General
-
Target
287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298
-
Size
199KB
-
Sample
240516-2sp71acf64
-
MD5
73309cc961f9645c1c2562ffcdc2dab1
-
SHA1
6a8545c08c931e016198c80b304ade1c1e8f7a17
-
SHA256
287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298
-
SHA512
89858a407acbc7c13a4bd40031abd6803c311d381a37702631b1739d9f0e67c6afae50e6d1188b54a7d0e1ddfbcb6857b68f8f44cad3b10b1b31b53f1b676914
-
SSDEEP
3072:Pp/WjbfQnyH5oGpIlkOpXFcdXrOjVbcL/6Z3zPK2Cu:KbYymGpIlHuKoLC9/
Behavioral task
behavioral1
Sample
287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298.exe
Resource
win7-20240221-en
Malware Config
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
-
Install_directory
%ProgramData%
-
install_file
taskmgr.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
redline
Vic
beshomandotestbesnd.run.place:1111
Targets
-
-
Target
287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298
-
Size
199KB
-
MD5
73309cc961f9645c1c2562ffcdc2dab1
-
SHA1
6a8545c08c931e016198c80b304ade1c1e8f7a17
-
SHA256
287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298
-
SHA512
89858a407acbc7c13a4bd40031abd6803c311d381a37702631b1739d9f0e67c6afae50e6d1188b54a7d0e1ddfbcb6857b68f8f44cad3b10b1b31b53f1b676914
-
SSDEEP
3072:Pp/WjbfQnyH5oGpIlkOpXFcdXrOjVbcL/6Z3zPK2Cu:KbYymGpIlHuKoLC9/
-
Detect Xworm Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1