General

  • Target

    3c3ae074efc209a63f628f55b07eaf7c605dbbf5d0025419d78d42ec3488dbb6

  • Size

    69.9MB

  • Sample

    240708-m2vrhsvhpk

  • MD5

    14a76f1fbd3829471ab5387a06d82753

  • SHA1

    fca74b2fe85d294830d64ad0e769d0d9b9d97832

  • SHA256

    3c3ae074efc209a63f628f55b07eaf7c605dbbf5d0025419d78d42ec3488dbb6

  • SHA512

    fbb2da96ed9e4dee7228af943d07387ad710fd4a0262009509d04d0bec7fdfdfdc238cfe9ca024baf5df2dd33ae69c1ce3ee058d6295709a2b9b2ba553c55813

  • SSDEEP

    1572864:PRDm7pl/94Y93gb+1VAP4YrA2y5AnCZVr2:PRq+w3E+1VwaWz

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    https://drive.usercontent.google.com/u/0/uc?id=1x3Qsl0ip2snOsNAYvLibF9vZtml1AeI9&export=download

Extracted

  • Family

    redline

  • Botnet

    GameTrash

  • C2

    213.219.199.48:1912

Targets

    • Target

      RobuxGiver/Giver.jar

    • Size

      36.6MB

    • MD5

      1bc56c1c09bb5d108365c0992291f5c6

    • SHA1

      7c47e8db8b527b256520499033f0c39ab2fee449

    • SHA256

      15788f4491bbaefd419c7a152a2ce35e59ad827218260a10430a2fcf23e30cf6

    • SHA512

      a283f96cc878a88125cdb1e959f17044ddcb4031e566f4a3273012e4cbfc568004b2a25c54896b104fe0ede950193b518f6be283de260679871e8860ea88c86d

    • SSDEEP

      786432:J67l/W65D0Dspv3aagZb+1VBy3W8B4YrA2ysrjAAi81iVZV6zihX1:el/94Y93gb+1VAP4YrA2y5AnCZVrf

    Score
    1/10
    • Target

      RobuxGiver/Refresh.dll

    • Size

      7.4MB

    • MD5

      e669283790077343477be2e0a7578891

    • SHA1

      5b6e41b930aedcc1f6ccd9301448e6c0eacc1315

    • SHA256

      b11625c73e8ef0f76058b2ef7d7f09dc3453988eba227e9d7b2310eea923d7a9

    • SHA512

      f81376c9727614d12a1825c71b93024ff9659822f6dc8f660277e85467081e1755ced1e53241d6009b09214c5f7fd0cfab47383bb6a42077757b0bd1cd2fa71b

    • SSDEEP

      98304:8mg7qz9u16T8R2y1fUv50DKKNUqGX1Y5l533y9SSFr32W3:8vqRu16T8RpfSaDKKNUqGX032z3Z3

    Score
    1/10
    • Target

      RobuxGiver/Run.bat

    • Size

      133KB

    • MD5

      cda01b7a38c5168643879c37a603b756

    • SHA1

      8e106bdf6faeabc194f94bec498bad28dd6e380b

    • SHA256

      e52ac9954fd9cf9ec2ada166cdc0ad720efb0e5492ec7422390b4050327f6b85

    • SHA512

      eb5e074720b0dd72b6998dc2f8aa4f603361077d42fb2b76b912844445db5b58947ab1204e9b7015952a6e284b084452f7d4c4dbe6c54d5e4d128e7370fadfe6

    • SSDEEP

      3072:UzU4BgtWtI0Mb4Rp39rixLerYKGM/548phyS0:sTBLO09RLriFerVGQGf

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      RobuxGiver/connect.dll

    • Size

      598KB

    • MD5

      9d420367ad9cc9a64abb3070ba056a4d

    • SHA1

      56ad1e0143aa5b5860225b6d6e798966822f0ee9

    • SHA256

      14e21da9127bfc402072131eb35df9f75541d577c470624db563261290c79571

    • SHA512

      507a4aff01b75d786b3cf945cd08a92407369db609ee7ef4c922a15a6db647ce3f0726d5a22911e763c8e1add6b33effee871d543429c9f468766ef56a7e6017

