Overview

overview

10

Static

static

3

Panel/RedL...).docx

windows7-x64

4

Panel/RedL...).docx

windows10-2004-x64

1

Panel/RedL...).docx

windows7-x64

4

Panel/RedL...).docx

windows10-2004-x64

1

Panel/RedL...el.exe

windows7-x64

10

Panel/RedL...el.exe

windows10-2004-x64

10

Panel/RedL...me.exe

windows7-x64

6

Panel/RedL...me.exe

windows10-2004-x64

6

Panel/RedL...48.exe

windows7-x64

7

Panel/RedL...48.exe

windows10-2004-x64

7

Panel/RedL...ar.exe

windows7-x64

1

Panel/RedL...ar.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    67268732bc4b95f46b187a2591492902124980fbb2da759e77931a4da85f258c

  • Size

    14.4MB

  • Sample

    241106-pw6myazjds

  • MD5

    8af9d125b659a7879e30e2acdab04af4

  • SHA1

    e464aa7fb3ae32ff31f9ded60f231186a52ca342

  • SHA256

    67268732bc4b95f46b187a2591492902124980fbb2da759e77931a4da85f258c

  • SHA512

    819083047b70a4f764e9e0cd39a44dc5885d3e5b9dbeeb4dcc11283cbb4389e2cb10a8b287a3de20efe8ec2dc3e157d730d4dea29785d69134ed10a171b1000a

  • SSDEEP

    393216:+DU10TjFTsIpTfrT2SzNHggKcuMjZNcx0my+Pv:+Y10loIpZA1POXcxI+Pv

Score
10/10
redlinexwormdiscoveryinfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

194.145.138.85:1604

Mutex

Iom8xb4NUaLbxykI

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Panel/RedLine_20_2/FAQ (English).docx

    • Size

      30KB

    • MD5

      a973ea85439ddfe86379d47e19da4dca

    • SHA1

      78f60711360ddd46849d128e7a5d1b68b1d43f9f

    • SHA256

      c197833a3fd69e98fbf2b02e9da232ff2867e1e684d420fd3975188c0e0e202b

    • SHA512

      4a3fad33cccb15ea2d98bc30141744ba6709afec52d429ac0916aa656f4b611fdeda4b37812f0a72b90de000fc5c0f95bb445e5df67fc4ba6f93de5ce55df510

    • SSDEEP

      768:oi87zWNuZn3IZElFoL+goT2Ir9259IQ+409:oi8mQnXFoigoRr9aIvX9

    Score
    4/10
    discovery
    behavioral1behavioral2

    • Target

      Panel/RedLine_20_2/FAQ(RUS).docx

    • Size

      51KB

    • MD5

      aa9534a22d08fb17b6c50164ca226aba

    • SHA1

      9d68e6e4b0ea3c41ad7f70733dc53628962765ce

    • SHA256

      e3f9590d0a28e8f17d40f9a5a5489a963c6d5e722a324adf0d1d666ea424c89f

    • SHA512

      a4290cf0f3ecbb25078a0d3f870ed6abcab83d831e107f59730cf5fbdbc0268ac831d8f31f18a08794e27e51ba302ecb5bdd4bac85f3887844ed881c363bb8b9

    • SSDEEP

      1536:YmF2FkS3yM0Yj3ePetyogAcLrANZLI3dakgXeV:YNFkGem74Lr+k3v7V

    Score
    4/10
    discovery
    behavioral3behavioral4

    • Target

      Panel/RedLine_20_2/Panel/Panel.exe

    • Size

      9.4MB

    • MD5

      c708571970a5df0ac078d6926b4a0233

    • SHA1

      30587f2e1b2200fb371c5d2edf79174f9e1d831f

    • SHA256

      6a8bb8bb4e7eba4e87afb75f058b3489fc17f5858fc712678dd44ba9574dc088

    • SHA512

      472e88d5009d4b9701b8d3654d3820b57ae4e9ccda2f3fd70e6230c4b8aca51bc58eb2b0d4583b4b5b888a66a94cd462c6f642e02da260b92558d3cfabc6e6fc

    • SSDEEP

      196608:cIS8FZi3v80O6qRvXvkmJ0QsTsKpmnssE3ruVL2V9z:c0KFr4/v9J0zpBuVw

    Score
    10/10
    redlinexworminfostealerrattrojan

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral5behavioral6

    • Target

      Panel/RedLine_20_2/Tools/Chrome.exe

    • Size

      1.1MB

    • MD5

      92cfeb7c07906eac0d4220b8a1ed65b1

    • SHA1

      882b83e903b5b4c7c75f0b1dc31bb7aa8938d8fa

    • SHA256

      38b827a431b89da0d9cdd444373364371f4f6e6bf299e7935f05b2351ca9186c

    • SHA512

      e2ee932f5b81403935a977f9d3c8e2e4f6a4c9a1967b7e1cf61229a7746a24aae486ac6b779fb570f1dff02a3ff30107044f0427ce46474b91d788c78c8fcfbf

    • SSDEEP

      24576:q6JGMnMpfVArKlhbP6GFibQC1QSvKZHHf1FqbI4Cn:47/MPGFibsSipHubPa

    Score
    6/10
    discoverypersistenceprivilege_escalationspywarestealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral7behavioral8

    • Target

      Panel/RedLine_20_2/Tools/NetFramework48.exe

    • Size

      1.4MB

    • MD5

      86482f2f623a52b8344b00968adc7b43

    • SHA1

      755349ecd6a478fe010e466b29911d2388f6ce94

    • SHA256

      2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57

    • SHA512

      64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d

    • SSDEEP

      24576:MGHL3siy9J0/SmtLvUDSRbm4Jah1rVxL+iTOhYdeM+GkdnddMF2ScVC3oKNVpNXo:RL3s7mKeTUDBzrVxxOhYdeMinddG2lCK

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral10behavioral9

    • Target

      Panel/RedLine_20_2/Tools/WinRar.exe

    • Size

      3.2MB

    • MD5

      b66dec691784f00061bc43e62030c343

    • SHA1

      779d947d41efafc2995878e56e213411de8fb4cf

    • SHA256

      26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370

    • SHA512

      6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3

    • SSDEEP

      98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8

    Score
    1/10
    behavioral11behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks