redline

General

Target

1d3535cc01b2cc54b808a55e945707a0.bin
Size

530KB
Sample

240518-bdevlscd5s
MD5

327489de949d42b7c77b4b0a3c9cd394
SHA1

287bb67d4e945e25cb9dee065a4aa19cd3f9cb4c
SHA256

9b6db82d4b33285545976a603b1dfdf280e85287f3d4a03b425e75bd985a9705
SHA512

f00afa770e27778930e19cedf31b1ca262eb8d086e7b824e387a244f316ca6c44adc6418391423bca22468c6a1e1007db6b9bea2aa27e8be1231a0dea11149e9
SSDEEP

12288:xr7CZ2eTYrwS/APpQYh8YkIhtTlYhhch9QoXRmKmFQ/+XQmkxhES2Km:xrWAjrwaRzIKuQeRmKmcslk0Ft

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
taskmgr.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

Vic

C2

beshomandotestbesnd.run.place:1111

Targets

- Target
  
  f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
- Size
  
  596KB
- MD5
  
  1d3535cc01b2cc54b808a55e945707a0
- SHA1
  
  a9a563b8ee37f17c847248bb207b28086d9f4628
- SHA256
  
  f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19
- SHA512
  
  4c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc
- SSDEEP
  
  12288:15/Sm4/r42toIX4IaZo2BOtdMKX8MbICwAvV6LwfAnxMlpxxWmBNIg9SWvAK:70/rX8IJ2BwNQcfAnxgDzBx
Score

10^/10

redline sectoprat xworm vic discovery execution infostealer persistence rat spyware stealer trojan
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2