General

  • Target

    10f47af828a8e5880a751635143563cb.bin.exe

  • Size

    252KB

  • Sample

    230619-gqwa1sbh45

  • MD5

    10f47af828a8e5880a751635143563cb

  • SHA1

    af570f4569ce36e58038c44a176148afe6b053bf

  • SHA256

    2cf7764d7c90c8bd63c0f5f4d1a5554fbca5276210c5b5d7e013b7dbaa42d6fb

  • SHA512

    5eeefd1a874987aedc8098dd0d7fd255acdf84a07bde12ba973635ca477e3481920afac220d710ea4c4c48b65d9399602203eca2c07d72a99d5fddb6cafb768e

  • SSDEEP

    3072:H/JBX+goMLnQ4JwiBoykRbe7SvHztuR6ISIOaPp6F2WtuT4+zQ8Kxq:RAgojHiAASvpuMIPM4jzhKx

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: http://45.81.224.130/any.exe

Extracted

  • Family

    redline

  • Botnet

    1

  • C2

    213.239.213.187:17260

  • Attributes

    auth_value: 6a4b05ef943a0dd801fd01dfbb9eb717

Targets

    • Target

      10f47af828a8e5880a751635143563cb.bin.exe

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • XMRig Miner payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 1

Defense Evasion

  • Modify Registry (T1112): 3

  • File Permissions Modification (T1222): 1

  • Disabling Security Tools (T1089): 1

Credential Access

  • Credentials in Files (T1081): 2

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

  • Process Discovery (T1057): 1

Collection

  • Data from Local System (T1005): 2

Tasks