General
-
Target
9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6.exe
-
Size
763KB
-
Sample
241022-b346ss1fml
-
MD5
36881de84e2d129a6a32e7a5c5537aee
-
SHA1
7e022793522c1f22103a5946ac4b204f3ab58706
-
SHA256
9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6
-
SHA512
cc3be75f7857cef10939000c49c925aa7baffd3e6507c84cca3bfbdc7223ccbb336bbdd43f5cf023f523790e4e59e7e1f08bf2f969f64ab76e1111e19c533179
-
SSDEEP
12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QL4ohDPj:ffmMv6Ckr7Mny5QLjzj
Static task
static1
Behavioral task
behavioral1
Sample
9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
xworm
5.0
162.251.122.86:57903
fCXrE8L4kRTm48Ov
-
install_file
USB.exe
Extracted
redline
success
162.251.122.86:5798
Extracted
vipkeylogger
https://api.telegram.org/bot7260827022:AAGnycbSxkSvowZMOoJ8zZlGOgV2Qx7LfZI/sendMessage?chat_id=6487984800
https://api.telegram.org/bot7388739443:AAGtGEMG0kgDM1V9rPLWCt4i7ndysEwwYBA/sendMessage?chat_id=1224745150
Targets
-
-
Target
9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6.exe
-
Size
763KB
-
MD5
36881de84e2d129a6a32e7a5c5537aee
-
SHA1
7e022793522c1f22103a5946ac4b204f3ab58706
-
SHA256
9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6
-
SHA512
cc3be75f7857cef10939000c49c925aa7baffd3e6507c84cca3bfbdc7223ccbb336bbdd43f5cf023f523790e4e59e7e1f08bf2f969f64ab76e1111e19c533179
-
SSDEEP
12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QL4ohDPj:ffmMv6Ckr7Mny5QLjzj
-
Detect Xworm Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-