General

  • Target

    2620-61-0x0000000003DC0000-0x0000000003DF4000-memory.dmp

  • Size

    208KB

  • Sample

    230811-agg9gahg23

  • MD5

    69ecb6af7703b98749f8841c465fc2f4

  • SHA1

    ed7d009c6eb866de960637c2e00a394dbacc7cf0

  • SHA256

    e1ba9b1567985575021e7c3acff4044e6d17164d32391c848fe8290e40249607

  • SHA512

    c37936d634463f8ec825ca11727c64487b57923f3fd1d73de787c9f452eb16cc7417e9a4755e892a8052f5e55696e2adda30af5e58e4ae643ace8662890904c2

  • SSDEEP

    3072:c2d6mtyOf3YItpGVH1/W92Ve/eV+9wdLxwafS8e8hq:x6mtyOgItpGgD/eUmZS

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

136.244.98.226:33587

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Targets

    • Target

      2620-61-0x0000000003DC0000-0x0000000003DF4000-memory.dmp

    • Size

      208KB

    • MD5

      69ecb6af7703b98749f8841c465fc2f4

    • SHA1

      ed7d009c6eb866de960637c2e00a394dbacc7cf0

    • SHA256

      e1ba9b1567985575021e7c3acff4044e6d17164d32391c848fe8290e40249607

    • SHA512

      c37936d634463f8ec825ca11727c64487b57923f3fd1d73de787c9f452eb16cc7417e9a4755e892a8052f5e55696e2adda30af5e58e4ae643ace8662890904c2

    • SSDEEP

      3072:c2d6mtyOf3YItpGVH1/W92Ve/eV+9wdLxwafS8e8hq:x6mtyOgItpGgD/eUmZS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks