Extracted

• • Target

    c068aae17f843ffc60c792336879c570.exe

  • Size

    916KB

  • MD5

    c068aae17f843ffc60c792336879c570

  • SHA1

    47dad1f6396317f2d0591bb674ab7d6113e87611

  • SHA256

    1e5f2c0b0ce987ff58c642c4c98ab60c79453d0f6ac4de50de382917e2a1d518

  • SHA512

    65d29971233001088ac5ad0e52dff7484e156d4c79e320242fc8bb5548f42f4dcf20af5adce1e5bff377bdf7dd5b8b1bbc574e79c8b0237bdccf1d140e19a27f

  • SSDEEP

    24576:dyOYs7tghLdXyOAP19W6FnsEE2nCfzDI:4OYHLdXs9YssJ2n0D

  Score

  10^/10

  loaderbotredlinexmriglupadiscoveryevasioninfostealerloaderminerpersistencespywarestealertrojan

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • LoaderBot executable

  • XMRig Miner payload

    miner

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2