redline

General

Target

39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe
Size

501KB
Sample

240831-bn4aysxfmm
MD5

6b34408cb796d4e16a6caa577ebce6b9
SHA1

f011ab355ac5a00204c033f3ac73848f6ce4c0ee
SHA256

39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a
SHA512

344defa68966df547a0504ee221a2037f737d469e0c496009209f9334589f0f73ac69226bb74ea60eb116332ccaefa0d5c1f8972a5b9d34628d9bfcc4147ea84
SSDEEP

12288:E2iNErX80k+laBnUISbE0u9QgYZoXONvIGc2:E1ij8v+MKjbE0ul+Nx

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

91.92.120.13:7099

Mutex

ZCamGCh7lBqmpyCR

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

FOZZ

C2

91.92.120.13:1912

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
smtp.hostinger.com
Port:
587
Username:
[email protected]
Password:
Emrqtr@2024info
Email To:
[email protected]

Targets

- Target
  
  39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe
- Size
  
  501KB
- MD5
  
  6b34408cb796d4e16a6caa577ebce6b9
- SHA1
  
  f011ab355ac5a00204c033f3ac73848f6ce4c0ee
- SHA256
  
  39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a
- SHA512
  
  344defa68966df547a0504ee221a2037f737d469e0c496009209f9334589f0f73ac69226bb74ea60eb116332ccaefa0d5c1f8972a5b9d34628d9bfcc4147ea84
- SSDEEP
  
  12288:E2iNErX80k+laBnUISbE0u9QgYZoXONvIGc2:E1ij8v+MKjbE0ul+Nx
Score

10^/10

redline stormkitty vipkeylogger xworm fozz credential_access discovery execution infostealer keylogger rat spyware stealer trojan
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2