Malware Analysis Report

2025-01-18 07:29

Sample ID: 230813-e795dsbb8s
Target: 2784-58-0x0000000001C90000-0x0000000001CC4000-memory.dmp
SHA256: eecc72d20c70deb80dcac3ea5fa59f5ed275ce1bd52da9e6901584dd980be9e7
Tags: logsdiller cloud (tg: @logsdillabot), redline, infostealer, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: eecc72d20c70deb80dcac3ea5fa59f5ed275ce1bd52da9e6901584dd980be9e7

Threat Level: Known bad

The file 2784-58-0x0000000001C90000-0x0000000001CC4000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

Tags: logsdiller cloud (tg: @logsdillabot), redline, infostealer, spyware, stealer

RedLine

Redline family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-13 04:36

Signatures

Redline family

redline

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-13 04:36
Reported: 2023-08-13 04:38
Platform: win7-20230712-en
Max time kernel: 117s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2784-58-0x0000000001C90000-0x0000000001CC4000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2784-58-0x0000000001C90000-0x0000000001CC4000-memory.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2784-58-0x0000000001C90000-0x0000000001CC4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2784-58-0x0000000001C90000-0x0000000001CC4000-memory.exe"

Network

Country  Destination         Domain  Proto
PL       51.83.170.21:19447          tcp

Files

memory/2100-54-0x0000000000C80000-0x0000000000CB4000-memory.dmp

memory/2100-55-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/2100-56-0x0000000000270000-0x0000000000276000-memory.dmp

memory/2100-57-0x0000000004980000-0x00000000049C0000-memory.dmp

memory/2100-58-0x00000000741E0000-0x00000000748CE000-memory.dmp

memory/2100-59-0x00000000741E0000-0x00000000748CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-13 04:36
Reported: 2023-08-13 04:38
Platform: win10v2004-20230703-en
Max time kernel: 143s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2784-58-0x0000000001C90000-0x0000000001CC4000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2784-58-0x0000000001C90000-0x0000000001CC4000-memory.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2784-58-0x0000000001C90000-0x0000000001CC4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2784-58-0x0000000001C90000-0x0000000001CC4000-memory.exe"

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          2.136.104.51.in-addr.arpa     udp
US       8.8.8.8:53          240.81.21.72.in-addr.arpa     udp
US       8.8.8.8:53          68.32.126.40.in-addr.arpa     udp
PL       51.83.170.21:19447                                tcp
US       8.8.8.8:53          108.211.229.192.in-addr.arpa  udp
US       8.8.8.8:53          21.170.83.51.in-addr.arpa     udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53          126.130.241.8.in-addr.arpa    udp
US       8.8.8.8:53          43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53          104.193.132.51.in-addr.arpa   udp

Files

memory/216-133-0x0000000000FA0000-0x0000000000FD4000-memory.dmp

memory/216-134-0x0000000074F40000-0x00000000756F0000-memory.dmp

memory/216-135-0x00000000060A0000-0x00000000066B8000-memory.dmp

memory/216-136-0x0000000005B90000-0x0000000005C9A000-memory.dmp

memory/216-137-0x0000000005A80000-0x0000000005A92000-memory.dmp

memory/216-138-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/216-139-0x0000000005AE0000-0x0000000005B1C000-memory.dmp

memory/216-140-0x0000000005DE0000-0x0000000005E56000-memory.dmp

memory/216-141-0x0000000005F00000-0x0000000005F92000-memory.dmp

memory/216-142-0x0000000007160000-0x0000000007704000-memory.dmp

memory/216-143-0x00000000066C0000-0x0000000006726000-memory.dmp

memory/216-144-0x0000000074F40000-0x00000000756F0000-memory.dmp

memory/216-145-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/216-146-0x0000000007030000-0x0000000007080000-memory.dmp

memory/216-147-0x00000000086F0000-0x00000000088B2000-memory.dmp

memory/216-148-0x0000000008DF0000-0x000000000931C000-memory.dmp

memory/216-150-0x0000000074F40000-0x00000000756F0000-memory.dmp