Malware Analysis Report

2025-01-18 07:59

Sample ID 230813-egh8zsgh93
Target 2468-60-0x0000000003540000-0x0000000003574000-memory.dmp
SHA256 1b4b695ff0e3c2bb369e4ae2614f6c3cd71862a86bcc6baadf733fadf9279c5d
Tags: redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer

Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1b4b695ff0e3c2bb369e4ae2614f6c3cd71862a86bcc6baadf733fadf9279c5d

Threat Level: Known bad

The file 2468-60-0x0000000003540000-0x0000000003574000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer

Redline family

RedLine

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-13 03:54

Signatures

Redline family

redline

Unsigned PE

Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-13 03:54

Reported

2023-08-13 03:57

Platform

win10v2004-20230703-en

Max time kernel

124s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe"

Network

Country  Destination         Domain                          Proto
US       8.8.8.8:53          126.128.241.8.in-addr.arpa      udp
US       8.8.8.8:53          146.78.124.51.in-addr.arpa      udp
US       8.8.8.8:53          133.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53          108.211.229.192.in-addr.arpa    udp
PL       51.83.170.21:19447                                  tcp
US       8.8.8.8:53          21.170.83.51.in-addr.arpa       udp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa      udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53          8.3.197.209.in-addr.arpa        udp
US       8.8.8.8:53          126.130.255.8.in-addr.arpa      udp
US       8.8.8.8:53          64.13.109.52.in-addr.arpa       udp
US       8.8.8.8:53          6.173.189.20.in-addr.arpa       udp

Files

memory/1620-133-0x00000000753B0000-0x0000000075B60000-memory.dmp
memory/1620-134-0x0000000000610000-0x0000000000644000-memory.dmp
memory/1620-135-0x000000000AAD0000-0x000000000B0E8000-memory.dmp
memory/1620-136-0x000000000A5C0000-0x000000000A6CA000-memory.dmp
memory/1620-138-0x000000000A500000-0x000000000A512000-memory.dmp
memory/1620-137-0x0000000005120000-0x0000000005130000-memory.dmp
memory/1620-139-0x000000000A560000-0x000000000A59C000-memory.dmp
memory/1620-140-0x00000000753B0000-0x0000000075B60000-memory.dmp
memory/1620-141-0x000000000A870000-0x000000000A8E6000-memory.dmp
memory/1620-142-0x000000000A990000-0x000000000AA22000-memory.dmp
memory/1620-143-0x000000000B6A0000-0x000000000BC44000-memory.dmp
memory/1620-144-0x000000000AA30000-0x000000000AA96000-memory.dmp
memory/1620-145-0x000000000B5B0000-0x000000000B600000-memory.dmp
memory/1620-146-0x0000000005120000-0x0000000005130000-memory.dmp
memory/1620-147-0x000000000CBD0000-0x000000000CD92000-memory.dmp
memory/1620-148-0x000000000D2D0000-0x000000000D7FC000-memory.dmp
memory/1620-150-0x00000000753B0000-0x0000000075B60000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-13 03:54

Reported

2023-08-13 03:57

Platform

win7-20230712-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe"

Network

Country  Destination         Domain    Proto
PL       51.83.170.21:19447            tcp

Files

memory/2896-54-0x0000000001060000-0x0000000001094000-memory.dmp
memory/2896-55-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2896-56-0x0000000000300000-0x0000000000306000-memory.dmp
memory/2896-57-0x0000000000FC0000-0x0000000001000000-memory.dmp
memory/2896-58-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2896-59-0x0000000000FC0000-0x0000000001000000-memory.dmp
memory/2896-60-0x00000000746E0000-0x0000000074DCE000-memory.dmp