Extracted

• • Target

    25a9fa38ecef745b7437783c5d2d92d6.exe

  • Size

    1020KB

  • MD5

    25a9fa38ecef745b7437783c5d2d92d6

  • SHA1

    730fa6f1fdaea9a3820d61efa558e5546ff9aad7

  • SHA256

    e6e6dd786fa32e98eb482e69d34794abd69f5e185f11d48eece5b18497eaa11a

  • SHA512

    0e9cddf3fe1e04e7c27a339bd88a730008372d9b13fabd2824796e48fa1c5313f209916509e75fb83e9dfefe1abcc926ee43828604b0a67c1c7c744358682d84

  • SSDEEP

    24576:3yx/2j4XrBmLx84bvBbfazM3SrTgXfBfXL1gEv7e:Cx/2uFsOzqSrTkF1

  Score

  10^/10

  loaderbotredlinexmrigluxadiscoveryevasioninfostealerloaderminerpersistencespywarestealertrojan

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • LoaderBot executable

  • XMRig Miner payload

    miner

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2