redline | 60c85fce1fbb2d9aaf9737335785e6c0c55b1e42a45394aa7c408b93f2b9bdf0

General

Target

661a6a25cbdbec6543e74fae455e349a.exe
Size

926KB
MD5

661a6a25cbdbec6543e74fae455e349a
SHA1

c5486f079370b7a0b2c1dbd170035ce25da8163e
SHA256

60c85fce1fbb2d9aaf9737335785e6c0c55b1e42a45394aa7c408b93f2b9bdf0
SHA512

b2514f2f29d73a41a4c26c81c1997dd3cd91258461b71da86e7cfe6f02d416cd13d11747be9b274a612b08544cd4389b7c2f0337a4a2b020d7c5e8babf51bb5b
SSDEEP

12288:taxffztFbbNiQoNS+2pvdNbbM3wBirlBQYg3fLLD:taxHzvwQoNS+q/bbswBirPQYgvD

Score

10^/10

redline mag21 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

mag21

C2

jamesmillion.xyz:47481

Attributes

auth_value
b5ecf039f4b13b472d3c95fc6fe41fc8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 2 IoCs

Processes:

MinerStub.exeMinerStub.exe

pid process

1608 MinerStub.exe
1756 MinerStub.exe
Loads dropped DLL 2 IoCs

Processes:

mg.exe.exetaskeng.exe

pid process

1980 mg.exe.exe
924 taskeng.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

mg.exe.exe

description pid process target process

PID 1980 set thread context of 764 1980 mg.exe.exe InstallUtil.exe
Drops file in Program Files directory 1 IoCs

Processes:

mg.exe.exe

description ioc process

File created C:\Program Files (x86)\Common Files\MinerStub.exe mg.exe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1608	MinerStub.exe
1756	MinerStub.exe

pid	process
1980	mg.exe.exe
924	taskeng.exe

description	pid	process	target process
PID 1980 set thread context of 764	1980	mg.exe.exe	InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\MinerStub.exe	mg.exe.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

661a6a25cbdbec6543e74fae455e349a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	661a6a25cbdbec6543e74fae455e349a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	661a6a25cbdbec6543e74fae455e349a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	661a6a25cbdbec6543e74fae455e349a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	661a6a25cbdbec6543e74fae455e349a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	661a6a25cbdbec6543e74fae455e349a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	661a6a25cbdbec6543e74fae455e349a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

mg.exe.exepowershell.exeInstallUtil.exeMinerStub.exe

pid process

1980 mg.exe.exe
324 powershell.exe
764 InstallUtil.exe
764 InstallUtil.exe
1756 MinerStub.exe
1756 MinerStub.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

661a6a25cbdbec6543e74fae455e349a.exe

pid process

1808 661a6a25cbdbec6543e74fae455e349a.exe

pid	process
1980	mg.exe.exe
324	powershell.exe
764	InstallUtil.exe
764	InstallUtil.exe
1756	MinerStub.exe
1756	MinerStub.exe

pid	process
1808	661a6a25cbdbec6543e74fae455e349a.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

661a6a25cbdbec6543e74fae455e349a.exemg.exe.exeMinerStub.exepowershell.exeInstallUtil.exeMinerStub.exe

description	pid	process
Token: SeDebugPrivilege	1808	661a6a25cbdbec6543e74fae455e349a.exe
Token: SeDebugPrivilege	1980	mg.exe.exe
Token: SeDebugPrivilege	1608	MinerStub.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	764	InstallUtil.exe
Token: SeDebugPrivilege	1756	MinerStub.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

661a6a25cbdbec6543e74fae455e349a.exemg.exe.exeMinerStub.exetaskeng.exe

description	pid	process	target process
PID 1808 wrote to memory of 1980	1808	661a6a25cbdbec6543e74fae455e349a.exe	mg.exe.exe
PID 1808 wrote to memory of 1980	1808	661a6a25cbdbec6543e74fae455e349a.exe	mg.exe.exe
PID 1808 wrote to memory of 1980	1808	661a6a25cbdbec6543e74fae455e349a.exe	mg.exe.exe
PID 1808 wrote to memory of 1980	1808	661a6a25cbdbec6543e74fae455e349a.exe	mg.exe.exe
PID 1980 wrote to memory of 1608	1980	mg.exe.exe	MinerStub.exe
PID 1980 wrote to memory of 1608	1980	mg.exe.exe	MinerStub.exe
PID 1980 wrote to memory of 1608	1980	mg.exe.exe	MinerStub.exe
PID 1980 wrote to memory of 1608	1980	mg.exe.exe	MinerStub.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1980 wrote to memory of 764	1980	mg.exe.exe	InstallUtil.exe
PID 1608 wrote to memory of 324	1608	MinerStub.exe	powershell.exe
PID 1608 wrote to memory of 324	1608	MinerStub.exe	powershell.exe
PID 1608 wrote to memory of 324	1608	MinerStub.exe	powershell.exe
PID 924 wrote to memory of 1756	924	taskeng.exe	MinerStub.exe
PID 924 wrote to memory of 1756	924	taskeng.exe	MinerStub.exe
PID 924 wrote to memory of 1756	924	taskeng.exe	MinerStub.exe

