Malware Analysis Report

2025-01-18 07:43

Sample ID 230815-h7cexahd66
Target ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22
SHA256 ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22
Tags

redline, logsdiller cloud (tg: @logsdillabot), infostealer, spyware, stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22

Threat Level: Known bad

The file ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22 was found to be: Known bad.

Malicious Activity Summary

redline, logsdiller cloud (tg: @logsdillabot), infostealer, spyware, stealer

RedLine

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE (no Authenticode signature on the executable)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are included in this export.

Analysis: static1

Detonation Overview

Reported

2023-08-15 07:22

Signatures

Unsigned PE (no Authenticode signature on the executable)

Description, Indicator, Process, Target: N/A (no further details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-15 07:22

Reported

2023-08-15 07:24

Platform

win10-20230703-en

Max time kernel

127s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken (the process enabled SeDebugPrivilege on its own token)

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22.exe
Target: N/A
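Detection logic for the privilege adjustment recorded above, as an added example that is not part of the sandbox report or its tooling. It runs over Windows Security event 4703 ("A user right was adjusted") records, which exist only when the "Audit Token Right Adjusted" subcategory is enabled. The event is very noisy (system services enable and disable privileges constantly), so the rule requires both a high-risk privilege and an image path in a user-writable directory; the allowlisted directories and the user-writable pattern are assumptions for the example, and the event records are constructed, with the first one mirroring the report's process path.

```python
"""Flag SeDebugPrivilege (and similar) being enabled by a process that runs from a
user-writable directory, using Windows Security event 4703 records.

Added example, not from the sandbox report. The events below are constructed."""
import re
from dataclasses import dataclass

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22.exe")

# Constructed 4703-style records (field names follow the event's EventData).
# EnabledPrivilegeList is a whitespace-separated list in the real event.
SAMPLE_EVENTS = [
    {"EventID": 4703, "SubjectUserName": "Admin", "ProcessName": SAMPLE_EXE,
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\setup_tmp.exe",
     "EnabledPrivilegeList": "SeShutdownPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Users\Admin\Downloads\update.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\t\tSeLoadDriverPrivilege",
     "DisabledPrivilegeList": "-"},
    {"EventID": 4688, "SubjectUserName": "Admin", "ProcessName": SAMPLE_EXE},
]

HIGH_RISK_PRIVS = frozenset({"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege"})
# Assumed allowlist: OS binaries that legitimately enable these privileges.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed user-writable locations a freshly dropped stealer typically runs from.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.I)


@dataclass(frozen=True)
class Alert:
    process: str
    user: str
    privileges: tuple


def parse_privs(field):
    """Split the event's privilege list; '-' means none."""
    return frozenset(p for p in re.split(r"\s+", field.strip()) if p and p != "-")


def detect(events):
    """Return an Alert for each 4703 event that enables a high-risk privilege
    from a process image under a user-writable directory."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        risky = parse_privs(ev.get("EnabledPrivilegeList", "")) & HIGH_RISK_PRIVS
        if not risky:
            continue
        path = ev.get("ProcessName", "")
        low = path.lower()
        if low.startswith(TRUSTED_DIRS):
            continue
        if USER_WRITABLE.match(low):
            alerts.append(Alert(path, ev.get("SubjectUserName", "?"), tuple(sorted(risky))))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.user}: {a.process} enabled {', '.join(a.privileges)}")
```

Run against the constructed events, the rule fires twice: on the sample's own path enabling SeDebugPrivilege and on the Downloads binary enabling both SeDebugPrivilege and SeLoadDriverPrivilege; the svchost.exe record and the SeShutdownPrivilege record are suppressed, which is the trade-off to keep 4703 usable at all.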

Processes

C:\Users\Admin\AppData\Local\Temp\ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22.exe

"C:\Users\Admin\AppData\Local\Temp\ea79ee028f9137297f4b4f42165658c0c60fd51a54e3df57361079e18cb42e22.exe"

Network

Country  Destination          Domain                       Proto
PL       51.83.170.21:19447   -                            tcp
US       8.8.8.8:53           21.170.83.51.in-addr.arpa    udp
US       8.8.8.8:53           43.229.111.52.in-addr.arpa   udp
US       8.8.8.8:53           9.57.101.20.in-addr.arpa     udp
US       8.8.8.8:53           89.16.208.104.in-addr.arpa   udp

The only connection the sample opened directly is the TCP session to 51.83.170.21:19447 (Poland). The four udp rows are reverse (PTR) lookups sent to Google's resolver at 8.8.8.8: the first decodes to 51.83.170.21, the address of that TCP session, and the other three decode to 52.111.229.43, 20.101.57.9 and 104.208.16.89, addresses the sample never connected to.
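The correlation an analyst does by hand on the table above, written out as an added example that is not part of the report or the sandbox: decode each in-addr.arpa PTR query back to the IPv4 address being looked up, match those addresses against the connections the sample opened itself, and emit the blockable indicators. The rows are transcribed from the Network table (the Domain column is empty for the direct TCP connection). Whether the unmatched lookups are OS background traffic is not something the report states, so the code only reports them as unexplained.

```python
"""Correlate sandbox network rows: PTR lookups vs. direct connections.

Added example, not from the report. NETWORK_ROWS is transcribed from the table."""
import ipaddress
from collections import namedtuple

Row = namedtuple("Row", "country dest domain proto")

NETWORK_ROWS = [
    Row("PL", "51.83.170.21:19447", "", "tcp"),
    Row("US", "8.8.8.8:53", "21.170.83.51.in-addr.arpa", "udp"),
    Row("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
    Row("US", "8.8.8.8:53", "9.57.101.20.in-addr.arpa", "udp"),
    Row("US", "8.8.8.8:53", "89.16.208.104.in-addr.arpa", "udp"),
]


def decode_ptr(name):
    """'21.170.83.51.in-addr.arpa' -> '51.83.170.21'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:          # zone-level PTR names are not a host address
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def split_dest(dest):
    """'51.83.170.21:19447' -> ('51.83.170.21', 19447)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def correlate(rows):
    """Returns (direct, matched, unexplained):
    direct      {ip: {(port, proto)}} for rows with no domain, i.e. connections the
                sample opened itself (resolver traffic carries a domain and is excluded)
    matched     {ip: ptr_name} for PTR lookups whose target is in `direct`
    unexplained [ip, ...] PTR targets the sample never connected to, numerically sorted"""
    direct = {}
    for r in rows:
        if not r.domain:
            host, port = split_dest(r.dest)
            direct.setdefault(host, set()).add((port, r.proto))
    lookups = {}
    for r in rows:
        ip = decode_ptr(r.domain)
        if ip is not None:
            lookups[ip] = r.domain
    matched = {ip: lookups[ip] for ip in direct if ip in lookups}
    unexplained = sorted((ip for ip in lookups if ip not in direct),
                         key=ipaddress.IPv4Address)
    return direct, matched, unexplained


def iocs(rows):
    """Indicators worth blocking: direct connections to globally routable addresses."""
    direct, _, _ = correlate(rows)
    return sorted(f"{ip}:{port}/{proto}"
                  for ip, conns in direct.items()
                  if ipaddress.IPv4Address(ip).is_global
                  for port, proto in conns)


if __name__ == "__main__":
    direct, matched, unexplained = correlate(NETWORK_ROWS)
    print("direct:", direct)
    print("PTR lookups matching a direct connection:", matched)
    print("PTR lookups with no matching connection:", unexplained)
    print("IOCs:", iocs(NETWORK_ROWS))
```

The resolver at 8.8.8.8 is deliberately kept out of the indicator list: it is where the lookups were sent, not something the sample talked to on its own account, and blocking it would only break name resolution on the host.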

Files

memory/948-121-0x0000000001B40000-0x0000000001B69000-memory.dmp

memory/948-122-0x0000000001B70000-0x0000000001BAF000-memory.dmp

memory/948-123-0x00000000039B0000-0x00000000039E8000-memory.dmp

memory/948-124-0x0000000000400000-0x00000000018D2000-memory.dmp

memory/948-125-0x0000000003A30000-0x0000000003A40000-memory.dmp

memory/948-126-0x0000000005FC0000-0x00000000064BE000-memory.dmp

memory/948-128-0x0000000003A40000-0x0000000003A74000-memory.dmp

memory/948-127-0x0000000073D50000-0x000000007443E000-memory.dmp

memory/948-129-0x0000000003890000-0x0000000003896000-memory.dmp

memory/948-130-0x00000000065C0000-0x0000000006BC6000-memory.dmp

memory/948-131-0x0000000006BD0000-0x0000000006CDA000-memory.dmp

memory/948-133-0x0000000003A30000-0x0000000003A40000-memory.dmp

memory/948-132-0x0000000006CE0000-0x0000000006CF2000-memory.dmp

memory/948-134-0x0000000006D00000-0x0000000006D3E000-memory.dmp

memory/948-135-0x0000000006D90000-0x0000000006DDB000-memory.dmp

memory/948-136-0x0000000001B40000-0x0000000001B69000-memory.dmp

memory/948-137-0x0000000000400000-0x00000000018D2000-memory.dmp

memory/948-138-0x0000000001B70000-0x0000000001BAF000-memory.dmp

memory/948-139-0x0000000073D50000-0x000000007443E000-memory.dmp

memory/948-140-0x0000000006ED0000-0x0000000006F46000-memory.dmp

memory/948-141-0x0000000006F50000-0x0000000006FE2000-memory.dmp

memory/948-142-0x00000000070F0000-0x0000000007156000-memory.dmp

memory/948-143-0x0000000007930000-0x0000000007AF2000-memory.dmp

memory/948-144-0x0000000007B10000-0x000000000803C000-memory.dmp

memory/948-145-0x0000000008550000-0x00000000085A0000-memory.dmp

memory/948-146-0x0000000003A30000-0x0000000003A40000-memory.dmp

memory/948-148-0x0000000000400000-0x00000000018D2000-memory.dmp

memory/948-149-0x0000000073D50000-0x000000007443E000-memory.dmp
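The 28 dump names above encode the process ID, a sequence number and the address range of each capture, and several ranges appear more than once. As an added example that is not part of the report or the sandbox, the script below parses those names (the convention memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read off the listing), sizes and sorts the regions, reports which ones were captured repeatedly, and picks out the region at 0x400000, the default image base of 32-bit PE files. The names are transcribed from the listing.

```python
"""Parse sandbox memory-dump names into address ranges for triage.

Added example, not from the report. DUMP_NAMES is transcribed from the Files section."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
                       r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DUMP_NAMES = """
memory/948-121-0x0000000001B40000-0x0000000001B69000-memory.dmp
memory/948-122-0x0000000001B70000-0x0000000001BAF000-memory.dmp
memory/948-123-0x00000000039B0000-0x00000000039E8000-memory.dmp
memory/948-124-0x0000000000400000-0x00000000018D2000-memory.dmp
memory/948-125-0x0000000003A30000-0x0000000003A40000-memory.dmp
memory/948-126-0x0000000005FC0000-0x00000000064BE000-memory.dmp
memory/948-128-0x0000000003A40000-0x0000000003A74000-memory.dmp
memory/948-127-0x0000000073D50000-0x000000007443E000-memory.dmp
memory/948-129-0x0000000003890000-0x0000000003896000-memory.dmp
memory/948-130-0x00000000065C0000-0x0000000006BC6000-memory.dmp
memory/948-131-0x0000000006BD0000-0x0000000006CDA000-memory.dmp
memory/948-133-0x0000000003A30000-0x0000000003A40000-memory.dmp
memory/948-132-0x0000000006CE0000-0x0000000006CF2000-memory.dmp
memory/948-134-0x0000000006D00000-0x0000000006D3E000-memory.dmp
memory/948-135-0x0000000006D90000-0x0000000006DDB000-memory.dmp
memory/948-136-0x0000000001B40000-0x0000000001B69000-memory.dmp
memory/948-137-0x0000000000400000-0x00000000018D2000-memory.dmp
memory/948-138-0x0000000001B70000-0x0000000001BAF000-memory.dmp
memory/948-139-0x0000000073D50000-0x000000007443E000-memory.dmp
memory/948-140-0x0000000006ED0000-0x0000000006F46000-memory.dmp
memory/948-141-0x0000000006F50000-0x0000000006FE2000-memory.dmp
memory/948-142-0x00000000070F0000-0x0000000007156000-memory.dmp
memory/948-143-0x0000000007930000-0x0000000007AF2000-memory.dmp
memory/948-144-0x0000000007B10000-0x000000000803C000-memory.dmp
memory/948-145-0x0000000008550000-0x00000000085A0000-memory.dmp
memory/948-146-0x0000000003A30000-0x0000000003A40000-memory.dmp
memory/948-148-0x0000000000400000-0x00000000018D2000-memory.dmp
memory/948-149-0x0000000073D50000-0x000000007443E000-memory.dmp
""".split()


def parse_dump(name):
    """Return {pid, seq, start, end, size} for one dump name; reject malformed names."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions(names):
    """Group dumps by (start, end); returns [(start, end, size, [seq, ...])], largest first."""
    by_range = defaultdict(list)
    for d in map(parse_dump, names):
        by_range[(d["start"], d["end"])].append(d["seq"])
    out = [(s, e, e - s, sorted(seqs)) for (s, e), seqs in by_range.items()]
    out.sort(key=lambda r: (-r[2], r[0]))
    return out


def redumped(names):
    """Regions captured more than once: the sandbox re-dumped them later in the run,
    so diffing the copies shows whether the bytes changed between captures."""
    return [r for r in regions(names) if len(r[3]) > 1]


def image_base_region(names, base=0x400000):
    """The region starting at the default 32-bit PE image base, if it was dumped."""
    return next((r for r in regions(names) if r[0] == base), None)


if __name__ == "__main__":
    for start, end, size, seqs in regions(DUMP_NAMES):
        print(f"0x{start:08X}-0x{end:08X}  {size // 1024:7d} KiB  dumps={seqs}")
```

On this listing the largest region is 0x00400000-0x018D2000 (about 21 MiB), captured three times (sequence numbers 124, 137 and 148); five of the twenty distinct regions were captured more than once. Comparing the repeated captures of the image-base region is the natural first step before loading any single dump into a disassembler.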