Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    35KB

  • Sample

    230104-xcwydsce9y

  • MD5

    763f596df92174f31b2019474d6a022c

  • SHA1

    3716637d97d20f4c1a92631e78d363635e6d7bf4

  • SHA256

    6032d1538d68df2b8a118c6c5f3756a9c383d213f71fae50fef2c59482cdf107

  • SHA512

    fb38f1ec9105c753c56e8dbf1023fa84ccf61511ad15ef21db221890858b2aa1a33688dea0da894262f21bf2c3ef06bde92f3cbe95d4a6d601c4b5d0748e0e2d

  • SSDEEP

    768:R0EzuhkxatcjJP1sgjy4r/wOPpdwMNhghy0qN:R0Ey6xatUNst4kmTghy0Y

Score
10/10
redlinexmrig$infostealerminerspyware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.194/go.png

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://62.204.41.194/F1.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.194/me.png

Extracted

Family

redline

Botnet

$

C2

31.41.244.135:19850

Attributes
  • auth_value

    66623f79e2af33286760f5dd6c4262dc

Targets

    • Target

      file.exe

    • Size

      35KB

    • MD5

      763f596df92174f31b2019474d6a022c

    • SHA1

      3716637d97d20f4c1a92631e78d363635e6d7bf4

    • SHA256

      6032d1538d68df2b8a118c6c5f3756a9c383d213f71fae50fef2c59482cdf107

    • SHA512

      fb38f1ec9105c753c56e8dbf1023fa84ccf61511ad15ef21db221890858b2aa1a33688dea0da894262f21bf2c3ef06bde92f3cbe95d4a6d601c4b5d0748e0e2d

    • SSDEEP

      768:R0EzuhkxatcjJP1sgjy4r/wOPpdwMNhghy0qN:R0Ey6xatUNst4kmTghy0Y

    Score
    10/10
    xmrigminerredline$infostealerspyware

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks