redline | 80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab

Analysis

max time kernel
139s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EBC4B354D6EC654829F9DE447D0C7B04.exe
Size

839KB
MD5

ebc4b354d6ec654829f9de447d0c7b04
SHA1

9e5d3ccae0d22bd27f8ae39b2f35b274dabd7fd1
SHA256

80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab
SHA512

1cb3487cf2f1864d22d3148b30ecf70794567af3a84c9ba5f2d16b5dac38017347c4efb92e4978ebfe57588c5883a2ebe4af33e83eaafad99de202548fd0048e
SSDEEP

24576:3CIQgVHOEqG7111cZRHVzutBSRhmG5ep:yAH1KL1zwBSRhmAI

Score

10^/10

redline sectoprat stormkitty xworm x3.0 foundry execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

79.110.49.209:7000

Mutex

biVc5L0dNUTxuebk

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

X3.0 Foundry

79.110.49.209:37552

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/1580-130-0x000000001C910000-0x000000001C91E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023277-24.dat	family_xworm
behavioral2/memory/1580-33-0x0000000000100000-0x0000000000110000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023279-32.dat	family_redline
behavioral2/memory/4048-49-0x0000000000890000-0x00000000008AE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023279-32.dat	family_sectoprat
behavioral2/memory/4048-49-0x0000000000890000-0x00000000008AE000-memory.dmp	family_sectoprat

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1580-129-0x000000001D9A0000-0x000000001DAC0000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4192	powershell.exe
3872	powershell.exe
4600	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	X3 Foundry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	EBC4B354D6EC654829F9DE447D0C7B04.exe

Executes dropped EXE 3 IoCs

pid	Process
832	X3 Libraries.exe
1580	X3 Foundry.exe
4048	X3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{54C47BEE-5E37-46C9-8CEC-4B888B06EFCD}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{CBF3AAF8-CAA1-412B-A017-4C7CF4D1A17F}	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1580	X3 Foundry.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4192	powershell.exe
4192	powershell.exe
4192	powershell.exe
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe
4600	powershell.exe
4600	powershell.exe
4600	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	X3 Foundry.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4048	X3.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4532	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4192	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	91
PID 3484 wrote to memory of 4192	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	91
PID 3484 wrote to memory of 4192	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	91
PID 3484 wrote to memory of 832	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	93
PID 3484 wrote to memory of 832	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	93
PID 3484 wrote to memory of 832	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	93
PID 3484 wrote to memory of 1580	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	94
PID 3484 wrote to memory of 1580	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	94
PID 3484 wrote to memory of 4048	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	95
PID 3484 wrote to memory of 4048	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	95
PID 3484 wrote to memory of 4048	3484	EBC4B354D6EC654829F9DE447D0C7B04.exe	95
PID 1580 wrote to memory of 3872	1580	X3 Foundry.exe	100
PID 1580 wrote to memory of 3872	1580	X3 Foundry.exe	100
PID 1580 wrote to memory of 4600	1580	X3 Foundry.exe	102
PID 1580 wrote to memory of 4600	1580	X3 Foundry.exe	102

C:\Users\Admin\AppData\Local\Temp\EBC4B354D6EC654829F9DE447D0C7B04.exe
"C:\Users\Admin\AppData\Local\Temp\EBC4B354D6EC654829F9DE447D0C7B04.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYgB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAcwBsACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Users\Admin\AppData\Roaming\X3 Libraries.exe
  "C:\Users\Admin\AppData\Roaming\X3 Libraries.exe"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Users\Admin\AppData\Roaming\X3 Foundry.exe
  "C:\Users\Admin\AppData\Roaming\X3 Foundry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X3 Foundry.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X3 Foundry.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- C:\Users\Admin\AppData\Roaming\X3.exe
  "C:\Users\Admin\AppData\Roaming\X3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3872 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eztfqnv2.w4g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\X3 Foundry.exe

Filesize
37KB

MD5
481dfe8fc19890a677c7824c60f721e8

SHA1
5db87becad1d847643fc853206feb3b33236dcd1

SHA256
3fb3f5a0edfedb7b6d05fe45f499df151d0b4b474c86f886ddc497106b6aefe5

SHA512
edf8d07242f349bc96d9b583641556019c6b11478794a6243786b814fed99d3778df74ede6d5e745038880a64abfc1a5537cb9fc03f42e835319487aa4f11e74

