Extracted

• • Target

    a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736

  • Size

    1020KB

  • MD5

    4aeda6e2b1f51a375f3393735a6ee9c2

  • SHA1

    ec7ce670cbd33ddda0dd983e71838548c8a4f9c5

  • SHA256

    a1d18a8a59f0934ba9c600c477ec5565d863ac2a2189cd29d063e61600181736

  • SHA512

    4fa369dc07157f0ac02252c11a6624a0c688990cbd97316b67aeae13313ed7234fde120a2422fea59a13f628254f264410f3dc87b9739fde273ba785f5e87d85

  • SSDEEP

    24576:+yS/nq8KH/wgrvIHJYH5WRwpFaFisnlr4wyD0F5sdF:NS/nqPw7HKYRSsFiqkB6

  Score

  10^/10

  loaderbotredlinexmriglupadiscoveryevasioninfostealerloaderminerpersistencespywarestealertrojan

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • LoaderBot executable

  • XMRig Miner payload

    miner

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1