redline | 6e8bf74388ea7fd0920ba751b8815fc3cf8b08718062695e1860ba9afa961e12 | Triage

Submit
Reports

Overview

overview

Static

static

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

35KB
Sample

230106-nbzs8afg97
MD5

4cf755615a13020d548efdb50075c7f4
SHA1

d7fe35e37bda895f6ead22cda6e918716be2bbf1
SHA256

6e8bf74388ea7fd0920ba751b8815fc3cf8b08718062695e1860ba9afa961e12
SHA512

e0230b47232d3ff6ed0d4de0c63990cbd03e7141c62102045f95b4960ccd75407737426218dd643fee5028932f16e63eed6360d95cbe539882d7d4dfecb39348
SSDEEP

768:l4fwXzHw0maEVLjCFHsGy4r/wOPpdwMNhghy0q9:l44XjxmaEVcu4kmTghy0w

Score

10^/10

redline xmrig $infostealer miner persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20220901-en

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20221111-en

redline xmrig $infostealer miner persistence spyware

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/go.png

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.194/F1.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/me.png

Extracted

Family

redline

Botnet

$

C2

31.41.244.135:19850

Attributes

auth_value
66623f79e2af33286760f5dd6c4262dc

Targets

- Target
  
  file.exe
- Size
  
  35KB
- MD5
  
  4cf755615a13020d548efdb50075c7f4
- SHA1
  
  d7fe35e37bda895f6ead22cda6e918716be2bbf1
- SHA256
  
  6e8bf74388ea7fd0920ba751b8815fc3cf8b08718062695e1860ba9afa961e12
- SHA512
  
  e0230b47232d3ff6ed0d4de0c63990cbd03e7141c62102045f95b4960ccd75407737426218dd643fee5028932f16e63eed6360d95cbe539882d7d4dfecb39348
- SSDEEP
  
  768:l4fwXzHw0maEVLjCFHsGy4r/wOPpdwMNhghy0q9:l44XjxmaEVcu4kmTghy0w
Score

10^/10

xmrig miner redline $infostealer persistence spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

redlinexmrig$infostealerminerpersistencespyware

© 2018-2024

Terms | Privacy