C:\Users\Admin\AppData\Local\Temp\661a6a25cbdbec6543e74fae455e349a.exe
"C:\Users\Admin\AppData\Local\Temp\661a6a25cbdbec6543e74fae455e349a.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\mg.exe.exe
"C:\Users\Admin\AppData\Local\Temp\mg.exe.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files (x86)\Common Files\MinerStub.exe
"C:\Program Files (x86)\Common Files\MinerStub.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\taskeng.exe
taskeng.exe {62507467-828F-4998-BB88-ED197137F805} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Roaming\MinerStub.exe
C:\Users\Admin\AppData\Roaming\MinerStub.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\MinerStub.exe
Filesize
469KB

MD5
5df52a373daa1af07a403e3556ecc43c

SHA1
1791f75489f917078e3f15172efe1c3b214c5567

SHA256
5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

SHA512
f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

Download Submit
C:\Program Files (x86)\Common Files\MinerStub.exe
Filesize
469KB

MD5
5df52a373daa1af07a403e3556ecc43c

SHA1
1791f75489f917078e3f15172efe1c3b214c5567

SHA256
5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

SHA512
f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
3930d9401c720d72a62089588c301839

SHA1
5db67453072f9bb95a2d6c76e2314ea707a2c403

SHA256
f81cd310aeb72ff6f21411eac12e524874d08563f613ec958f76495421db960c

SHA512
55c4cd53ec7e51f6807976de1bd0d06ac2b47bbea48bf8489e7fb7120f2519bc938768e9886c0b357b551712d9d631212cbb0703cc77c613088144691b79e8cf

Download Submit
C:\Users\Admin\AppData\Roaming\MinerStub.exe
Filesize
469KB

MD5
5df52a373daa1af07a403e3556ecc43c

SHA1
1791f75489f917078e3f15172efe1c3b214c5567

SHA256
5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

SHA512
f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

Download Submit
C:\Users\Admin\AppData\Roaming\MinerStub.exe
Filesize
469KB

MD5
5df52a373daa1af07a403e3556ecc43c

SHA1
1791f75489f917078e3f15172efe1c3b214c5567

SHA256
5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

SHA512
f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

Download Submit
\Program Files (x86)\Common Files\MinerStub.exe
Filesize
469KB

MD5
5df52a373daa1af07a403e3556ecc43c

SHA1
1791f75489f917078e3f15172efe1c3b214c5567

SHA256
5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

SHA512
f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

Download Submit
\Users\Admin\AppData\Roaming\MinerStub.exe
Filesize
469KB

MD5
5df52a373daa1af07a403e3556ecc43c

SHA1
1791f75489f917078e3f15172efe1c3b214c5567

SHA256
5173f34fd7d1451ef86933d79ea1f9bf7247f32044f30773350cfe3daaa99cf3

SHA512
f7229502dea6a01dc5ecabcfd80512f27e1a6f581d5a95eb5ab9b84cfd3eb32bd3f7c0668e1932e397ddf8a8a35920520d5c4b120e8014d737dbe483a514e9af

Download Submit
memory/324-91-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/324-82-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/324-79-0x000007FEED250000-0x000007FEEDC73000-memory.dmp

Filesize
10.1MB

Download
memory/324-90-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/324-89-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/324-78-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/324-77-0x0000000000000000-mapping.dmp

Download
memory/324-80-0x000007FEEC6F0000-0x000007FEED24D000-memory.dmp

Filesize
11.4MB

Download
memory/764-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/764-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/764-92-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/764-93-0x0000000000417BEE-mapping.dmp

Download
memory/764-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/764-69-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/764-95-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/764-97-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1608-76-0x000000001B100000-0x000000001B14C000-memory.dmp

Filesize
304KB

Download
memory/1608-63-0x0000000000000000-mapping.dmp

Download
memory/1608-83-0x000000001B9F6000-0x000000001BA15000-memory.dmp

Filesize
124KB

Download
memory/1608-75-0x000000001B0B0000-0x000000001B0FE000-memory.dmp

Filesize
312KB

Download
memory/1608-74-0x0000000002260000-0x0000000002306000-memory.dmp

Filesize
664KB

Download
memory/1608-68-0x000000013FF70000-0x000000013FFE8000-memory.dmp

Filesize
480KB

Download
memory/1608-81-0x000000001B9A0000-0x000000001B9F4000-memory.dmp

Filesize
336KB

Download
memory/1756-100-0x000000001B6D6000-0x000000001B6F5000-memory.dmp

Filesize
124KB

Download
memory/1756-85-0x0000000000000000-mapping.dmp

Download
memory/1756-88-0x000000013F650000-0x000000013F6C8000-memory.dmp

Filesize
480KB

Download
memory/1756-99-0x000000001B6D6000-0x000000001B6F5000-memory.dmp

Filesize
124KB

Download
memory/1808-57-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/1808-56-0x0000000000500000-0x000000000053C000-memory.dmp

Filesize
240KB

Download
memory/1808-55-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1808-54-0x00000000010E0000-0x00000000011CE000-memory.dmp

Filesize
952KB

Download
memory/1980-58-0x0000000000000000-mapping.dmp

Download
memory/1980-66-0x0000000004FB0000-0x0000000004FCA000-memory.dmp

Filesize
104KB

Download
memory/1980-67-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads