Malware Analysis Report

2025-01-18 08:00

Sample ID: 230813-ebmdfsgh78
Target: 0297c11c91595bb24d1a04c866e9a25f.exe
SHA256: 6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65
Tags: redline, logsdiller cloud (tg: @logsdillabot), infostealer, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 6dbf5bd3cc04522f3a9a8694ccef864b3abc2e63f4d553b9a68ace16d9666f65
Threat Level: Known bad

The file 0297c11c91595bb24d1a04c866e9a25f.exe was found to be: Known bad.

Malicious Activity Summary

Tags: redline, logsdiller cloud (tg: @logsdillabot), infostealer, spyware, stealer

Signatures triggered across the static and behavioral analyses:

RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

Two of these entries (Program crash, EnumeratesProcesses) are not itemised in the per-run signature tables below; the crash is visible instead as the WerFault.exe processes in behavioral2.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-13 03:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-13 03:46
Reported: 2023-08-13 03:48
Platform: win7-20230712-en
Max time kernel: 119s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0297c11c91595bb24d1a04c866e9a25f.exe"

Signatures

RedLine (infostealer, redline)
Reads user/profile data of web browsers (spyware, stealer)
Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)
Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0297c11c91595bb24d1a04c866e9a25f.exe | N/A

SeDebugPrivilege lets a process open handles to other processes regardless of their security descriptor, which is what the EnumeratesProcesses entry in the summary points at. AdjustTokenPrivileges can only enable a privilege the token already holds; by default that is the Administrators group (and, under UAC, only the elevated token), so the same sample running under a standard user would fail this step.

Processes

C:\Users\Admin\AppData\Local\Temp\0297c11c91595bb24d1a04c866e9a25f.exe

"C:\Users\Admin\AppData\Local\Temp\0297c11c91595bb24d1a04c866e9a25f.exe"

Network

Country | Destination | Domain | Proto
PL | 51.83.170.21:19447 | - | tcp

The only network event in this run is a direct TCP connection to 51.83.170.21:19447 with no DNS resolution beforehand, consistent with a hard-coded C2 address. The same endpoint is contacted in behavioral2.

Files

All dumps in this run belong to PID 3000 (the sample). Names follow memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, so the same region can appear several times under different dump numbers; the listing is kept in the order the sandbox reported it.

memory/3000-54-0x0000000000220000-0x0000000000249000-memory.dmp
memory/3000-55-0x0000000000270000-0x00000000002AF000-memory.dmp
memory/3000-56-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/3000-57-0x0000000003480000-0x00000000034C0000-memory.dmp
memory/3000-58-0x0000000003430000-0x0000000003468000-memory.dmp
memory/3000-59-0x0000000003500000-0x0000000003534000-memory.dmp
memory/3000-60-0x0000000074120000-0x000000007480E000-memory.dmp
memory/3000-62-0x0000000003410000-0x0000000003416000-memory.dmp
memory/3000-61-0x0000000003480000-0x00000000034C0000-memory.dmp
memory/3000-63-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/3000-64-0x0000000000220000-0x0000000000249000-memory.dmp
memory/3000-65-0x0000000000270000-0x00000000002AF000-memory.dmp
memory/3000-66-0x0000000074120000-0x000000007480E000-memory.dmp
memory/3000-67-0x0000000003480000-0x00000000034C0000-memory.dmp
memory/3000-68-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/3000-69-0x0000000074120000-0x000000007480E000-memory.dmp

The region 0x00400000-0x018D5000 (about 21 MB, starting at the default image base of a 32-bit PE) is dumped three times here and appears with identical bounds in behavioral2, so it is the stable region to start with when carving the unpacked payload.

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-13 03:46
Reported: 2023-08-13 03:48
Platform: win10v2004-20230703-en
Max time kernel: 143s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0297c11c91595bb24d1a04c866e9a25f.exe"

Signatures

Reads user/profile data of web browsers (spyware, stealer)
Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)
Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0297c11c91595bb24d1a04c866e9a25f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0297c11c91595bb24d1a04c866e9a25f.exe
"C:\Users\Admin\AppData\Local\Temp\0297c11c91595bb24d1a04c866e9a25f.exe"

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4564 -ip 4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1300

The two WerFault.exe instances are Windows Error Reporting handling a crash of PID 4564, which is the sample's PID (the memory dumps below carry the same number); this is the "Program crash" entry from the summary. The SysWOW64 copy of WerFault.exe is the one used for 32-bit (WoW64) processes. The crash did not stop the stealer signatures from firing, so the sample ran long enough to touch browser and wallet data before it died.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
PL | 51.83.170.21:19447 | - | tcp
US | 8.8.8.8:53 | 21.170.83.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp

The udp rows are reverse-DNS (PTR) queries to the sandbox resolver 8.8.8.8; an in-addr.arpa name carries the queried IPv4 address with its octets reversed, so 21.170.83.51.in-addr.arpa is a reverse lookup of 51.83.170.21, the same address the sample connects to over TCP on port 19447. The table does not record which process issued each query, so the other nine reverse lookups cannot be attributed to the sample from this report alone; only the TCP endpoint and its PTR lookup are safe to use as indicators.
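To turn the table above into indicators, here is an added Python example (not part of the sandbox report) that parses the network rows, decodes the in-addr.arpa names back to IPv4 addresses, and checks them against the direct TCP destinations. The rows and the resolver address 8.8.8.8 are transcribed from the behavioral2 table; the row format and column handling are assumptions about this page's layout, not a sandbox API.

```python
"""Correlate sandbox network rows: decode reverse-DNS (PTR) names back to
IPv4 addresses and match them against direct TCP destinations.

Added example; the rows below are transcribed from the behavioral2 Network
table of the report (resolver 8.8.8.8 is the sandbox's DNS server)."""
import ipaddress
import re
from typing import NamedTuple


class NetRow(NamedTuple):
    country: str
    dest: str      # "ip:port"
    domain: str    # "" when the row has no domain column
    proto: str


# Rows transcribed from the report; a row without a domain has only 3 fields.
NETWORK_ROWS = """\
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 21.170.83.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines into NetRow tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # direct connection, no domain column
            country, dest, proto = parts
            domain = ""
        else:
            continue                   # header or blank line
        rows.append(NetRow(country, dest, domain, proto))
    return rows


def ptr_to_ip(name):
    """'21.170.83.51.in-addr.arpa' -> '51.83.170.21'; None if not a PTR name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = [int(o) for o in m.groups()[::-1]]   # PTR names list octets reversed
    if any(o > 255 for o in octets):
        return None
    return str(ipaddress.IPv4Address(".".join(map(str, octets))))


def correlate(rows):
    """Return (direct TCP endpoints, IPs reverse-looked-up, IPs in both sets)."""
    direct = [r.dest for r in rows if r.proto == "tcp" and not r.domain]
    reverse = {ip for ip in (ptr_to_ip(r.domain) for r in rows if r.domain) if ip}
    direct_ips = {d.rsplit(":", 1)[0] for d in direct}
    return direct, sorted(reverse), sorted(direct_ips & reverse)


if __name__ == "__main__":
    direct, reverse, matched = correlate(parse_rows(NETWORK_ROWS))
    print("direct TCP endpoints (no DNS):", direct)
    print("addresses reverse-looked-up:  ", reverse)
    print("C2 candidates (connected AND reverse-looked-up):", matched)
```

Only the TCP endpoint and the address that is both connected to and reverse-looked-up are reported as C2 candidates; the other PTR targets are left in the reverse list for the analyst because the report does not say which process issued those queries.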

Files

All dumps in this run belong to PID 4564, the process that WerFault.exe reported as crashed. The listing is kept in the order the sandbox reported it; the 0x06170000-0x06180000 region alone is dumped eight times.

memory/4564-133-0x0000000001A80000-0x0000000001AA9000-memory.dmp
memory/4564-134-0x0000000001AB0000-0x0000000001AEF000-memory.dmp
memory/4564-135-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/4564-136-0x0000000074990000-0x0000000075140000-memory.dmp
memory/4564-137-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-139-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-138-0x0000000006180000-0x0000000006724000-memory.dmp
memory/4564-140-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-141-0x0000000006830000-0x0000000006E48000-memory.dmp
memory/4564-142-0x0000000006E50000-0x0000000006F5A000-memory.dmp
memory/4564-144-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-143-0x0000000006140000-0x0000000006152000-memory.dmp
memory/4564-145-0x0000000006F60000-0x0000000006F9C000-memory.dmp
memory/4564-146-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/4564-147-0x0000000001A80000-0x0000000001AA9000-memory.dmp
memory/4564-148-0x0000000001AB0000-0x0000000001AEF000-memory.dmp
memory/4564-149-0x0000000074990000-0x0000000075140000-memory.dmp
memory/4564-150-0x0000000007150000-0x00000000071C6000-memory.dmp
memory/4564-151-0x00000000071D0000-0x0000000007262000-memory.dmp
memory/4564-152-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-153-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-154-0x0000000007370000-0x00000000073D6000-memory.dmp
memory/4564-155-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-156-0x0000000007E20000-0x0000000007E70000-memory.dmp
memory/4564-157-0x0000000007E80000-0x0000000008042000-memory.dmp
memory/4564-158-0x0000000008070000-0x000000000859C000-memory.dmp
memory/4564-159-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-162-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/4564-163-0x0000000074990000-0x0000000075140000-memory.dmp

The image region 0x00400000-0x018D5000 has the same bounds as in behavioral1; every other region sits at a different address on Windows 10, so address-based comparison across the two runs only works for the main image.
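The two Files sections are easier to compare once the dump names are parsed. The following is an added Python example (not part of the sandbox report or its tooling) that parses the memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names from both runs, sizes and counts each region, and compares the runs two ways: by identical bounds (regions that were not relocated) and by identical size (allocations that moved between Windows 7 and Windows 10 but kept their size). The dump names are transcribed from the report; the interpretation that equal-size regions at different addresses are the same allocation relocated is an assumption to be confirmed against the dumps themselves.

```python
"""Parse sandbox memory-dump names, size each region and compare two runs.

Added example; the names below are transcribed from the report's Files
sections for behavioral1 (PID 3000, Windows 7) and behavioral2 (PID 4564,
Windows 10). Two names per line, split on whitespace."""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")

BEHAVIORAL1 = """
memory/3000-54-0x0000000000220000-0x0000000000249000-memory.dmp memory/3000-55-0x0000000000270000-0x00000000002AF000-memory.dmp
memory/3000-56-0x0000000000400000-0x00000000018D5000-memory.dmp memory/3000-57-0x0000000003480000-0x00000000034C0000-memory.dmp
memory/3000-58-0x0000000003430000-0x0000000003468000-memory.dmp memory/3000-59-0x0000000003500000-0x0000000003534000-memory.dmp
memory/3000-60-0x0000000074120000-0x000000007480E000-memory.dmp memory/3000-62-0x0000000003410000-0x0000000003416000-memory.dmp
memory/3000-61-0x0000000003480000-0x00000000034C0000-memory.dmp memory/3000-63-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/3000-64-0x0000000000220000-0x0000000000249000-memory.dmp memory/3000-65-0x0000000000270000-0x00000000002AF000-memory.dmp
memory/3000-66-0x0000000074120000-0x000000007480E000-memory.dmp memory/3000-67-0x0000000003480000-0x00000000034C0000-memory.dmp
memory/3000-68-0x0000000000400000-0x00000000018D5000-memory.dmp memory/3000-69-0x0000000074120000-0x000000007480E000-memory.dmp
""".split()

BEHAVIORAL2 = """
memory/4564-133-0x0000000001A80000-0x0000000001AA9000-memory.dmp memory/4564-134-0x0000000001AB0000-0x0000000001AEF000-memory.dmp
memory/4564-135-0x0000000000400000-0x00000000018D5000-memory.dmp memory/4564-136-0x0000000074990000-0x0000000075140000-memory.dmp
memory/4564-137-0x0000000006170000-0x0000000006180000-memory.dmp memory/4564-139-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-138-0x0000000006180000-0x0000000006724000-memory.dmp memory/4564-140-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-141-0x0000000006830000-0x0000000006E48000-memory.dmp memory/4564-142-0x0000000006E50000-0x0000000006F5A000-memory.dmp
memory/4564-144-0x0000000006170000-0x0000000006180000-memory.dmp memory/4564-143-0x0000000006140000-0x0000000006152000-memory.dmp
memory/4564-145-0x0000000006F60000-0x0000000006F9C000-memory.dmp memory/4564-146-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/4564-147-0x0000000001A80000-0x0000000001AA9000-memory.dmp memory/4564-148-0x0000000001AB0000-0x0000000001AEF000-memory.dmp
memory/4564-149-0x0000000074990000-0x0000000075140000-memory.dmp memory/4564-150-0x0000000007150000-0x00000000071C6000-memory.dmp
memory/4564-151-0x00000000071D0000-0x0000000007262000-memory.dmp memory/4564-152-0x0000000006170000-0x0000000006180000-memory.dmp
memory/4564-153-0x0000000006170000-0x0000000006180000-memory.dmp memory/4564-154-0x0000000007370000-0x00000000073D6000-memory.dmp
memory/4564-155-0x0000000006170000-0x0000000006180000-memory.dmp memory/4564-156-0x0000000007E20000-0x0000000007E70000-memory.dmp
memory/4564-157-0x0000000007E80000-0x0000000008042000-memory.dmp memory/4564-158-0x0000000008070000-0x000000000859C000-memory.dmp
memory/4564-159-0x0000000006170000-0x0000000006180000-memory.dmp memory/4564-162-0x0000000000400000-0x00000000018D5000-memory.dmp
memory/4564-163-0x0000000074990000-0x0000000075140000-memory.dmp
""".split()


def parse_dumps(names):
    """Return ({(start, end): dump_count}, pid); all names must share one PID."""
    regions, pids = Counter(), set()
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name}")
        pids.add(int(m["pid"]))
        regions[(int(m["start"], 16), int(m["end"], 16))] += 1
    if len(pids) != 1:
        raise ValueError(f"dumps span several PIDs: {sorted(pids)}")
    return regions, pids.pop()


def region_size(region):
    start, end = region
    return end - start


def largest_region(regions):
    return max(regions, key=region_size)


def common_by_bounds(a, b):
    """Regions dumped at identical addresses in both runs (not relocated)."""
    return sorted(set(a) & set(b))


def common_by_size(a, b):
    """Sizes present in both runs regardless of address (candidate relocated allocations)."""
    return sorted({region_size(r) for r in a} & {region_size(r) for r in b})


if __name__ == "__main__":
    r1, pid1 = parse_dumps(BEHAVIORAL1)
    r2, pid2 = parse_dumps(BEHAVIORAL2)
    for pid, regs in ((pid1, r1), (pid2, r2)):
        print(f"PID {pid}: {len(regs)} distinct regions")
        for (s, e), n in sorted(regs.items()):
            print(f"  0x{s:08X}-0x{e:08X} {region_size((s, e)):>11,d} bytes  dumped x{n}")
    print("same bounds in both runs:", [f"0x{s:X}-0x{e:X}" for s, e in common_by_bounds(r1, r2)])
    print("same size in both runs:  ", [f"0x{sz:X}" for sz in common_by_size(r1, r2)])
```

Running it shows one region shared by bounds (the 0x400000 image, 0x14D5000 bytes) and two more shared only by size (0x29000 and 0x3F000 bytes, the first two regions dumped in each run), which is what to expect when the same unpacking stage allocates the same buffers under a different heap layout.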