Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Cpanel Checker Account By X-Splinter.exe

  • Size

    3.7MB

  • Sample

    240919-xxtc1awdlp

  • MD5

    39401e5df746918a500b9787cd2f5233

  • SHA1

    4dc2cc83675da4edd09eb7d0d3c1117cda68a536

  • SHA256

    c4281edbe6427622819aa12cffb5b31278da4a9cb7dcd6385bb60fba81ba4630

  • SHA512

    7f8640bd0e321a463fd0170ae0db408a9802ce69447511d94c24e3dad47ab3524218c601c0ac791161b57ec6d505f19087ee4d3cd778ab9af374c98c9a6bceab

  • SSDEEP

    49152:CJv8la8vBAw5THCAwDj+mpjgcyyPleLHqG3FejOpu99eeFK8RIPz47y1LcdOJhVW:ccvBovyg433Fejageg6TcdOXV

Malware Config

Extracted

Family

redline

Botnet

Diamotrix

C2

176.111.174.140:1912

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

oTA1Qk0GTnww

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      Cpanel Checker Account By X-Splinter.exe

    • Size

      3.7MB

    • MD5

      39401e5df746918a500b9787cd2f5233

    • SHA1

      4dc2cc83675da4edd09eb7d0d3c1117cda68a536

    • SHA256

      c4281edbe6427622819aa12cffb5b31278da4a9cb7dcd6385bb60fba81ba4630

    • SHA512

      7f8640bd0e321a463fd0170ae0db408a9802ce69447511d94c24e3dad47ab3524218c601c0ac791161b57ec6d505f19087ee4d3cd778ab9af374c98c9a6bceab

    • SSDEEP

      49152:CJv8la8vBAw5THCAwDj+mpjgcyyPleLHqG3FejOpu99eeFK8RIPz47y1LcdOJhVW:ccvBovyg433Fejageg6TcdOXV

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Async RAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks