redline | 9de2cbafa58a144deba35a8cf5f137e45915f8beebb95beb08a50e533428e887

General

Target

screensaver.exe
Size

40KB
MD5

532f554a589dcb3b7adbfb1f2792ff35
SHA1

0bc817dc4f4f7350afc7b66e87d72f8376e3af58
SHA256

1c8cc063b64f9c4f5beb55f64cf19efb96e2e9d592c221366ec9ceafc4f9c545
SHA512

d513e4d630cd81e0bc22f8131d4cbe521847845e2f129ba961b1f83e97216af5a21a0e8a77c27fdfe115104901a06b7b56294f7fe52f1f6854e8e1dc3c57c5b1
SSDEEP

768:v9aG+ZAGcowW/A1rAmhNdATtF5PG9IhoOwhk3IEJ:vwAL0A1MEApFo9IGOwahJ

Score

10^/10

redline sectoprat stormkitty xworm xclient credential_access discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

memorialwords.xyz:4444

Mutex

0FDfqtSCPc6omfwK

Attributes

Install_directory
%AppData%
install_file
Adobe\Reader\updater.exe

aes.plain

Extracted

Family

redline

Botnet

xclient

C2

memorialwords.xyz:6666

Signatures

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1288-1-0x00000000000C0000-0x00000000000D0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe	family_xworm
behavioral1/memory/688-18-0x0000000001370000-0x0000000001380000-memory.dmp	family_xworm
behavioral1/memory/1536-127-0x0000000001380000-0x0000000001390000-memory.dmp	family_xworm
behavioral1/memory/2808-129-0x00000000001B0000-0x00000000001C0000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\xofspx.exe	family_redline
behavioral1/memory/2644-11-0x0000000000E30000-0x0000000000E4E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\xofspx.exe	family_sectoprat
behavioral1/memory/2644-11-0x0000000000E30000-0x0000000000E4E000-memory.dmp	family_sectoprat

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1288-102-0x000000001B9D0000-0x000000001BAEE000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Executes dropped EXE 4 IoCs

Processes:

xofspx.exeupdater.exeupdater.exeupdater.exe

pid process

2644 xofspx.exe
688 updater.exe
1536 updater.exe
2808 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

xofspx.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xofspx.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2716 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

screensaver.exexofspx.exe

pid process

1288 screensaver.exe
2644 xofspx.exe
2644 xofspx.exe

pid	process
2644	xofspx.exe
688	updater.exe
1536	updater.exe
2808	updater.exe

flow	ioc
4	ip-api.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xofspx.exe

pid	process
2716	schtasks.exe

pid	process
1288	screensaver.exe
2644	xofspx.exe
2644	xofspx.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

screensaver.exexofspx.exeupdater.exeupdater.exeupdater.exe

description	pid	process
Token: SeDebugPrivilege	1288	screensaver.exe
Token: SeDebugPrivilege	1288	screensaver.exe
Token: SeDebugPrivilege	2644	xofspx.exe
Token: SeDebugPrivilege	688	updater.exe
Token: SeDebugPrivilege	1536	updater.exe
Token: SeDebugPrivilege	2808	updater.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

screensaver.exe

pid process

1288 screensaver.exe

pid	process
1288	screensaver.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

screensaver.exetaskeng.exe

description	pid	process	target process
PID 1288 wrote to memory of 2716	1288	screensaver.exe	schtasks.exe
PID 1288 wrote to memory of 2716	1288	screensaver.exe	schtasks.exe
PID 1288 wrote to memory of 2716	1288	screensaver.exe	schtasks.exe
PID 1288 wrote to memory of 2644	1288	screensaver.exe	xofspx.exe
PID 1288 wrote to memory of 2644	1288	screensaver.exe	xofspx.exe
PID 1288 wrote to memory of 2644	1288	screensaver.exe	xofspx.exe
PID 1288 wrote to memory of 2644	1288	screensaver.exe	xofspx.exe
PID 2388 wrote to memory of 688	2388	taskeng.exe	updater.exe
PID 2388 wrote to memory of 688	2388	taskeng.exe	updater.exe
PID 2388 wrote to memory of 688	2388	taskeng.exe	updater.exe
PID 2388 wrote to memory of 1536	2388	taskeng.exe	updater.exe
PID 2388 wrote to memory of 1536	2388	taskeng.exe	updater.exe
PID 2388 wrote to memory of 1536	2388	taskeng.exe	updater.exe
PID 2388 wrote to memory of 2808	2388	taskeng.exe	updater.exe
PID 2388 wrote to memory of 2808	2388	taskeng.exe	updater.exe
PID 2388 wrote to memory of 2808	2388	taskeng.exe	updater.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\screensaver.exe
"C:\Users\Admin\AppData\Local\Temp\screensaver.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "updater" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\xofspx.exe
  "C:\Users\Admin\AppData\Local\Temp\xofspx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

C:\Windows\system32\taskeng.exe
taskeng.exe {ADF17C36-E5E7-45B2-B4FE-3EAB162DA7EE} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe
  C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe
  C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe
  C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp450E.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4523.tmp

Filesize
92KB

MD5
4a1a8aca865134d079146e4ecf2fd4b3

SHA1
46756ac1d44b35ac30292f85388d03be5d63ef2f

SHA256
205039e56bf51a20bf5a068d2acbf3c6da57b7ec665a7305d63bbad4955d6dcc

SHA512
8bb23a2c82271b3bf5d638668d4a7c5baaf8b345b378eaaddf298f301a719622154dc400c475c90e5f7fc84c877fb68a75aefb3bed1aa77f2222d29823baf009

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8700.tmp.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\xofspx.exe

Filesize
95KB

MD5
efbdc64139ab0861a5714b87bec21240

SHA1
e68e6811f863e493c2a7104f50513fb0665737ea

SHA256
47198e417630b385a84105464bc155cc8596318a4f4c6c169347f1f28098a8e7

SHA512
6c1229324b3aca049d5167490348bdb83d59759ceee8678ef88735829e0d861bb552addcada1ddf1368f325d06d6db91dd13e61d05531cc4e09a292068ad066c

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe

Filesize
40KB

MD5
532f554a589dcb3b7adbfb1f2792ff35

SHA1
0bc817dc4f4f7350afc7b66e87d72f8376e3af58

SHA256
1c8cc063b64f9c4f5beb55f64cf19efb96e2e9d592c221366ec9ceafc4f9c545

SHA512
d513e4d630cd81e0bc22f8131d4cbe521847845e2f129ba961b1f83e97216af5a21a0e8a77c27fdfe115104901a06b7b56294f7fe52f1f6854e8e1dc3c57c5b1

Download Submit
memory/688-18-0x0000000001370000-0x0000000001380000-memory.dmp

Filesize
64KB

Download
memory/1288-14-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1288-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1288-12-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1288-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1288-102-0x000000001B9D0000-0x000000001BAEE000-memory.dmp

Filesize
1.1MB

Download
memory/1288-1-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/1536-127-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2644-13-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2644-11-0x0000000000E30000-0x0000000000E4E000-memory.dmp

Filesize
120KB

Download
memory/2644-10-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2644-100-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2644-101-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-129-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads