redline | fd9ba5fdb9c7a11812ef8aed5ef7afda54bed718c57f83e2dc39463348594c2c | Triage

Submit
Reports

Overview

overview

Static

static

3

dridex

windows10-2004-x64

Sharing

General

Target

fd9ba5fdb9c7a11812ef8aed5ef7afda54bed718c57f83e2dc39463348594c2c
Size

1.1MB
Sample

230514-brcx6sac22
MD5

7efcf50d722b6259120d33df12b5cbdd
SHA1

b1af7de0d8cb5748d87524ffea340c0c414c38a6
SHA256

fd9ba5fdb9c7a11812ef8aed5ef7afda54bed718c57f83e2dc39463348594c2c
SHA512

efd31ef9296271c4b5c0ecd954c53ee6b4a31c7b772ffe9fe11b0c65c6b45a70806b92ff8f63e4c346419d0189433013374dddbc01bf984ad91660e6f0b68cb5
SSDEEP

24576:UyHnLS2B41PUm8xwylQWaPxk2s2X3s9JINiO9UawWKx12rfpsttnLZ:jHLSD1PUfwYQXkR2X3Hr/wlXspstt

Score

10^/10

redline vjw0rm wshrat luka terra evasion infostealer persistence trojan worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fd9ba5fdb9c7a11812ef8aed5ef7afda54bed718c57f83e2dc39463348594c2c.exe

Resource

win10v2004-20230220-en

redline vjw0rm wshrat luka terra evasion infostealer persistence trojan worm

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

C2

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Extracted

Family

vjw0rm

C2

http://vj5566.duckdns.org:5566

Targets

- Target
  
  fd9ba5fdb9c7a11812ef8aed5ef7afda54bed718c57f83e2dc39463348594c2c
- Size
  
  1.1MB
- MD5
  
  7efcf50d722b6259120d33df12b5cbdd
- SHA1
  
  b1af7de0d8cb5748d87524ffea340c0c414c38a6
- SHA256
  
  fd9ba5fdb9c7a11812ef8aed5ef7afda54bed718c57f83e2dc39463348594c2c
- SHA512
  
  efd31ef9296271c4b5c0ecd954c53ee6b4a31c7b772ffe9fe11b0c65c6b45a70806b92ff8f63e4c346419d0189433013374dddbc01bf984ad91660e6f0b68cb5
- SSDEEP
  
  24576:UyHnLS2B41PUm8xwylQWaPxk2s2X3s9JINiO9UawWKx12rfpsttnLZ:jHLSD1PUfwYQXkR2X3Hr/wlXspstt
Score

10^/10

redline vjw0rm wshrat luka terra evasion infostealer persistence trojan worm
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlinevjw0rmwshratlukaterraevasioninfostealerpersistencetrojanworm

© 2018-2024

Terms | Privacy