redline | f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53

Analysis

max time kernel
122s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f674147118b728504faa4e9ee9be1f2.exe
Size

995KB
MD5

0f674147118b728504faa4e9ee9be1f2
SHA1

d1decfde4071500708161329f9e0c29e85fea315
SHA256

f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53
SHA512

584f4b6caf6e12c692fb8a450c98931910a50f89f424adb10f349db3b7b8f8b485dbe8c7f0731f5d8a2e330973385b6d9692822abc398817db8a2c21aef33250
SSDEEP

24576:Cf+6UNxk0J9qt3BGVF+gyToYisepcgq9VB0dEV:CG6U80JAt3BGVF2ksepcnjB0d2

Score

10^/10

redline sectoprat stormkitty xworm henz credential_access discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

henzz.ddns.net:7000

Mutex

vtEVqifwQsIiyHfJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

Henz

54.37.93.250:45867

Signatures

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2580-22-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2580-21-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2580-20-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2580-17-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral1/memory/2580-15-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2232-70-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2232-67-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2232-65-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2232-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2232-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2232-70-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2232-67-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2232-65-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2232-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2232-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2580-35-0x0000000006720000-0x0000000006840000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2576 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

bhjlkv.exe

pid process

2616 bhjlkv.exe
Loads dropped DLL 1 IoCs

Processes:

0f674147118b728504faa4e9ee9be1f2.exe

pid process

2580 0f674147118b728504faa4e9ee9be1f2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2576	powershell.exe

pid	process
2616	bhjlkv.exe

pid	process
2580	0f674147118b728504faa4e9ee9be1f2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0f674147118b728504faa4e9ee9be1f2.exebhjlkv.exe

description	pid	process	target process
PID 2652 set thread context of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2616 set thread context of 2232	2616	bhjlkv.exe	RegSvcs.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0f674147118b728504faa4e9ee9be1f2.exeschtasks.exepowershell.exe0f674147118b728504faa4e9ee9be1f2.exebhjlkv.exeRegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f674147118b728504faa4e9ee9be1f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f674147118b728504faa4e9ee9be1f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bhjlkv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2728 schtasks.exe

pid	process
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

0f674147118b728504faa4e9ee9be1f2.exepowershell.exe0f674147118b728504faa4e9ee9be1f2.exeRegSvcs.exe

pid	process
2652	0f674147118b728504faa4e9ee9be1f2.exe
2652	0f674147118b728504faa4e9ee9be1f2.exe
2576	powershell.exe
2580	0f674147118b728504faa4e9ee9be1f2.exe
2232	RegSvcs.exe
2232	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0f674147118b728504faa4e9ee9be1f2.exepowershell.exe0f674147118b728504faa4e9ee9be1f2.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2652	0f674147118b728504faa4e9ee9be1f2.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2580	0f674147118b728504faa4e9ee9be1f2.exe
Token: SeDebugPrivilege	2232	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0f674147118b728504faa4e9ee9be1f2.exe

pid process

2580 0f674147118b728504faa4e9ee9be1f2.exe

pid	process
2580	0f674147118b728504faa4e9ee9be1f2.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

0f674147118b728504faa4e9ee9be1f2.exe0f674147118b728504faa4e9ee9be1f2.exebhjlkv.exe