    • SSDEEP

      12288:iToJbEjeRbToJbEjeRFToJbEjeRFToJbEjeRFToJbEjeRY:2oJbEjeR3oJbEjeRRoJbEjeRRoJbEjeh

    Score
    1/10
    • Target

      Accessibility.dll

    • Size

      30KB

    • MD5

      cd67df24d44e55f8a39a8ab8c6af5bf8

    • SHA1

      1d94109212b75ad006db614ef0379c3eba6f13ea

    • SHA256

      507b945cfcb8841d67b1015911f2716515d70c7547f3d73a1efd87e23a1789bd

    • SHA512

      242d20e0c7d807696e9e0fd809bd419cf2a746edffecdf74e9a6c7fd78e7920bbab32ad91e1a5cb1576ae89e8d882f84f694e02c58c5122f89b9e582f3db3c21

    • SSDEEP

      384:6IW1XfPAzkHn8dlRu98nYsWZbWU9kk5+R9zusw6A8iHRN7YKy50ZSxR9zusgPRvB:6BRca98nYzP1g9zuoAxY50Zi9zuzp

    Score
    1/10
    • Target

      RB.uiu

    • Size

      3.2MB

    • MD5

      4ec2a06a4c66ab46b6cd2ba048e1e9a2

    • SHA1

      ee09664e59931bf6659bc70748713701c6d283a4

    • SHA256

      92cef33249a372491bb51e8b7c607ac69588f88829ad7561fd2b2b853f6a2ad7

    • SHA512

      63b147e8b4b1a436b008f48fb58e3a297cf1bc0182caacb3b414a764642d76cc081ba5836e434f8cd56c02f770bc795aa98186459fd750f1b3a5700645fb32d9

    • SSDEEP

      49152:GjmWx8dQMC5C/3T5EDeKxWwN5aFjZDiWEbZaiFOuR:Gjm4CvT5EDeKxW2aFlRpuR

    Score
    1/10
    • Target

      api-ms-win-base-util-l1-1-0.dll

    • Size

      11KB

    • MD5

      b6b9ff41852a816fda2fb19e46b41428

    • SHA1

      85a732933c9480f501d4d623a4688500092f5790

    • SHA256

      8ad869b6b66f784655f09ef4b2cc2299d26e32e8c93de3b52eb04ba084dfb799

    • SHA512

      d3a3f4a6118a5d1cd2b961db471bc83ebff8e01f1e60d4e8ce223ad5da62e46b6cc12a56bd6de9a9ebd11fa7f25ed0d2745a65077b11775b0e1364d8f4ae6ad6

    • SSDEEP

      192:JWZhWrcCroDBQABJbpF+nasu+JX01k9z3Azs+9Lys:JWZhW6DBRJbpUad+JR9zus+tv

    Score
    3/10
    • Target

      api-ms-win-core-com-l1-1-0.dll

    • Size

      16KB

    • MD5

      9ad32425879d587f6440787d749d28b5

    • SHA1

      6fe77657963a680d605ea43a20dafa38b9a0c840

    • SHA256

      1a1c91a02511a5b6c519f62d0c126c663284b70c8c1fac2befa73903358954ea

    • SHA512

      cdbac27c9b881c012808f6cc836004424e01dda51841040e49c2f5fa5a06fc98d4acc00f7030c7eabc718e1c2033027a5b5ccc681408d57b23fe908fcc34ccda

    • SSDEEP

      192:LWjfog5hLYXTAdBEV5TlOX/SUfEWZhWUcCroDBQABJCRZC0pF+nasu+JX01k9z3V:LQ8XBOfEWZhWFDBRJYpUad+JR9zus+wl

    Score
    3/10
    • Target

      api-ms-win-core-comm-l1-1-0.dll

    • Size

      12KB

    • MD5

      b2d6e9d578b9c5133154cf283795be13

    • SHA1

      458de064436dcd02eff88af28cd14fcacc80cba5

    • SHA256

      81cccf230877808c5c6ede5aa0b1a944cfc167305f36b7261a4b2fbaf4846b3e

    • SHA512

      336ff3e8c8163aee6c1603902a7832ab69acaadd350b33ae2fc336ba37f5420d8b5cdfb0fcbb5982e2b9aacec4ef5c642ef6a37a96aff05a5a484f48db4c6303

