Extracted

• • Target

    348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4

  • Size

    12.6MB

  • MD5

    b378f607d65dbbceded6f57aafd08629

  • SHA1

    85c297246e6ef5d19b2b469783ecd5a13b217ac1

  • SHA256

    348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4

  • SHA512

    7a5b157f89ff3bb29be3b279e8645fd61acca9dec32537fb966ea2695a580d855618ec65b2e43576cb15ac61c90213f5dc68d5cb41c9af3b1b4da8514bc07748

  Score

  10^/10

  redlinexmrig1137502411discoveryevasionexploitinfostealerminerspywarevmprotect

  • Modifies security service

    evasion

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Possible privilege escalation attempt

    exploit

  • Stops running service(s)

    evasion

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions

    discovery

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Suspicious use of SetThreadContext

  behavioral1