Extracted

• • Target

    Release/DwmLutGUI.exe

  • Size

    48KB

  • MD5

    940026092c35c84f5de3369dbec24576

  • SHA1

    679ec6ca51d3e47dfac2a1cdbe3b0b153be1b2b6

  • SHA256

    4ac8778ddb796a771072f22cce6bba6fe36bcd7f10b66379ccc6c40fe7ff0a2b

  • SHA512

    40a8893e3ebceb30d3f73eee5d5b6de8a2cff76387ec04955327b834bd487d0b3d7f9bcd251266a9b6aff634a527f3c1a089dc034836cd9d4df8d3918e9eb94c

  • SSDEEP

    768:O/FOFRvMtpRGM7pnXm1V0q5nCI2CH8kSiJVDDDDDxVDDDDDsytYcFwVc6K:8E2XHq5nCI2K8kSiUewVcl

  Score

  10^/10

  redlinerhadamanthysxwormadwaredefense_evasiondiscoveryexecutioninfostealermotwpersistencephishingprivilege_escalationratstealertrojan

  • Detect Xworm Payload

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Event Triggered Execution: Image File Execution Options Injection

    persistence

  • Sets service image path in registry

    persistence

  • Drops startup file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    phishingmotw

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • Checks system information in the registry

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of SetThreadContext

  behavioral1