General
Target: files.zip
Size: 26.0MB
Sample: 230401-za3n9sdh6t
MD5: 6a6b53119f5ebcfe8972320273a42a58
SHA1: 751f4a806870c7d09fdc7c31145d9b5acb4d3234
SHA256: 0fccb88dd106638ef91db078bb6534849cc1b12f68bb1a08a70db89d338a10f0
SHA512: 4d14788233ddd645b9d874c0e1b38aa0d94231f6e49a0a2c2238da30ef1b51d2b12475057e2098c02091128cad56ea129ef21ed029be443515ea14e2d13659fd
SSDEEP: 786432:X5X23QgeyHQxdT2cqWdmUlzFvXCif1+uHKQhTTPNredaC:pX23QghE98WdmIFSm/oZ
Behavioral task: behavioral1
Sample: XWorm_V3.1/XWorm V3.1.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: XWorm_V3.1/XWorm V3.1.exe
Resource: win10v2004-20230220-en

Behavioral task: behavioral3
Sample: XWorm_V3.1/crack.exe
Resource: win7-20230220-en
Malware Config

Extracted: asyncrat
Default
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  https://api.telegram.org/bot6133753310:AAHOsvlWQDP23zggObP6jfcNHkvhUg1zl1k/sendMessage?chat_id=5876226574
  AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%

Extracted: redline
DARKWEB
  89.22.234.180:40608
  auth_value: cf407bc0c9a8384bb62aa110b7844cfe
Targets

Target: XWorm_V3.1/XWorm V3.1.exe
Size: 7.2MB
MD5: c0897e921672c2619acc5d9ff1329860
SHA1: 683d5c1b0858cd5089e4a60ba344872531584d35
SHA256: 607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52
SHA512: 696ce43462167d474491fc8dee8cd29ef8d12a1795d6b4e5262332fa58b102a503f5565799f960237b8fa58796391f445856206d70b4b8087f9918399063d4ff
SSDEEP: 196608:FLQ6B/XKUDz9NoUXJzUWi7MYjBVvo5/UVC:ZFlaU/9NZXJZinjB9oxgC

Signatures:
  RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Loads dropped DLL
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: XWorm_V3.1/crack.exe
Size: 175KB
MD5: d2cc190ae73674db35f0dedfb1b76d0b
SHA1: 02cc0edba7f750c8069ded02726adadf8faf5a69
SHA256: e7f0d6d12608ea3a553998fef002ec41d346b29e32634a3279c2e4be10aa9e97
SHA512: 45d085308e73554674dcb480d0c37ce289df28f1b04b2e3f6932c112d3a388443d60f9cfbeed9038b2688b858bf1c019591d55ad5f670d998c9d721083da4db0
SSDEEP: 3072:Be8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTHwA5E+WpCc:d6ewwIwQJ6vKX0c5MlYZ0b2Q

Signatures:
  StormKitty payload
  Async RAT payload
  Drops desktop.ini file(s)
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  Looks up geolocation information via web service
    Uses a legitimate geolocation service to find the infected system's geolocation info.