General
-
Target
mstc.exe
-
Size
50KB
-
Sample
240427-n8w4laag2v
-
MD5
17eefbaaa30123fa3091add80026aed4
-
SHA1
8e43d736ea03bd33de5434bda5e20aae121cd218
-
SHA256
b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
-
SHA512
e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09
-
SSDEEP
768:C/ul3bG/lNZeBFjzdG514y9iIn0N+LJwdFNt9cHydAQ6vOAh3HVXj+T3m:aulrukLdQ142uNBFf9iG6vOAhVST3m
Behavioral task
behavioral1
Sample
mstc.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
mstc.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
xworm
5.0
127.0.0.1:7000
91.92.252.220:7000
41.199.23.195:7000
saveclinetsforme68465454711991.publicvm.com:7000
bBT8anvIxhxDFmkf
-
Install_directory
%AppData%
-
install_file
explorer.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
saveclinetsforme68465454711991.publicvm.com:6606
saveclinetsforme68465454711991.publicvm.com:7707
saveclinetsforme68465454711991.publicvm.com:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
mstc.exe
-
install_folder
%AppData%
Extracted
redline
cheat
saveclinetsforme68465454711991.publicvm.com:1111
Targets
-
-
Target
mstc.exe
-
Size
50KB
-
MD5
17eefbaaa30123fa3091add80026aed4
-
SHA1
8e43d736ea03bd33de5434bda5e20aae121cd218
-
SHA256
b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
-
SHA512
e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09
-
SSDEEP
768:C/ul3bG/lNZeBFjzdG514y9iIn0N+LJwdFNt9cHydAQ6vOAh3HVXj+T3m:aulrukLdQ142uNBFf9iG6vOAhVST3m
-
Detect Xworm Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Async RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-