redline | 5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30 | Triage

Sharing

General

Target

5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30.exe
Size

821KB
Sample

241127-c3twhasnby
MD5

7c36f1554bb662abddb2fafb5db3037d
SHA1

4d2b146919805242a1699139d2937bae4fddfd4b
SHA256

5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30
SHA512

caa4b4b05fdd1a5b68979ed0c2388c727dd3d89d34a2351e7e392e1dd1764a87a0af1106e7beaa65a287cd625088daeb9ccfcad4fed8ca39b273fa7142c53665
SSDEEP

24576:PBKn35eX+HnjaKB2LJKI923eTuOmvzzx428hYTGu:EpjHnj3B2VKI92uuOmrOSTGu

Score

10^/10

redline xworm foz discovery execution infostealer persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

212.162.149.53:7071

Mutex

9GNxvcpH1EHQrLdj

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

redline

Botnet

FOZ

C2

212.162.149.53:36014

Targets

- Target
  
  5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30.exe
- Size
  
  821KB
- MD5
  
  7c36f1554bb662abddb2fafb5db3037d
- SHA1
  
  4d2b146919805242a1699139d2937bae4fddfd4b
- SHA256
  
  5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30
- SHA512
  
  caa4b4b05fdd1a5b68979ed0c2388c727dd3d89d34a2351e7e392e1dd1764a87a0af1106e7beaa65a287cd625088daeb9ccfcad4fed8ca39b273fa7142c53665
- SSDEEP
  
  24576:PBKn35eX+HnjaKB2LJKI923eTuOmvzzx428hYTGu:EpjHnj3B2VKI92uuOmrOSTGu
Score

10^/10

redline xworm foz discovery execution infostealer persistence rat trojan
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinexwormfozdiscoveryexecutioninfostealerpersistencerattrojan

behavioral2

redlinexwormfozdiscoveryexecutioninfostealerpersistencerattrojan