redline | 82548329bb9a46a2dda0a85d5fbaf605d8712e609a14c459d185511ac1ad3791 | Triage

Submit
Reports

Overview

overview

Static

static

3

dridex

windows10-2004-x64

Sharing

General

Target

82548329bb9a46a2dda0a85d5fbaf605d8712e609a14c459d185511ac1ad3791
Size

1.1MB
Sample

230514-bs6xmsce8s
MD5

a21264085fd8e40c0a55171a6b1f1360
SHA1

9e4ecbd8c5af834d55d9c230d0c702f3299cf80b
SHA256

82548329bb9a46a2dda0a85d5fbaf605d8712e609a14c459d185511ac1ad3791
SHA512

6e9b18cf79b3ede2334d38834c37eabc41af3d78d634f4f95a82e14484edc244fc16c5249ad58c1db3d64148bea6ab99fbf544dd58649ab1224abb40b82acb6c
SSDEEP

24576:VyUGTkEmBQFreBOc7H5Pr5pEVC+En4FZFSEPO:wH/cQreBxlPNutQApP

Score

10^/10

redline vjw0rm wshrat luka terra evasion infostealer persistence trojan worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

82548329bb9a46a2dda0a85d5fbaf605d8712e609a14c459d185511ac1ad3791.exe

Resource

win10v2004-20230220-en

redline vjw0rm wshrat luka terra evasion infostealer persistence trojan worm

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

C2

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Extracted

Family

vjw0rm

C2

http://vj5566.duckdns.org:5566

Targets

- Target
  
  82548329bb9a46a2dda0a85d5fbaf605d8712e609a14c459d185511ac1ad3791
- Size
  
  1.1MB
- MD5
  
  a21264085fd8e40c0a55171a6b1f1360
- SHA1
  
  9e4ecbd8c5af834d55d9c230d0c702f3299cf80b
- SHA256
  
  82548329bb9a46a2dda0a85d5fbaf605d8712e609a14c459d185511ac1ad3791
- SHA512
  
  6e9b18cf79b3ede2334d38834c37eabc41af3d78d634f4f95a82e14484edc244fc16c5249ad58c1db3d64148bea6ab99fbf544dd58649ab1224abb40b82acb6c
- SSDEEP
  
  24576:VyUGTkEmBQFreBOc7H5Pr5pEVC+En4FZFSEPO:wH/cQreBxlPNutQApP
Score

10^/10

redline vjw0rm wshrat luka terra evasion infostealer persistence trojan worm
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlinevjw0rmwshratlukaterraevasioninfostealerpersistencetrojanworm

© 2018-2024

Terms | Privacy