General

  • Target

    083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292.exe

  • Size

    210KB

  • Sample

    240806-beqy9sthqq

  • MD5

    d412df3af3c10af259fd4cc58e68f00b

  • SHA1

    2de05f08b05fb0abb4b24616db00d0ce1dec420e

  • SHA256

    083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292

  • SHA512

    9bcf5dca3811bed78e59bca04ca934965a93b00c53769de477f33d465279ec10d6355a66e841cecf439d783721784378fd570c0a7ce6af00c3c16aa58a29d808

  • SSDEEP

    3072:01hoF2jJ6wiPa1XzwIxJLp7tUE1NgBS5Bs//dm63NzzEfWw:01hnJ6D1IxPtUyNrsHdmqEf

Malware Config

Extracted

Family

redline

Botnet

Metin

C2

duclog23.duckdns.org:37552

Extracted

Family

xworm

C2

duclog23.duckdns.org:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    Chrome.exe

Targets

    • Target

      083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292.exe

    • Size

      210KB

    • MD5

      d412df3af3c10af259fd4cc58e68f00b

    • SHA1

      2de05f08b05fb0abb4b24616db00d0ce1dec420e

    • SHA256

      083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292

    • SHA512

      9bcf5dca3811bed78e59bca04ca934965a93b00c53769de477f33d465279ec10d6355a66e841cecf439d783721784378fd570c0a7ce6af00c3c16aa58a29d808

    • SSDEEP

      3072:01hoF2jJ6wiPa1XzwIxJLp7tUE1NgBS5Bs//dm63NzzEfWw:01hnJ6D1IxPtUyNrsHdmqEf

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks