General
- Target: 1ec428773f74cd93c4f5e407e49d2c441cdd16d72aa7735ea68e1a38de354bb7
- Size: 153KB
- Sample: 240423-ptr2rsgd53
- MD5: c1367e0a51d368198b014287172f8dca
- SHA1: 0d2a002989b3c4494e45af19a0f15e934c5c8376
- SHA256: 1ec428773f74cd93c4f5e407e49d2c441cdd16d72aa7735ea68e1a38de354bb7
- SHA512: 2216b48678146e495737cd4c318ea644774cc3de019255adcba141fa0a907f12f4d907555585e4fae10a3f6961a222fb55244374e0405a800a9d550fa6fef255
- SSDEEP: 3072:uQkaGjCqg4HDixINlV84LnTDc+ZW73wypt3PbxujHoUllhOdykWZrZdI+:p8vWQBLnTAYW7/uMUl/sWz+
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1ec428773f74cd93c4f5e407e49d2c441cdd16d72aa7735ea68e1a38de354bb7.exe
- Resource: win10v2004-20240412-en
Malware Config

Extracted: xworm
- Version: 5.0
- C2: 127.0.0.1:7000
- C2: 91.92.252.220:7000
- (unlabelled value in the report): ROaH4xeOywr7qoLs
- Install_directory: %AppData%
- install_file: explorer.exe
- telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted: redline
- IDS: 91.92.252.220:9078
Targets
- Target: 1ec428773f74cd93c4f5e407e49d2c441cdd16d72aa7735ea68e1a38de354bb7 (size and hashes as listed under General)
Signatures
- Detect Xworm Payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.