General
-
Target
ohtie89k.exe
-
Size
148KB
-
Sample
241110-t6hfba1aml
-
MD5
ba57c75d6c4e2936f6cad4a1ba4c29d1
-
SHA1
8299498803759fbb63a323b0ad64694d72d0c352
-
SHA256
c54714fec4a8cab57d0f0304210fc2f4f50f6fbcee80fc2d3db9cf30a31853d2
-
SHA512
3dcf87f4242b0c71c35c28f9f68e9994df8ce0888119ace1d4433303d22d856e45bf47dd88d7c4c5b32c2806f60187470f1548296bbfd7d27f87bb6526f7a10b
-
SSDEEP
3072:sFZbBnzDocMDOhTxVpK4x3ZlhNxB2S+T0Wu4wvAaqifHulgOw:SBnrMDuR95HjxBT+T0zk4Yh
Malware Config
Extracted
redline
newest
mylogsprvt.zapto.org:45630
Extracted
xworm
mylogsprvt.zapto.org:8899
SmH2L0949LC6zVSS
-
install_file
USB.exe
Targets
-
-
Target
ohtie89k.exe
-
Size
148KB
-
MD5
ba57c75d6c4e2936f6cad4a1ba4c29d1
-
SHA1
8299498803759fbb63a323b0ad64694d72d0c352
-
SHA256
c54714fec4a8cab57d0f0304210fc2f4f50f6fbcee80fc2d3db9cf30a31853d2
-
SHA512
3dcf87f4242b0c71c35c28f9f68e9994df8ce0888119ace1d4433303d22d856e45bf47dd88d7c4c5b32c2806f60187470f1548296bbfd7d27f87bb6526f7a10b
-
SSDEEP
3072:sFZbBnzDocMDOhTxVpK4x3ZlhNxB2S+T0Wu4wvAaqifHulgOw:SBnrMDuR95HjxBT+T0zk4Yh
Score10/10-
Detect Xworm Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Sectoprat family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1