    • SSDEEP

      192:8NWZhWeRpSDBQABJN7DqF9e+X01k9z3AzsJFD4ElVbu:8NWZhWPDBRJle99R9zusX0gVS

    Score
    1/10
    • Target

      api-ms-win-core-console-l1-1-0.dll

    • Size

      12KB

    • MD5

      51876f5c5a4a18fbff8e49b4098a2837

    • SHA1

      5435558aa2b0edbc3dd259a10f18041d5a4a457a

    • SHA256

      120245d0362392e14ab0248561c75cba92f9cc633b318454a4ed4c73c260998d

    • SHA512

      42a56fe43ce986cd27932520e044aa9ccceec8c8b10f50bb9be3f93d0a7038fbd4a7bd70fa3c63f034133dee81f870f382e67c3b6bf9445545b7d10022b17113

    • SSDEEP

      192:3x4x8WZhWrYRpSDBQABJxwks9gICQX01k9z3AF21zHo:h4KWZhWrZDBRJe/P/R9zfW

    Score
    1/10
    • Target

      api-ms-win-core-datetime-l1-1-0.dll

    • Size

      12KB

    • MD5

      27063ef9884d2e99c4efc23afb82d362

    • SHA1

      7d61625a6a4586414663fae9706308304bed2fc9

    • SHA256

      7d57238f0552b7c3222af0d92ac876be6bbe750ecea527564ecfe96207b306c7

    • SHA512

      22904dd56cfac474587235ba8d1efdd31cebd9ab392f3af5a65901b5f020ddbaa77ad57e2d23e75e349e0f8d2c77dd5daa9e50366d64d9fc5f94c6fe4c916e8b

    • SSDEEP

      192:YyWZhWgcCroDBQABJxr3NWGaN4NhrJgX01k9z3AhQCs2RB:YyWZhWBDBRJpsTN4tgR9zatRB

    Score
    1/10
    • Target

      api-ms-win-core-datetime-l1-1-1.dll

    • Size

      12KB

    • MD5

      0e1ea6efc5c6824c0b0d55ef5b670dec

    • SHA1

      589b957ac3bcea9327d75af4b07cb0e8bd158fe5

    • SHA256

      7511280e57c23aeea9926476c3fc34da92b7dd261aabc4cd092ed4c9c4869a0d

    • SHA512

      b2472aefc6eff582905e2d1f95394b3ef687f3041bde07b3be82851402e9265e52a7396e7bba8b7e3a1427563b92d5d0608ed7d93038107e7da9e7b5ff08738b

    • SSDEEP

      192:aWZhWtcBRpSDBQABJSXq21eX01k9z3Az7+9t/HjQib:aWZhWuMDBRJSXl8R9ziARHEib

    Score
    3/10
    • Target

      RobuxGiver/natives/Accessibility.dll

    • Size

      30KB

    • MD5

      cd67df24d44e55f8a39a8ab8c6af5bf8

    • SHA1

      1d94109212b75ad006db614ef0379c3eba6f13ea

    • SHA256

      507b945cfcb8841d67b1015911f2716515d70c7547f3d73a1efd87e23a1789bd

    • SHA512

      242d20e0c7d807696e9e0fd809bd419cf2a746edffecdf74e9a6c7fd78e7920bbab32ad91e1a5cb1576ae89e8d882f84f694e02c58c5122f89b9e582f3db3c21

    • SSDEEP

      384:6IW1XfPAzkHn8dlRu98nYsWZbWU9kk5+R9zusw6A8iHRN7YKy50ZSxR9zusgPRvB:6BRca98nYzP1g9zuoAxY50Zi9zuzp