description	pid	process	target process
PID 2652 wrote to memory of 2576	2652	0f674147118b728504faa4e9ee9be1f2.exe	powershell.exe
PID 2652 wrote to memory of 2576	2652	0f674147118b728504faa4e9ee9be1f2.exe	powershell.exe
PID 2652 wrote to memory of 2576	2652	0f674147118b728504faa4e9ee9be1f2.exe	powershell.exe
PID 2652 wrote to memory of 2576	2652	0f674147118b728504faa4e9ee9be1f2.exe	powershell.exe
PID 2652 wrote to memory of 2728	2652	0f674147118b728504faa4e9ee9be1f2.exe	schtasks.exe
PID 2652 wrote to memory of 2728	2652	0f674147118b728504faa4e9ee9be1f2.exe	schtasks.exe
PID 2652 wrote to memory of 2728	2652	0f674147118b728504faa4e9ee9be1f2.exe	schtasks.exe
PID 2652 wrote to memory of 2728	2652	0f674147118b728504faa4e9ee9be1f2.exe	schtasks.exe
PID 2652 wrote to memory of 2564	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2564	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2564	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2564	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2652 wrote to memory of 2580	2652	0f674147118b728504faa4e9ee9be1f2.exe	0f674147118b728504faa4e9ee9be1f2.exe
PID 2580 wrote to memory of 2616	2580	0f674147118b728504faa4e9ee9be1f2.exe	bhjlkv.exe
PID 2580 wrote to memory of 2616	2580	0f674147118b728504faa4e9ee9be1f2.exe	bhjlkv.exe
PID 2580 wrote to memory of 2616	2580	0f674147118b728504faa4e9ee9be1f2.exe	bhjlkv.exe
PID 2580 wrote to memory of 2616	2580	0f674147118b728504faa4e9ee9be1f2.exe	bhjlkv.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe
PID 2616 wrote to memory of 2232	2616	bhjlkv.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe
"C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\swZCJnIb.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swZCJnIb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe
"C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"
2⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe
"C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\Temp\bhjlkv.exe
"C:\Users\Admin\AppData\Local\Temp\bhjlkv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp
Filesize
1KB

MD5
a8a99b6ad8e21834187f156363286159

SHA1
5cee1b060a82bdb58984e654d41d292508fc6439

SHA256
f895b797a4bcf4e5d8c2fce4ba4ed82db207042937cb7e672f14971a2f717475

SHA512
b017c6100926bb454e385624125bfbb0267b8c974127fbbd34b462feefb42a480ff280647416c2ab5de89f99a9a7eff69df2fdea15a0dfbc77e25c61c5ffa94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9B.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC0.tmp
Filesize
92KB

MD5
c61f0bee83c8a956f2cf4ceba90bebc9

SHA1
f4f61f0e65b7669be468cacaf8e00b2f30cb46cc

SHA256
601c578f842ad1a4c743f3bf049d691225697819abe9b75bfe156264412e28dc

SHA512
e6949a72e8bc26fd2910339ae75f22a36a0ad0bf9579bb2a0ada2ee2b8fb3a1b3891756eec774d4a64263e937c6ae768249e64874c559bb2f1b69d2d38bfceaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFB.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
\Users\Admin\AppData\Local\Temp\bhjlkv.exe
Filesize
522KB

MD5
48848dc652fd9227f5383c9abfc5bae1

SHA1
c0e7bc68784a9bafe9f0c43d7a3b1f52f724e22e

SHA256
97c6fe300a253318d1d0a83a4199786c478ddcafaf6eec44804b8fb6f06902bd

SHA512
aba97da36bc65355c9aed66755ebdfec5b274ce490d117ad3cd74173b041264dffac7d80ec411affd424ecb52a7842edb721748edbcae70d1ba65d2c3b49460a

Download Submit
memory/2232-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2232-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2580-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-35-0x0000000006720000-0x0000000006840000-memory.dmp

Filesize
1.1MB

Download
memory/2580-36-0x0000000004AB0000-0x0000000004ABE000-memory.dmp

Filesize
56KB

Download
memory/2580-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2616-34-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/2616-60-0x0000000001040000-0x00000000010A0000-memory.dmp

Filesize
384KB

Download
memory/2616-33-0x00000000010F0000-0x0000000001178000-memory.dmp

Filesize
544KB

Download
memory/2652-3-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2652-5-0x0000000000E10000-0x0000000000E62000-memory.dmp

Filesize
328KB

Download
memory/2652-4-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2652-24-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-0-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/2652-1-0x0000000000E70000-0x0000000000F6E000-memory.dmp

Filesize
1016KB

Download
memory/2652-2-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download