General

  • Target

    file.exe

  • Size

    35KB

  • Sample

    230104-3gjrhsde4w

  • MD5

    b74be466bb67f2a2d226100d57a929d4

  • SHA1

    8b494dd6d976ed75f48497321393a49aef2b1c69

  • SHA256

    4e47aacea0a261d290baf16b29636e778a5de66deff6e5bc3fbf04c88f77a05a

  • SHA512

    97707f79971e899309ccc8f1b59c76f75cf9958ba6054210631f2a6d2e2ee33d7fe420ea8d6fd1d58a9a3949ac7bfa696bc9ef24970e35704d459bfac385b62e

  • SSDEEP

    768:jKjudhnvbNBfg7jduMey4r/wOPpdwMNhghy0q9:jAuRbNNLO4kmTghy0w

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs

    ps1.dropper: http://62.204.41.194/go.png

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs

    exe.dropper: http://62.204.41.194/F1.exe

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs

    ps1.dropper: http://62.204.41.194/me.png

Extracted

  • Family

    redline

  • Botnet

    $

  • C2

    31.41.244.135:19850

  • Attributes

    auth_value: 66623f79e2af33286760f5dd6c4262dc

Targets

    • Target

      file.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (1)

  • Collection

    T1005 Data from Local System (1)

Tasks