redline | 57d2f478356b21d798ab32c030fe0fe8cf5ddd0ceb075b259090813558b6abd8 | Triage

Submit
Reports

Overview

overview

Static

static

New Project 1.exe

windows10-2004_x64

Sharing

General

Target

New Project 1.bin
Size

13.2MB
Sample

220517-jj1y2agfh2
MD5

3516f6cae47d318527ba2a24391edf43
SHA1

cda159e20558c20d567f8745e30cb0dcde34e260
SHA256

57d2f478356b21d798ab32c030fe0fe8cf5ddd0ceb075b259090813558b6abd8
SHA512

f0d6e93743132d2c96060fe90667d61ee554228e3e72f7ba8914f012bee326ea61017daf2c63969cf04d918b6c87adc1cd4bd887480de3e2f97461a5b321c7db

Score

10^/10

redline xmrig 1137502411 1502775644 evasion infostealer miner themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

New Project 1.exe

Resource

win10v2004-20220414-en

redline xmrig 1137502411 1502775644 evasion infostealer miner themida trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

Botnet

1502775644

C2

95.143.178.231:11047

Attributes

auth_value
6d1ba68e2d3a3dbe14d0406c631510fe

Extracted

Family

redline

Botnet

1137502411

C2

193.232.179.34:20856

Attributes

auth_value
bf80dce2076c6f3cb9ed05b510f4060e

Targets

- Target
  
  New Project 1.bin
- Size
  
  13.2MB
- MD5
  
  3516f6cae47d318527ba2a24391edf43
- SHA1
  
  cda159e20558c20d567f8745e30cb0dcde34e260
- SHA256
  
  57d2f478356b21d798ab32c030fe0fe8cf5ddd0ceb075b259090813558b6abd8
- SHA512
  
  f0d6e93743132d2c96060fe90667d61ee554228e3e72f7ba8914f012bee326ea61017daf2c63969cf04d918b6c87adc1cd4bd887480de3e2f97461a5b321c7db
Score

10^/10

redline xmrig 1137502411 1502775644 evasion infostealer miner themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner Payload
  miner
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinexmrig11375024111502775644evasioninfostealerminerthemidatrojan

© 2018-2024

Terms | Privacy