory.dmp

memory/2232-136-0x0000000005B30000-0x0000000005C3A000-memory.dmp

memory/2232-138-0x0000000005A20000-0x0000000005A32000-memory.dmp

memory/2232-137-0x0000000005910000-0x0000000005920000-memory.dmp

memory/2232-139-0x0000000005A80000-0x0000000005ABC000-memory.dmp

memory/2232-140-0x0000000005D80000-0x0000000005DF6000-memory.dmp

memory/2232-141-0x0000000005EA0000-0x0000000005F32000-memory.dmp

memory/2232-142-0x0000000007100000-0x00000000076A4000-memory.dmp

memory/2232-143-0x0000000006660000-0x00000000066C6000-memory.dmp

memory/2232-144-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/2232-145-0x0000000009180000-0x00000000091D0000-memory.dmp

memory/2232-146-0x00000000093A0000-0x0000000009562000-memory.dmp

memory/2232-147-0x0000000009AA0000-0x0000000009FCC000-memory.dmp

memory/2232-148-0x0000000005910000-0x0000000005920000-memory.dmp

memory/2232-150-0x0000000075300000-0x0000000075AB0000-memory.dmp