Overview

overview

10

Static

static

3

Engine Spo...an.exe

windows7-x64

10

Engine Spo...an.exe

windows10-2004-x64

10

Engine Spo...ts.dll

windows7-x64

1

Engine Spo...ts.dll

windows10-2004-x64

1

Engine Spo...rk.dll

windows7-x64

1

Engine Spo...rk.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EngineSpoofer.rar

  • Size

    2.3MB

  • Sample

    241029-a7vx9ayqds

  • MD5

    52dc8751bf0b40c9314582619cbff1c3

  • SHA1

    d8ceaea62ca5702c350561bc2d97f70086bb1f33

  • SHA256

    d57d71500a6a9fe0e7edea86d5f4e71a5488ec3db4b60315567e323df08aea28

  • SHA512

    6731501f069ba435bf275550bd857acdef1c2880dc0f4050476e64277c22b864ae85295fe9e06d4bc4a88f3df3f42c9724a4038790d3bf4b1ed7ef33dd779485

  • SSDEEP

    49152:U4uTEnUNkrCQhzjGffQzYZCBAJflFj867PZ8QdDYH4KWgw4txKmZAE8u3pZ:UzEUNkrzxsfQzYMIFY67PZCPwIxKmyE3

Score
10/10
redlinesectopratxwormseconddiscoveryexecutioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:8080

51.89.201.41:8080
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    ApplicationFrameHost.exe

Extracted

Family

redline

Botnet

Second

C2

51.89.201.41:29254

Targets

    • Target

      Engine Spoofer 2.0.5/Engine - Clean.exe

    • Size

      3.0MB

    • MD5

      007decaa4162946f4afae58675ea24f2

    • SHA1

      a86eb4dffba6fa651ffdc016dc8cab9f6b583f46

    • SHA256

      4d623323722623c396d129c980835c6c008c3fc10833e2e0220bfcd8969151aa

    • SHA512

      1d60d4e882eabbcdcf76689b9c330b23edad748e578fa5db26f7b2f39dd4e6217f99577868d4a30c78d8f68ecedcaf36516736894f0463a69084d799bd0e2cc6

    • SSDEEP

      49152:MeneANrcDamp/RMaBejg2CgEmweT0ibbFlx9SZUGZmCvZKHHkNKNNNpNNNmy:ze4rAa4/R7ejgISeThbFf9SZMqsc

    Score
    10/10
    redlinesectopratxwormseconddiscoveryexecutioninfostealerpersistencerattrojan

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      Engine Spoofer 2.0.5/MetroFramework.Fonts.dll

    • Size

      656KB

    • MD5

      612080028164b12939751dcccbb68d4a

    • SHA1

      db066593c63d2eff41a5af1b49a3e098b60e0013

    • SHA256

      e96030fddaf7e78401567ee82480ad75ee48d3556199a3f85c0ec669edac2ef4

    • SHA512

      1879c960e27e32941c0c992b84803e7a1f8d243bfc88d17d3d32baca772290b9ea60a6ea90d53170be3bf7f0a58fe71ec901dc66aa560b4bf68b1da56c09fe18

    • SSDEEP

      12288:H+/9JcJlYqCNktA+SXfGpq2fHowSqCNktA+SXfvJR9FrIJJaqCNktA+SXfUC:H+/3qlrCNoh+UqgIwhCNoh+JR9FrIJJw

    Score
    1/10
    behavioral3behavioral4

    • Target

      Engine Spoofer 2.0.5/MetroFramework.dll

    • Size

      149KB

    • MD5

      44538b311e9ec2bcf0a6452702628d99

    • SHA1

      da67301539903775708e9ec913654851e9e8eade

    • SHA256

      baf326f52d39155d722465947f4cc67e6e90cfd0f89954eab959568e9bc342aa

    • SHA512

      b65e3bc1c0f7b4c8f778cf52a36d628301d60aab53fdaf0355163e4865bc3d3adbf8870bb6cefc604708fdf2c0e72258eaf2fe301d524af2f77bc08014c9610a

    • SSDEEP

      3072:LU0T+erz8jYxYg5lzrPHlMUzxXd4kRZPI9q:vT+erz8jYxYgv/lxXGWPS

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks