redline

Resubmissions

29-06-2024 20:27

240629-y8r5rayfjl 10

29-06-2024 20:19

240629-y4ad5svfmc 7

Sharing

Copy URL

Twitter E-mail

General

Target

ChromeSetup.exe
Size

8.0MB
Sample

240629-y8r5rayfjl
MD5

4641579bd234f353da345f009bf460ea
SHA1

5a0201eddda21cf7f6156495f99da66b4715cb01
SHA256

bc677d2df4c9acb50253987d5904b573c12e62661923a022194ae09e103e8144
SHA512

1b68e095ae7d578ee31e5d4d8a2978499d3c5164708a1d0cdd2fec9448e0542e4201738755ce82a6b5d890ad5cd79c40faf96502f182232d9aeab02e27d5c2ff
SSDEEP

196608:bWi1ZYP2rPma7ts+ndryl6xmrsUbX1YmbWxAnwvS:b7e2rua7tsedwrsUbX1YcWxAnw

Score

10^/10

Malware Config

Targets

- Target
  
  ChromeSetup.exe
- Size
  
  8.0MB
- MD5
  
  4641579bd234f353da345f009bf460ea
- SHA1
  
  5a0201eddda21cf7f6156495f99da66b4715cb01
- SHA256
  
  bc677d2df4c9acb50253987d5904b573c12e62661923a022194ae09e103e8144
- SHA512
  
  1b68e095ae7d578ee31e5d4d8a2978499d3c5164708a1d0cdd2fec9448e0542e4201738755ce82a6b5d890ad5cd79c40faf96502f182232d9aeab02e27d5c2ff
- SSDEEP
  
  196608:bWi1ZYP2rPma7ts+ndryl6xmrsUbX1YmbWxAnwvS:b7e2rua7tsedwrsUbX1YcWxAnw
Score

10^/10

redline xmrig discovery evasion execution infostealer miner persistence privilege_escalation spyware stealer trojan upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix

Tasks

static1

Score

1^/10

behavioral1

redlinexmrigdiscoveryevasionexecutioninfostealerminerpersistenceprivilege_escalationspywarestealertrojanupx

Score

10^/10

Resubmissions

Sharing

General

Malware Config

Targets

RedLine payload

xmrig

XMRig Miner payload

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Stops running service(s)

Reads user/profile data of web browsers

UPX packed file

Boot or Logon Autostart Execution: Active Setup

Checks whether UAC is enabled

Power Settings

Checks computer location settings

Drops file in System32 directory

Event Triggered Execution: Component Object Model Hijacking

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1