Download Submit
C:\Users\Admin\AppData\Roaming\X3 Libraries.exe

Filesize
701KB

MD5
17a4fe963bfec0ddadd74c1f39e8fd8f

SHA1
a857e89e506074bfedc937dc62fb1aa9e63e3281

SHA256
364492be3bc6462856177bb67acfc98ab80b751e22fd07d441fbcdc89754534e

SHA512
5aba4065f5c44163b4b9f479135d2e4c358bdc8ec273ac7acab0b40743633d0711d19999c019ddf991d428bb337b7840c29bc5ed093439758456d0272b9b7c9d

Download Submit
C:\Users\Admin\AppData\Roaming\X3.exe

Filesize
95KB

MD5
7875166307500da488a1618d9790e14c

SHA1
94219d3929064c36a1a60dd0a0b82c67f1038f4a

SHA256
1a328c71452450974247cf6126bbde1b1ab459bb1c6f56cc6f4c5626b8c9d386

SHA512
2ffacea5b936fe99d17c46c3a24450a1b95d0cb84c355a7deec6080b8f4fb6ec442280ea953621a20bac379d0b7f11e9ff18a489a0eee0cb1bb3366ea3ba9d4f

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/832-50-0x00000000000C0000-0x0000000000176000-memory.dmp

Filesize
728KB

Download
memory/832-66-0x0000000004B90000-0x0000000004B9A000-memory.dmp

Filesize
40KB

Download
memory/832-55-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/832-52-0x00000000050C0000-0x0000000005664000-memory.dmp

Filesize
5.6MB

Download
memory/1580-31-0x00007FFCA3103000-0x00007FFCA3105000-memory.dmp

Filesize
8KB

Download
memory/1580-129-0x000000001D9A0000-0x000000001DAC0000-memory.dmp

Filesize
1.1MB

Download
memory/1580-33-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1580-128-0x000000001BF10000-0x000000001BF1E000-memory.dmp

Filesize
56KB

Download
memory/1580-127-0x000000001CEA0000-0x000000001D1F0000-memory.dmp

Filesize
3.3MB

Download
memory/1580-130-0x000000001C910000-0x000000001C91E000-memory.dmp

Filesize
56KB

Download
memory/3872-75-0x0000022BB7E10000-0x0000022BB7E32000-memory.dmp

Filesize
136KB

Download
memory/4048-56-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download
memory/4048-67-0x00000000052F0000-0x000000000533C000-memory.dmp

Filesize
304KB

Download
memory/4048-116-0x0000000007080000-0x00000000075AC000-memory.dmp

Filesize
5.2MB

Download
memory/4048-115-0x0000000006980000-0x0000000006B42000-memory.dmp

Filesize
1.8MB

Download
memory/4048-74-0x0000000005560000-0x000000000566A000-memory.dmp

Filesize
1.0MB

Download
memory/4048-49-0x0000000000890000-0x00000000008AE000-memory.dmp

Filesize
120KB

Download
memory/4048-57-0x00000000052B0000-0x00000000052EC000-memory.dmp

Filesize
240KB

Download
memory/4048-53-0x0000000005A10000-0x0000000006028000-memory.dmp

Filesize
6.1MB

Download
memory/4192-73-0x00000000066C0000-0x00000000066DE000-memory.dmp

Filesize
120KB

Download
memory/4192-100-0x0000000070F50000-0x0000000070F9C000-memory.dmp

Filesize
304KB

Download
memory/4192-110-0x0000000006C70000-0x0000000006C8E000-memory.dmp

Filesize
120KB

Download
memory/4192-111-0x00000000078D0000-0x0000000007973000-memory.dmp

Filesize
652KB

Download
memory/4192-112-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/4192-113-0x0000000007A00000-0x0000000007A1A000-memory.dmp

Filesize
104KB

Download
memory/4192-114-0x0000000007A60000-0x0000000007A6A000-memory.dmp

Filesize
40KB

Download
memory/4192-99-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

Filesize
200KB

Download
memory/4192-72-0x0000000006280000-0x00000000065D4000-memory.dmp

Filesize
3.3MB

Download
memory/4192-118-0x0000000007CC0000-0x0000000007D56000-memory.dmp

Filesize
600KB

Download
memory/4192-119-0x0000000007A70000-0x0000000007A81000-memory.dmp

Filesize
68KB

Download
memory/4192-120-0x0000000007C30000-0x0000000007C3E000-memory.dmp

Filesize
56KB

Download
memory/4192-121-0x0000000007C40000-0x0000000007C54000-memory.dmp

Filesize
80KB

Download
memory/4192-122-0x0000000007C80000-0x0000000007C9A000-memory.dmp

Filesize
104KB

Download
memory/4192-123-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/4192-59-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/4192-60-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/4192-58-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/4192-54-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/4192-51-0x00000000030A0000-0x00000000030D6000-memory.dmp

Filesize
216KB

Download