General

Target: CryptoMiner.exe
Size: 1.5MB
Sample: 220505-bvntvahfap
MD5: 310eb5bd45ac9c5767d28e63ab64635b
SHA1: 4ac0d40abb71e9fcff34c8f67511fc590f495f3e
SHA256: d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
SHA512: c2b0c3e890bb92f527960230c97c9c75ce50a2b9c4186c1dea87f7e55892702ac82805e5a038b8d32614790357c3ad113afe63e7f77cc99866801f4fdbac5e97
Static task: static1
Behavioral task: behavioral1 (sample CryptoMiner.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample CryptoMiner.exe, resource win10v2004-20220414-en)
Malware Config

Extracted family: redline
Botnet ID: @watercloudrobot - oblako za 8500 ("oblako za 8500" is Russian for "cloud for 8500")
C2: 65.21.213.209:32936
auth_value: a14b52bba3a0ad35d4f66edae1132d42
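The extracted C2 endpoint is the most directly actionable item in this config. The following is an added example, not part of the sandbox report and not RedLine's code, showing how to hunt for that endpoint in Zeek-style conn.log records; the log lines are constructed for the example, only the C2 value comes from the config above.

```python
"""Added example (not part of the sandbox report or of RedLine): hunt for
the extracted C2 endpoint in Zeek-style conn.log records.

The C2 value is the one extracted above; the log lines are constructed for
this example.
"""
import ipaddress
from typing import Iterable

# From the extracted config above.
REDLINE_C2 = "65.21.213.209:32936"

# Constructed Zeek conn.log excerpt (tab-separated):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = (
    "1651715001.123\tCa1\t10.0.0.15\t51234\t142.250.74.78\t443\ttcp\n"
    "1651715003.456\tCb2\t10.0.0.15\t51240\t65.21.213.209\t32936\ttcp\n"
    "1651715004.789\tCc3\t10.0.0.22\t49152\t65.21.213.209\t443\ttcp\n"
    "1651715010.000\tCd4\t10.0.0.15\t51250\t65.21.213.209\t32936\ttcp\n"
    "# a comment line that must be skipped\n"
)


def parse_c2(c2: str) -> tuple[str, int]:
    """Split 'ip:port' and validate the IP literal; raises ValueError otherwise."""
    host, _, port = c2.rpartition(":")
    ipaddress.ip_address(host)
    return host, int(port)


def find_c2_connections(
    lines: Iterable[str], c2: str = REDLINE_C2, strict_port: bool = True
) -> list[dict]:
    """Return one dict per connection whose responder matches the C2.

    strict_port=True matches only ip:port exactly; False also flags other
    ports on the same host (useful when the operator moves the listener).
    """
    c2_host, c2_port = parse_c2(c2)
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        ts, uid, src, _src_port, dst, dst_port, proto = fields[:7]
        if dst != c2_host:
            continue
        exact = int(dst_port) == c2_port
        if strict_port and not exact:
            continue
        hits.append({"ts": ts, "uid": uid, "src": src, "dst": f"{dst}:{dst_port}",
                     "proto": proto, "exact_c2": exact})
    return hits


def infected_hosts(hits: list[dict]) -> set[str]:
    """Distinct internal sources that reached the C2, i.e. the hosts to triage."""
    return {h["src"] for h in hits}


if __name__ == "__main__":
    exact_hits = find_c2_connections(SAMPLE_CONN_LOG.splitlines())
    for hit in exact_hits:
        print(hit)
    loose_hits = find_c2_connections(SAMPLE_CONN_LOG.splitlines(), strict_port=False)
    print("hosts to triage:", sorted(infected_hosts(loose_hits)))
```

Match on the IP alone as well as on ip:port: RedLine operators reuse a server across ports, so a host talking to 65.21.213.209 on any port deserves a look even if only the 32936 connections are a certain match.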
Targets

Target: CryptoMiner.exe (1.5MB; hashes as listed under General)
Family: RedLine
RedLine Stealer is an information stealer written in C#, first seen in early 2020.

Signatures:
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess (a process created with a parent other than the caller, i.e. parent PID spoofing)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext (commonly seen in process hollowing and other thread-hijacking injection)
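The two anti-VM signatures above (BIOS information in the registry, VirtualBox ACPI values) both come down to reading a handful of registry locations and comparing strings. The following is an added example written for this report, not RedLine's own code and not sandbox output, that reproduces those checks. The key paths are the standard ones such checks read; the marker strings are an assumption, since the exact strings this sample compares against are not shown on the page. The core logic takes plain dicts so it runs offline; collect_from_registry() is a Windows-only reader.

```python
"""Added example (illustrative, not RedLine's own code and not from the
sandbox report): reproduce the registry-based VM checks behind the
"Checks BIOS information in registry" and "Identifies VirtualBox via ACPI
registry values" signatures.

The key paths are the standard locations these checks read; the marker
tables below are an assumption for this example. detect_vm() works on
plain dicts so it runs offline; collect_from_registry() is Windows-only.
"""
import sys
from typing import Iterable, Mapping

BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
BIOS_VALUES = ("SystemManufacturer", "SystemProductName", "BIOSVendor", "BIOSVersion")
ACPI_DSDT_KEY = r"HARDWARE\ACPI\DSDT"

# Lower-cased substrings that betray a hypervisor in the BIOS strings (assumed list).
BIOS_MARKERS = (
    ("virtualbox", "VirtualBox"),
    ("vbox", "VirtualBox"),
    ("innotek", "VirtualBox"),
    ("vmware", "VMware"),
    ("qemu", "QEMU"),
    ("bochs", "QEMU/Bochs"),
    ("xen", "Xen"),
    ("virtual machine", "Hyper-V"),
)
# ACPI DSDT OEM IDs show up as subkeys of HARDWARE\ACPI\DSDT; VBOX__ is the
# well-known VirtualBox one, BOCHS_ is assumed for QEMU/Bochs.
DSDT_MARKERS = {"VBOX__": "VirtualBox", "BOCHS_": "QEMU/Bochs"}


def detect_vm(bios: Mapping[str, str], dsdt_subkeys: Iterable[str]) -> list[tuple[str, str]]:
    """Return (evidence, hypervisor) pairs; an empty list means nothing matched."""
    hits = []
    for name in BIOS_VALUES:
        value = bios.get(name, "")
        low = value.lower()
        for marker, hv in BIOS_MARKERS:
            if marker in low:
                hits.append((f"{BIOS_KEY}\\{name}={value!r}", hv))
                break  # one hit per value is enough
    for sub in dsdt_subkeys:
        hv = DSDT_MARKERS.get(sub.strip().upper())
        if hv:
            hits.append((f"{ACPI_DSDT_KEY}\\{sub}", hv))
    return hits


def collect_from_registry() -> tuple[dict, list]:
    """Read the same keys from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg

    bios = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        for name in BIOS_VALUES:
            try:
                bios[name] = str(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass  # value absent on this machine
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACPI_DSDT_KEY) as key:
        count = winreg.QueryInfoKey(key)[0]
        subkeys = [winreg.EnumKey(key, i) for i in range(count)]
    return bios, subkeys


# Constructed inputs for offline use: a VirtualBox guest and a physical laptop.
VBOX_GUEST = {
    "SystemManufacturer": "innotek GmbH",
    "SystemProductName": "VirtualBox",
    "BIOSVendor": "innotek GmbH",
    "BIOSVersion": "VirtualBox",
}
VBOX_DSDT = ["VBOX__"]
PHYSICAL = {
    "SystemManufacturer": "Dell Inc.",
    "SystemProductName": "Latitude 7420",
    "BIOSVendor": "Dell Inc.",
    "BIOSVersion": "1.21.0",
}
PHYSICAL_DSDT = ["DELL__"]

if __name__ == "__main__":
    for label, bios, dsdt in (("vbox", VBOX_GUEST, VBOX_DSDT), ("physical", PHYSICAL, PHYSICAL_DSDT)):
        print(label, detect_vm(bios, dsdt) or "no VM indicators")
```

These are registry reads, which Sysmon does not record (it logs key creation, value sets and deletions, not queries), so on an endpoint this behaviour is only visible through API hooking or ETW tracing, which is why it appears here as a sandbox signature rather than as an event log entry. For analysis VMs the defensive counterpart is the same list read the other way: rename the VBOX__ DSDT key and overwrite the BIOS strings so that these checks come back empty.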