General

  • Target

    148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

  • Size

    515KB

  • Sample

    240526-t8dj5sdg53

  • MD5

    148b2c38cf0726535d760a703f803c80

  • SHA1

    107503ca149f547d4745fe9b9a3fbae03d60126c

  • SHA256

    30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

  • SHA512

    6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

  • SSDEEP

    12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    cmd.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

DOCX

C2

beshomandotestbesnd.run.place:1111

Targets

    • Target

      148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

    • Size

      515KB

    • MD5

      148b2c38cf0726535d760a703f803c80

    • SHA1

      107503ca149f547d4745fe9b9a3fbae03d60126c

    • SHA256

      30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

    • SHA512

      6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

    • SSDEEP

      12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks