General

  • Target

    9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6.exe

  • Size

    763KB

  • Sample

    241022-b346ss1fml

  • MD5

    36881de84e2d129a6a32e7a5c5537aee

  • SHA1

    7e022793522c1f22103a5946ac4b204f3ab58706

  • SHA256

    9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6

  • SHA512

    cc3be75f7857cef10939000c49c925aa7baffd3e6507c84cca3bfbdc7223ccbb336bbdd43f5cf023f523790e4e59e7e1f08bf2f969f64ab76e1111e19c533179

  • SSDEEP

    12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QL4ohDPj:ffmMv6Ckr7Mny5QLjzj

Malware Config

Extracted

Family

xworm

Version

5.0

C2

162.251.122.86:57903

Mutex

fCXrE8L4kRTm48Ov

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

redline

Botnet

success

C2

162.251.122.86:5798

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7260827022:AAGnycbSxkSvowZMOoJ8zZlGOgV2Qx7LfZI/sendMessage?chat_id=6487984800

https://api.telegram.org/bot7388739443:AAGtGEMG0kgDM1V9rPLWCt4i7ndysEwwYBA/sendMessage?chat_id=1224745150

Targets

    • Target

      9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6.exe

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks