Malware Analysis Report

2025-01-18 08:00

Sample ID 230813-egj6aaba7s
Target 2788-62-0x0000000003430000-0x0000000003464000-memory.dmp
SHA256 663b71de84eb89b20d1db2148bd7c465995110a4a1de9301171737fe722657d1
Tags
redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

663b71de84eb89b20d1db2148bd7c465995110a4a1de9301171737fe722657d1

Threat Level: Known bad

The file 2788-62-0x0000000003430000-0x0000000003464000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer

RedLine

Redline family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-13 03:54

Signatures

Redline family

redline

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-13 03:54

Reported

2023-08-13 03:57

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2788-62-0x0000000003430000-0x0000000003464000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description             Indicator   Process                                                                                              Target
Token: SeDebugPrivilege N/A         C:\Users\Admin\AppData\Local\Temp\2788-62-0x0000000003430000-0x0000000003464000-memory.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2788-62-0x0000000003430000-0x0000000003464000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2788-62-0x0000000003430000-0x0000000003464000-memory.exe"

Network

Country   Destination          Domain                            Proto
US        8.8.8.8:53           208.194.73.20.in-addr.arpa        udp
US        8.8.8.8:53           1.208.79.178.in-addr.arpa         udp
US        8.8.8.8:53           72.32.126.40.in-addr.arpa         udp
PL        51.83.170.21:19447                                     tcp
US        8.8.8.8:53           108.211.229.192.in-addr.arpa      udp
US        8.8.8.8:53           21.170.83.51.in-addr.arpa         udp
US        8.8.8.8:53           158.240.127.40.in-addr.arpa       udp
US        8.8.8.8:53           171.39.242.20.in-addr.arpa        udp
US        8.8.8.8:53           126.137.241.8.in-addr.arpa        udp
US        8.8.8.8:53           0.77.109.52.in-addr.arpa          udp
US        8.8.8.8:53           104.116.69.13.in-addr.arpa        udp

Files

memory/4696-133-0x00000000000B0000-0x00000000000E4000-memory.dmp

memory/4696-134-0x0000000075230000-0x00000000759E0000-memory.dmp

memory/4696-135-0x00000000051F0000-0x0000000005808000-memory.dmp

memory/4696-136-0x0000000004CE0000-0x0000000004DEA000-memory.dmp

memory/4696-137-0x0000000004B70000-0x0000000004B82000-memory.dmp

memory/4696-138-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/4696-139-0x0000000004C10000-0x0000000004C4C000-memory.dmp

memory/4696-140-0x0000000004EF0000-0x0000000004F66000-memory.dmp

memory/4696-141-0x0000000005010000-0x00000000050A2000-memory.dmp

memory/4696-142-0x00000000062B0000-0x0000000006854000-memory.dmp

memory/4696-143-0x0000000005810000-0x0000000005876000-memory.dmp

memory/4696-144-0x0000000075230000-0x00000000759E0000-memory.dmp

memory/4696-145-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/4696-146-0x0000000005D50000-0x0000000005DA0000-memory.dmp

memory/4696-147-0x0000000006A30000-0x0000000006BF2000-memory.dmp

memory/4696-148-0x0000000008BA0000-0x00000000090CC000-memory.dmp

memory/4696-150-0x0000000075230000-0x00000000759E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-13 03:54

Reported

2023-08-13 03:57

Platform

win7-20230712-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2788-62-0x0000000003430000-0x0000000003464000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description             Indicator   Process                                                                                              Target
Token: SeDebugPrivilege N/A         C:\Users\Admin\AppData\Local\Temp\2788-62-0x0000000003430000-0x0000000003464000-memory.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2788-62-0x0000000003430000-0x0000000003464000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2788-62-0x0000000003430000-0x0000000003464000-memory.exe"

Network

Country   Destination          Domain   Proto
PL        51.83.170.21:19447            tcp

Files

memory/2468-54-0x0000000000880000-0x00000000008B4000-memory.dmp

memory/2468-55-0x0000000074D10000-0x00000000753FE000-memory.dmp

memory/2468-56-0x0000000000270000-0x0000000000276000-memory.dmp

memory/2468-57-0x00000000007B0000-0x00000000007F0000-memory.dmp

memory/2468-58-0x0000000074D10000-0x00000000753FE000-memory.dmp

memory/2468-59-0x00000000007B0000-0x00000000007F0000-memory.dmp

memory/2468-60-0x0000000074D10000-0x00000000753FE000-memory.dmp