Malware Analysis Report

2025-04-14 06:02

Sample ID: 230925-ffgjfacc5y
Target: cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA256: cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
Tags: redline logsdiller cloud (tg: @logsdillabot) infostealer spyware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d

Threat Level: Known bad

The file cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) infostealer spyware

RedLine

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-25 04:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-25 04:48

Reported: 2023-09-25 04:53

Platform: win7-20230831-en

Max time kernel: 118s

Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe"

Signatures

RedLine

infostealer redline

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1732 set thread context of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 3016 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1732 wrote to memory of 3008 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe

"C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 52

Network

Country Destination Domain Proto
PL 146.59.10.173:45035 tcp

Files

memory/3016-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-4-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-6-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/3016-9-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-13-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-11-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-14-0x0000000073DD0000-0x00000000744BE000-memory.dmp

memory/3016-15-0x00000000003E0000-0x00000000003E6000-memory.dmp

memory/3016-16-0x0000000004A40000-0x0000000004A80000-memory.dmp

memory/3016-17-0x0000000073DD0000-0x00000000744BE000-memory.dmp

memory/3016-18-0x0000000004A40000-0x0000000004A80000-memory.dmp

memory/3016-19-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-09-25 04:48

Reported: 2023-09-25 04:53

Platform: win10-20230915-en

Max time kernel: 188s

Max time network: 294s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe"

Signatures

RedLine

infostealer redline

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1500 set thread context of 3268 N/A C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 4020 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 3268 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe

"C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 228

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.8.3.8.0.2.1.d.f.d.1.8.5.3.4.0.8.f.7.1.4.4.8.5.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
PL 146.59.10.173:45035 tcp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp

Files

memory/3268-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3268-4-0x00000000731E0000-0x00000000738CE000-memory.dmp

memory/3268-5-0x0000000006960000-0x0000000006966000-memory.dmp

memory/3268-6-0x000000000E9B0000-0x000000000EFB6000-memory.dmp

memory/3268-7-0x000000000E4F0000-0x000000000E5FA000-memory.dmp

memory/3268-9-0x000000000E420000-0x000000000E432000-memory.dmp

memory/3268-8-0x0000000009010000-0x0000000009020000-memory.dmp

memory/3268-10-0x000000000E480000-0x000000000E4BE000-memory.dmp

memory/3268-11-0x000000000E600000-0x000000000E64B000-memory.dmp

memory/3268-16-0x000000000E7A0000-0x000000000E816000-memory.dmp

memory/3268-17-0x000000000E8C0000-0x000000000E952000-memory.dmp

memory/3268-18-0x000000000F4C0000-0x000000000F9BE000-memory.dmp

memory/3268-21-0x000000000EFC0000-0x000000000F026000-memory.dmp

memory/3268-22-0x00000000731E0000-0x00000000738CE000-memory.dmp

memory/3268-269-0x000000000FC90000-0x000000000FE52000-memory.dmp

memory/3268-270-0x0000000010390000-0x00000000108BC000-memory.dmp

memory/3268-283-0x0000000009010000-0x0000000009020000-memory.dmp

memory/3268-392-0x000000000FC40000-0x000000000FC90000-memory.dmp

memory/3268-403-0x00000000731E0000-0x00000000738CE000-memory.dmp