Malware Analysis Report

2025-01-18 07:38

Sample ID 230814-r6mzpaee9z
Target 1168-217-0x0000000003F00000-0x0000000003F34000-memory.dmp
SHA256 37b019aef1b6dbf2203d282c0eb757f14b3ac2d8cb9f9a5b3bbcd43596ddc5ab
Tags
logsdiller cloud (tg: @logsdillabot) redline infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37b019aef1b6dbf2203d282c0eb757f14b3ac2d8cb9f9a5b3bbcd43596ddc5ab

Threat Level: Known bad

The file 1168-217-0x0000000003F00000-0x0000000003F34000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

logsdiller cloud (tg: @logsdillabot) redline infostealer spyware stealer

Redline family

RedLine

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-14 14:48

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-14 14:48

Reported

2023-08-14 14:51

Platform

win7-20230712-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1168-217-0x0000000003F00000-0x0000000003F34000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1168-217-0x0000000003F00000-0x0000000003F34000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1168-217-0x0000000003F00000-0x0000000003F34000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\1168-217-0x0000000003F00000-0x0000000003F34000-memory.exe"

Network

Country Destination Domain Proto
PL 51.83.170.21:19447 tcp

Files

memory/2988-54-0x0000000000B90000-0x0000000000BC4000-memory.dmp

memory/2988-55-0x0000000074B90000-0x000000007527E000-memory.dmp

memory/2988-56-0x0000000000210000-0x0000000000216000-memory.dmp

memory/2988-57-0x0000000004510000-0x0000000004550000-memory.dmp

memory/2988-58-0x0000000074B90000-0x000000007527E000-memory.dmp

memory/2988-59-0x0000000004510000-0x0000000004550000-memory.dmp

memory/2988-60-0x0000000074B90000-0x000000007527E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-14 14:48

Reported

2023-08-14 14:51

Platform

win10v2004-20230703-en

Max time kernel

139s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1168-217-0x0000000003F00000-0x0000000003F34000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1168-217-0x0000000003F00000-0x0000000003F34000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1168-217-0x0000000003F00000-0x0000000003F34000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\1168-217-0x0000000003F00000-0x0000000003F34000-memory.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 21.170.83.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/3896-133-0x0000000000760000-0x0000000000794000-memory.dmp

memory/3896-134-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/3896-135-0x0000000005870000-0x0000000005E88000-memory.dmp

memory/3896-136-0x0000000005360000-0x000000000546A000-memory.dmp

memory/3896-138-0x0000000005140000-0x0000000005150000-memory.dmp

memory/3896-137-0x0000000005120000-0x0000000005132000-memory.dmp

memory/3896-139-0x0000000005290000-0x00000000052CC000-memory.dmp

memory/3896-140-0x00000000055A0000-0x0000000005616000-memory.dmp

memory/3896-141-0x00000000056C0000-0x0000000005752000-memory.dmp

memory/3896-142-0x0000000005620000-0x0000000005686000-memory.dmp

memory/3896-143-0x0000000006930000-0x0000000006ED4000-memory.dmp

memory/3896-144-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/3896-145-0x0000000005140000-0x0000000005150000-memory.dmp

memory/3896-146-0x00000000067D0000-0x0000000006820000-memory.dmp

memory/3896-147-0x00000000070B0000-0x0000000007272000-memory.dmp

memory/3896-148-0x0000000007B00000-0x000000000802C000-memory.dmp

memory/3896-150-0x00000000750C0000-0x0000000075870000-memory.dmp