General
- Target: fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe
- Size: 202KB
- Sample: 240425-cnm5eadf8s
- MD5: c8eb81dbb47b76334f0ed0a0885cd9a0
- SHA1: 01cfab774e33012674789ad2606266c19f3f416c
- SHA256: fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43
- SHA512: e1db5211a16b666dbc134de6fcfc3ccdf5949d455ddb09013a4774e81e6b968c5dd5bac43c1abbd0284e54d59f5d6a21e1d1e394d20f804a192d0c2975f28edc
- SSDEEP: 6144:SVVFgarTMrJGALiKN+iLSYKEahJns5dm:SVPXMrCKN+gSTEahRsrm
Static task: static1
Behavioral task: behavioral1
- Sample: fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe
- Resource: win10v2004-20240412-en
Malware Config
Extracted: xworm, version 3.1
- 91.92.252.220:4442
- wR68bAqsujrl6VoA
- Install_directory: %AppData%
- install_file: explorer.exe
- telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted: xworm, version 5.0
- 127.0.0.1:7000
- 91.92.252.220:7000
- MeDwR8PJidtfrQQa
- Install_directory: %AppData%
- install_file: explorer.exe
- telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted: redline
- cheat
- 91.92.252.220:1337
Targets
- Target: fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe
Signatures
- Detect Xworm Payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables using Telegram Chat Bot
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.