    Score
    1/10
    • Target

      RobuxGiver/natives/RB.uiu

    • Size

      3.2MB

    • MD5

      4ec2a06a4c66ab46b6cd2ba048e1e9a2

    • SHA1

      ee09664e59931bf6659bc70748713701c6d283a4

    • SHA256

      92cef33249a372491bb51e8b7c607ac69588f88829ad7561fd2b2b853f6a2ad7

    • SHA512

      63b147e8b4b1a436b008f48fb58e3a297cf1bc0182caacb3b414a764642d76cc081ba5836e434f8cd56c02f770bc795aa98186459fd750f1b3a5700645fb32d9

    • SSDEEP

      49152:GjmWx8dQMC5C/3T5EDeKxWwN5aFjZDiWEbZaiFOuR:Gjm4CvT5EDeKxW2aFlRpuR

    Score
    1/10
    • Target

      RobuxGiver/natives/UnRAR.exe

    • Size

      494KB

    • MD5

      98ccd44353f7bc5bad1bc6ba9ae0cd68

    • SHA1

      76a4e5bf8d298800c886d29f85ee629e7726052d

    • SHA256

      e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

    • SHA512

      d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

    • SSDEEP

      6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK

    Score
    3/10
    • Target

      RobuxGiver/natives/api-ms-win-base-util-l1-1-0.dll

    • Size

      1.2MB

    • MD5

      15be12b923012fe94229b2b91520b5b2

    • SHA1

      8bbecb00fcd3d42a01939d4b0a02f30a5a34721e

    • SHA256

      77c523fcf6d739df0823fd08738e05c876b99b684d882084df78b449c5464c48

    • SHA512

      67a85ba2745300d47c0a6e5907b5c5011fc84c3b962163c624c8e36254d6b7ef7d7421f69b7d57d41bdf3c05c62eca4af750b884d340d3a293f54c6a4d066a3f

    • SSDEEP

      3072:LDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaDaK:X

    Score
    1/10
    • Target

      RobuxGiver/natives/api-ms-win-core-com-l1-1-0.dll

    • Size

      1.6MB

    • MD5

      cd4209e51836249b2a410758e49cd000

    • SHA1

      f4c8c4cd1f0075782441e6897e0b12a42fe93c6d

    • SHA256

      7b813c00b3002f2689b4d55bd3dbf643adc93aa3e965d094da1e00201427fd27

    • SHA512

      a9095e3fb08e232b2543707ae28c0a8ba17e473971c87c09412867704407b24e6a6df61bcfe27e5a1e12b822602f5134d4ff2f8d29ba498cb1ce4f55cd021cd4

    • SSDEEP

      12288:977777777777777777777777777777777777777777777777777777777777777l:H

    Score
    1/10
    • Target

      RobuxGiver/natives/api-ms-win-core-comm-l1-1-0.dll

    • Size

      1.3MB

    • MD5

      f6cd3a4a45c54a0c7f18a0e75f3afcbe

    • SHA1

      d0a66c79f815a46d2319538b8f557bfc92c4deba

    • SHA256

      850102912c9a2897fca0cf7d143e162f1a7f58bf689a94082b50969f05106d51

    • SHA512

      ee15055a3adba6704c6313025baad2d69fda2d181f07812c324fa8c21caed1c82612a4cbe57e1e3702850197c787cafa583d47739f2f923e8655bee929c248d2

    • SSDEEP

      3072:RKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK2:U

    Score
    1/10
    • Target

      RobuxGiver/natives/api-ms-win-core-console-l1-1-0.dll

    • Size

      11.1MB

    • MD5

      eaf2a3ab027b941b49fed9a7cb3e55fb

    • SHA1

      c7b7477879b7f757f98798de813330b9ebbdd23a

    • SHA256

      6c442b192f89d1e4c8349b1fb48a4bd8df6b0fdca5ea9ca59c1d8b7ce03d9842

    • SHA512

      36efe8bb0c4b361f9bfa809fae819f409cae84b95b4216a3100272ea213e200b803cf7afd625c8393df0f18a41fccb498f8a80635e93e5bd7d062f8d6749f179

    • SSDEEP

      6144:6mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmme:h

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

xmrig, evasion, execution, miner, persistence, upx
Score
10/10

behavioral6

redline, xmrig, gametrash, discovery, evasion, execution, infostealer, miner, persistence, spyware, stealer, upx
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
3/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
3/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10