Malware Analysis Report

2024-11-16 13:07

Sample ID 241107-dpvrbathnh
Target c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe
SHA256 c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3
Tags
xworm redline sectoprat cheat discovery infostealer rat spyware stealer trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3

Threat Level: Known bad

The file c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Xworm

Redline family

Xworm family

RedLine

SectopRAT

Detect Xworm Payload

Sectoprat family

SectopRAT payload

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 03:11

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 03:11

Reported

2024-11-07 03:14

Platform

win7-20240903-en

Max time kernel

121s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Sectoprat family

sectoprat

Xworm

trojan rat xworm

Xworm family

xworm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plweno.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\plweno.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plweno.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plweno.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\plweno.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe

"C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe"

C:\Users\Admin\AppData\Local\Temp\plweno.exe

"C:\Users\Admin\AppData\Local\Temp\plweno.exe"

Network

Country | Destination | Domain | Proto
RU | 89.110.95.189:7000 | N/A | tcp
RU | 89.110.95.189:45697 | 89.110.95.189 | tcp
US | 8.8.8.8:53 | api.ip.sb | udp
US | 104.26.13.31:443 | api.ip.sb | tcp

Files

memory/2372-0-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

memory/2372-1-0x00000000011F0000-0x00000000011FE000-memory.dmp

memory/2372-2-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

memory/2372-3-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

memory/2372-4-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\plweno.exe

MD5 6f353cb5e463f29f80df872026d5108f
SHA1 bfbe71a527294b26e0925c79b4d322cdc10b7a19
SHA256 553a5bda03fddd51b2c0c8182d0e5386ee8317df91c72d937162b85283023fc2
SHA512 fc353bc120cf814fc1ca5b0afa22ed6180a15143e34a21a8b7a4a3903a5d9335fa05c50acfd00989c10afce878ed3f60ff0445a2c8139d6aa5c901a0a7b79135

memory/2968-11-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/2968-12-0x0000000000170000-0x000000000018E000-memory.dmp

memory/2968-13-0x0000000074AD0000-0x00000000751BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp349A.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp34AF.tmp

MD5 102841a614a648b375e94e751611b38f
SHA1 1368e0d6d73fa3cee946bdbf474f577afffe2a43
SHA256 c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264
SHA512 ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a

memory/2968-86-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/2968-87-0x0000000074AD0000-0x00000000751BE000-memory.dmp

memory/2968-88-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 03:11

Reported

2024-11-07 03:14

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe

"C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 89.110.95.189:7000 | N/A | tcp
US | 8.8.8.8:53 | 189.95.110.89.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/4200-0-0x00007FFCC2293000-0x00007FFCC2295000-memory.dmp

memory/4200-1-0x0000000000920000-0x000000000092E000-memory.dmp

memory/4200-2-0x00007FFCC2290000-0x00007FFCC2D51000-memory.dmp

memory/4200-3-0x00007FFCC2293000-0x00007FFCC2295000-memory.dmp

memory/4200-4-0x00007FFCC2290000-0x00007FFCC2D51000-memory.dmp