redline | 32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f | Triage

Submit
Reports

Overview

overview

Static

static

4f7a427579...29.exe

windows7_x64

1

4f7a427579...29.exe

windows10-2004_x64

Sharing

General

Target

4f7a427579f50779ecf321f86e06fc29
Size

304KB
Sample

220523-ha7vjsbhg4
MD5

4f7a427579f50779ecf321f86e06fc29
SHA1

1d4133535b7ba2e52871ba3d84a6d03d89ea59ce
SHA256

32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f
SHA512

2ee1dd0860f666a1f98255044f93de8147bcb1b6757da78cd4d93cdd281525a393a6d5914731a36b4d64a4080472688e9ecbc51e2c1fe9cd799c67a84f1ab402

Score

10^/10

redline xmrig infostealer miner spyware upx

Static task

static1

Behavioral task

behavioral1

Sample

4f7a427579f50779ecf321f86e06fc29.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

4f7a427579f50779ecf321f86e06fc29.exe

Resource

win10v2004-20220414-en

redline xmrig infostealer miner spyware upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

redline

C2

141.95.140.173:33470

Attributes

auth_value
ccdf86c63434db56ca19a6af104c916b

Targets

- Target
  
  4f7a427579f50779ecf321f86e06fc29
- Size
  
  304KB
- MD5
  
  4f7a427579f50779ecf321f86e06fc29
- SHA1
  
  1d4133535b7ba2e52871ba3d84a6d03d89ea59ce
- SHA256
  
  32dbd23da3165e24cca4714f1b822d02f7056fb7bf21e687ae5506109f223b3f
- SHA512
  
  2ee1dd0860f666a1f98255044f93de8147bcb1b6757da78cd4d93cdd281525a393a6d5914731a36b4d64a4080472688e9ecbc51e2c1fe9cd799c67a84f1ab402
Score

10^/10

redline xmrig infostealer miner spyware upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

redlinexmriginfostealerminerspywareupx

© 2018-2024

Terms | Privacy