General

  • Target

    4ce2c0836c46c61b588972b56a23d5e2.bin

  • Size

    187KB

  • Sample

    240718-b7gw3asgmd

  • MD5

    7e2b48d624df35520c8eab9b0d64d544

  • SHA1

    3c1d4c68a1806df79fc4d211037d0e4f68942489

  • SHA256

    ce26a1216f635a70eeecd02ce29d35c1e88db84cb91a27e60d28e96f7c6446ca

  • SHA512

    7c28a2c90cfcb8ea4202cd7526466b9c133d8221a651be467fa72cc79d276329309b0716d051f5842cf19e6e7fd7a879f2dffdc3fed70c01d62a66a193f4e6d7

  • SSDEEP

    3072:zivZpA2CjW9PRAeAbAOSN8GcNZivjLwCGD583V9aSEv62IVM2k71zo1K/v2ZMeUK:ziR62+WVfmAOSBOivj0CGuF9aM2IDkQx

Malware Config

Extracted

  • Family

    redline

  • Botnet

    winsc

  • C2

    pst-child.gl.at.ply.gg:9336

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    45.88.186.18:7000

  • Mutex

    BjImkAWMcrtpfpkF

Attributes

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703

aes.plain

Targets

    • Target

      05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3.exe

    • Size

      282KB

    • MD5

      4ce2c0836c46c61b588972b56a23d5e2

    • SHA1

      939a9f983870df1913acce63ca408bba9789588f

    • SHA256

      05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3

    • SHA512

      7b32f30b61ca8dcd9ae897d4d9e0480d8e0e2e5ae43f5f56f393d6a0dce7fa79e501c3d3609fcd288624c817401aa7f53c5f2fcdd7dda78d32c5034519d7256e

    • SSDEEP

      6144:+sxanyfX5k7JlJDlABKUtfU/WQcb5sDqaxw3fWHdJytaaDlNiJ:f0nyfXuIBDtfu3qaxzHdJytlM

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks