General

  • Target

    296-246-0x0000000003D50000-0x0000000003D84000-memory.dmp

  • Size

    208KB

  • Sample

    230806-w3ameada61

  • MD5

    4e440f67186e2995945b43581d563825

  • SHA1

    84e9adfb35ce505cbf08f0f2d1a49c85a2ade6e1

  • SHA256

    74f06e568aebd641f9f1b0bc279d0306f0ff043f57d22eea805c5ac8a7668eb7

  • SHA512

    1e65053531bb385d9606853671d906306e289d69944ec755654d788a88875e436eb631408967a17ce7e8f5d86bdad6d575a9cd0fab170e63f079a104ae6caef5

  • SSDEEP

    3072:MW3s69VvJMzabHEt82BCHJam9UlCQXD/2brWI4+okzBby/8e8hg:p3s6NMzaBJpK+brWIFdS

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.89.201.49:6932

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Targets

    • Target

      296-246-0x0000000003D50000-0x0000000003D84000-memory.dmp

    • Size

      208KB

    • MD5

      4e440f67186e2995945b43581d563825

    • SHA1

      84e9adfb35ce505cbf08f0f2d1a49c85a2ade6e1

    • SHA256

      74f06e568aebd641f9f1b0bc279d0306f0ff043f57d22eea805c5ac8a7668eb7

    • SHA512

      1e65053531bb385d9606853671d906306e289d69944ec755654d788a88875e436eb631408967a17ce7e8f5d86bdad6d575a9cd0fab170e63f079a104ae6caef5

    • SSDEEP

      3072:MW3s69VvJMzabHEt82BCHJam9UlCQXD/2brWI4+okzBby/8e8hg:p3s6NMzaBJpK+brWIFdS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks