General

  • Target

    0f674147118b728504faa4e9ee9be1f2.exe

  • Size

    995KB

  • Sample

    240803-erx5wssgrq

  • MD5

    0f674147118b728504faa4e9ee9be1f2

  • SHA1

    d1decfde4071500708161329f9e0c29e85fea315

  • SHA256

    f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53

  • SHA512

    584f4b6caf6e12c692fb8a450c98931910a50f89f424adb10f349db3b7b8f8b485dbe8c7f0731f5d8a2e330973385b6d9692822abc398817db8a2c21aef33250

  • SSDEEP

    24576:Cf+6UNxk0J9qt3BGVF+gyToYisepcgq9VB0dEV:CG6U80JAt3BGVF2ksepcnjB0d2

Malware Config

Extracted

Family

xworm

Version

5.0

C2

henzz.ddns.net:7000

Mutex

vtEVqifwQsIiyHfJ

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

redline

Botnet

Henz

C2

54.37.93.250:45867

Targets

    • Target

      0f674147118b728504faa4e9ee9be1f2.exe

    • Size

      995KB

    • MD5

      0f674147118b728504faa4e9ee9be1f2

    • SHA1

      d1decfde4071500708161329f9e0c29e85fea315

    • SHA256

      f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53

    • SHA512

      584f4b6caf6e12c692fb8a450c98931910a50f89f424adb10f349db3b7b8f8b485dbe8c7f0731f5d8a2e330973385b6d9692822abc398817db8a2c21aef33250

    • SSDEEP

      24576:Cf+6UNxk0J9qt3BGVF+gyToYisepcgq9VB0dEV:CG6U80JAt3BGVF2ksepcnjB0d2

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks