redline | f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53

Analysis

max time kernel
122s
max time network
142s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f674147118b728504faa4e9ee9be1f2.exe
Size

995KB
MD5

0f674147118b728504faa4e9ee9be1f2
SHA1

d1decfde4071500708161329f9e0c29e85fea315
SHA256

f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53
SHA512

584f4b6caf6e12c692fb8a450c98931910a50f89f424adb10f349db3b7b8f8b485dbe8c7f0731f5d8a2e330973385b6d9692822abc398817db8a2c21aef33250
SSDEEP

24576:Cf+6UNxk0J9qt3BGVF+gyToYisepcgq9VB0dEV:CG6U80JAt3BGVF2ksepcnjB0d2

Score

10^/10

redline sectoprat stormkitty xworm henz credential_access discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

henzz.ddns.net:7000

Mutex

vtEVqifwQsIiyHfJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

Henz

54.37.93.250:45867

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2720-20-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2720-17-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2720-15-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2720-24-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2720-21-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2140-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2140-68-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2140-66-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2140-74-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2140-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2140-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2140-68-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2140-66-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2140-74-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2140-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2720-37-0x0000000006A70000-0x0000000006B90000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3044	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2936	cxtdzj.exe

Loads dropped DLL 1 IoCs

pid	Process
2720	0f674147118b728504faa4e9ee9be1f2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2936 set thread context of 2140	2936	cxtdzj.exe	37

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f674147118b728504faa4e9ee9be1f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxtdzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f674147118b728504faa4e9ee9be1f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3044	powershell.exe
2720	0f674147118b728504faa4e9ee9be1f2.exe
2140	RegSvcs.exe
2140	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2720	0f674147118b728504faa4e9ee9be1f2.exe
Token: SeDebugPrivilege	2140	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	0f674147118b728504faa4e9ee9be1f2.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3044	2112	0f674147118b728504faa4e9ee9be1f2.exe	30
PID 2112 wrote to memory of 3044	2112	0f674147118b728504faa4e9ee9be1f2.exe	30
PID 2112 wrote to memory of 3044	2112	0f674147118b728504faa4e9ee9be1f2.exe	30
PID 2112 wrote to memory of 3044	2112	0f674147118b728504faa4e9ee9be1f2.exe	30
PID 2112 wrote to memory of 2548	2112	0f674147118b728504faa4e9ee9be1f2.exe	31
PID 2112 wrote to memory of 2548	2112	0f674147118b728504faa4e9ee9be1f2.exe	31
PID 2112 wrote to memory of 2548	2112	0f674147118b728504faa4e9ee9be1f2.exe	31
PID 2112 wrote to memory of 2548	2112	0f674147118b728504faa4e9ee9be1f2.exe	31
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2112 wrote to memory of 2720	2112	0f674147118b728504faa4e9ee9be1f2.exe	34
PID 2720 wrote to memory of 2936	2720	0f674147118b728504faa4e9ee9be1f2.exe	36
PID 2720 wrote to memory of 2936	2720	0f674147118b728504faa4e9ee9be1f2.exe	36
PID 2720 wrote to memory of 2936	2720	0f674147118b728504faa4e9ee9be1f2.exe	36
PID 2720 wrote to memory of 2936	2720	0f674147118b728504faa4e9ee9be1f2.exe	36
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37
PID 2936 wrote to memory of 2140	2936	cxtdzj.exe	37

C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe
"C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\swZCJnIb.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swZCJnIb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D2D.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe
  "C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\cxtdzj.exe
    "C:\Users\Admin\AppData\Local\Temp\cxtdzj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cxtdzj.exe

Filesize
522KB

MD5
48848dc652fd9227f5383c9abfc5bae1

SHA1
c0e7bc68784a9bafe9f0c43d7a3b1f52f724e22e

SHA256
97c6fe300a253318d1d0a83a4199786c478ddcafaf6eec44804b8fb6f06902bd

SHA512
aba97da36bc65355c9aed66755ebdfec5b274ce490d117ad3cd74173b041264dffac7d80ec411affd424ecb52a7842edb721748edbcae70d1ba65d2c3b49460a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D2D.tmp

Filesize
1KB

MD5
1fab641ad1fed4d4a32b05b04025d2aa

SHA1
5fcaaa8e7c7a94b327fac18ffeaad4a284b7fb30

SHA256
230d2b9dca568ea8f511a89eef158d364ae6b1d8d74ede246a25b9b8ebd8bfdf

SHA512
af59dff56aad6defc4e1f67917951256ca2e03afbecf18aefc312c609a6a3d2d882a72eab718c83e8e29741392b1bf72fba3f5a13d51e6f50a46f21adbf9f8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBE6.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBFA.tmp

Filesize
92KB

MD5
cf00cf5b059b43e29cbde1a36c6209f3

SHA1
9df2f8ef60997e3934fef0d88f9770fb9d19769f

SHA256
9f861e6046979ac19a569747cd17b7e77a8e1301c870691595a68d9a8244a30a

SHA512
16e433a67de26cbf052f2639df05c5d3d2c5ef5d4ef065b45af913174e08415bd6672f6637e8727e88b2e68c74c2ffeabc6673e1506e8ad397edb198e0276399

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC27.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/2112-5-0x0000000000500000-0x0000000000552000-memory.dmp

Filesize
328KB

Download
memory/2112-23-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-4-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2112-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/2112-3-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2112-2-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-1-0x0000000000990000-0x0000000000A8E000-memory.dmp

Filesize
1016KB

Download
memory/2140-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2140-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2140-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2140-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2140-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2140-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2140-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2140-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2720-37-0x0000000006A70000-0x0000000006B90000-memory.dmp

Filesize
1.1MB

Download
memory/2720-28-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2720-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2720-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2720-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2720-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2720-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2720-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2936-61-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2936-36-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/2936-35-0x0000000000D30000-0x0000000000DB8000-memory.dmp

Filesize
544KB

Download