Overview

overview

10

Static

static

ca44e8e580...20.exe

windows7_x64

10

ca44e8e580...20.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ca44e8e580c74216a7b0e00d7a6e2e20.exe

  • Size

    1.8MB

  • Sample

    220522-fx5btsagdr

  • MD5

    ca44e8e580c74216a7b0e00d7a6e2e20

  • SHA1

    c3e8b24428814bb6b3ca49f19e751540713215a8

  • SHA256

    1576f4c2f31463121911c10c5bdfbe676eed69c510718d422ba2d2f0550b0012

  • SHA512

    eef66c8a2e71af364ffffa8eb8da8268b64d93ec8616f20df33258c3408fc5529efb7d30038872b5ea6eb7c5b64e2cb35efd22a87f864b41db0942b13dabbb7b

Score
10/10
redlinexmriginfostealerminerpersistencespywarestealerupx

Malware Config

Extracted

Family

redline

C2

193.106.191.16:28958

Attributes
  • auth_value

    c01539fd53cd71ce9672d6f01d9e1926

Targets

    • Target

      ca44e8e580c74216a7b0e00d7a6e2e20.exe

    • Size

      1.8MB

    • MD5

      ca44e8e580c74216a7b0e00d7a6e2e20

    • SHA1

      c3e8b24428814bb6b3ca49f19e751540713215a8

    • SHA256

      1576f4c2f31463121911c10c5bdfbe676eed69c510718d422ba2d2f0550b0012

    • SHA512

      eef66c8a2e71af364ffffa8eb8da8268b64d93ec8616f20df33258c3408fc5529efb7d30038872b5ea6eb7c5b64e2cb35efd22a87f864b41db0942b13dabbb7b

    Score
    10/10
    redlinexmriginfostealerminerpersistencespywarestealerupx

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner Payload

      miner

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks