redline | 1714ba5db61334c038b40a0e41d65b87a583530097cb11793d2a67d84373679a | Triage

Sharing

General

Target

0e4e3cdacfbe29fdc3e189e52ee8228e.bin
Size

34KB
Sample

230508-bc6lyagd56
MD5

4f084595b3f135da6ecd75af19a79220
SHA1

463b5248f226a116cf235d16ade51d01939a69fd
SHA256

1714ba5db61334c038b40a0e41d65b87a583530097cb11793d2a67d84373679a
SHA512

f5f5f7ebf20cab4b3e24bed669eb8da03608885e06c0ce236a60ecc5d7366b6d0a0e8ef546bf3f5552c887c6cd2211902450d4019082ee64e74c927f1f0ee078
SSDEEP

768:Q4cWw4vwZN0ejdOrw2qmcrfA3s7YvQE9aW5Onk1upwc9:QjjzdYperl7Yvt93Uksb

Score

10^/10

redline xmrig [ pro ]evasion infostealer miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Family

redline

Botnet

[ PRO ]

C2

185.161.248.16:26885

Attributes

auth_value
b4958da54d1cdd9d9b28330afda1cc3c

Targets

- Target
  
  ac3af6bd3139c444e8e146a6d48c110ae33c09d23c84b7b02f3d7af9eaa49c84.exe
- Size
  
  82KB
- MD5
  
  0e4e3cdacfbe29fdc3e189e52ee8228e
- SHA1
  
  59bdf38588f8fefefd49aa748dac4d025e9d0ec3
- SHA256
  
  ac3af6bd3139c444e8e146a6d48c110ae33c09d23c84b7b02f3d7af9eaa49c84
- SHA512
  
  4356a79c3c15f6bdd5c9e465f99cf5b5ea90edcf9e6e84be79cd3e128b3565462af4ce3982077f9f0b11035a30c3caedeae2ca4a62bc74eb6dc319c2236d302a
- SSDEEP
  
  1536:Vdbe0uWRLLmR/epMMj1McUa33271MT1AosEeR9m+dIs:Tb/RLLmJMMMjK63E1MT1zr+dp
Score

10^/10

xmrig evasion miner redline [ pro ]infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

xmrigevasionminer

behavioral2

redline[ pro ]evasioninfostealer