redline

Resubmissions

22-11-2023 01:16

231122-bm924she63 1

05-06-2023 18:52

01-06-2023 19:18

01-06-2023 17:57

01-06-2023 16:56

01-06-2023 16:38

01-06-2023 16:19

01-06-2023 16:10

Sharing

Copy URL

Twitter E-mail

General

Target

http://34.101.154.50
Sample

230601-wjvhgaff56

Score

10^/10

Malware Config

Extracted

Path

C:\PerfLogs\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Extracted

Family

redline

Botnet

dix

77.91.124.251:19065

Attributes

auth_value
9b544b3d9c88af32e2f5bf8705f9a2fb

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

83.97.73.127:19045

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

rocker

83.97.73.127:19045

Attributes

auth_value
b4693c25843b5a1c7d63376e73e32dae

Targets

- Target
  
  http://34.101.154.50
Score

10^/10

redline ryuk xmrig dix diza rocker discovery infostealer miner persistence ransomware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- XMRig Miner payload
  miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Renames multiple (7721) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops Chrome extension
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Ryuk

XMRig Miner payload

xmrig

Renames multiple (7721) files with added filename extension

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Modifies file permissions

Adds Run key to start application

Drops Chrome extension

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

urlscan1

behavioral1