Overview

overview

10

Static

static

3

49883d026f...40.exe

windows7-x64

10

49883d026f...40.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    49883d026fb595c0243e0deb509e7bb534f54b10e6fa2567695a3937d31ff840.exe

  • Size

    1020KB

  • Sample

    230523-h2vpaseb77

  • MD5

    7405d40eeb9e5c190ea52d2fe22c4ade

  • SHA1

    831e57887e29a5217b7a382666d7a7ce7a9a1651

  • SHA256

    49883d026fb595c0243e0deb509e7bb534f54b10e6fa2567695a3937d31ff840

  • SHA512

    1be5a4eb2610048396fee84996d74b73538d5b0702391728fad90ca15530bf2069ef80338fface02aec9d9842d7e258dafd8e69bf5bc60e54c043d7814d18d45

  • SSDEEP

    24576:4yCk0Xxjij3IvWo1Z7hxXrem3LniPptz9kWgsEcI:/YBjiVqZ1xXv3rOvz6P

Score
10/10
loaderbotredlinexmrigluxadiscoveryevasioninfostealerloaderminerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

luxa

C2

77.91.68.157:19065

Attributes
  • auth_value

    2dda654f9abf47e50c7446be3ecc1806

Targets

    • Target

      49883d026fb595c0243e0deb509e7bb534f54b10e6fa2567695a3937d31ff840.exe

    • Size

      1020KB

    • MD5

      7405d40eeb9e5c190ea52d2fe22c4ade

    • SHA1

      831e57887e29a5217b7a382666d7a7ce7a9a1651

    • SHA256

      49883d026fb595c0243e0deb509e7bb534f54b10e6fa2567695a3937d31ff840

    • SHA512

      1be5a4eb2610048396fee84996d74b73538d5b0702391728fad90ca15530bf2069ef80338fface02aec9d9842d7e258dafd8e69bf5bc60e54c043d7814d18d45

    • SSDEEP

      24576:4yCk0Xxjij3IvWo1Z7hxXrem3LniPptz9kWgsEcI:/YBjiVqZ1xXv3rOvz6P

    Score
    10/10
    loaderbotredlinexmrigluxadiscoveryevasioninfostealerloaderminerpersistencespywarestealertrojanupx

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks