redline | b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6

General

Target

b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe
Size

347KB
MD5

daf2c3b134b7eb351027b07f9134093a
SHA1

bef5e2fbbb6409182e19025aa6eef37de9e2d9b5
SHA256

b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6
SHA512

1041b5b3dcd1463a286dc9dada110f26dffc6ff8a8791527488e4527f09e13d82da79c9cab61aabf0e87cf04840b1ab5a839c0a427d39c1ba33f543c013e10d5
SSDEEP

6144:irT55Efr24puFmFySo/NJrMyzqPOEK6l6wQVaIucpahQMqgCNz1ZB3WpWIUAHcpv:m5Cfr2LQyh/rLcdQVhucjM1CDQQPpNGH

Score

10^/10

redline xworm foz discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

212.162.149.53:7071

Mutex

9GNxvcpH1EHQrLdj

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

redline

Botnet

FOZ

C2

212.162.149.53:36014

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000013b4c-5.dat	family_xworm
behavioral1/memory/2336-8-0x00000000010E0000-0x00000000010F0000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001739c-13.dat	family_redline
behavioral1/memory/2844-17-0x0000000000920000-0x0000000000972000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
2336	XClient.exe
2844	build.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2336	XClient.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2336	XClient.exe
2844	build.exe
2844	build.exe
2844	build.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	XClient.exe
Token: SeDebugPrivilege	2844	build.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2336	XClient.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2336	2308	b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe	31
PID 2308 wrote to memory of 2336	2308	b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe	31
PID 2308 wrote to memory of 2336	2308	b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe	31
PID 2308 wrote to memory of 2844	2308	b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe	32
PID 2308 wrote to memory of 2844	2308	b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe	32
PID 2308 wrote to memory of 2844	2308	b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe	32
PID 2308 wrote to memory of 2844	2308	b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe	32

C:\Users\Admin\AppData\Local\Temp\b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe
"C:\Users\Admin\AppData\Local\Temp\b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
40KB

MD5
1c5cf825e29b63a62c3c8b1589d51a1e

SHA1
ea4f1dceeeea35b6bd17f4040511bbd0341246a8

SHA256
d868406f1fdc6a5c15a70f03f6279fb8a3fe190ea5a4911bf6839fc483c753b0

SHA512
c780aff70b930ea221ffd96081c02116f76d2c7b20590fff6ab04038e2aef50ad57eb8f28a67c4dfdb6a00e3fe393e1238d448c3f346585242ee18d180203fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
1ed2ecae05aaa1c505136f5252287cc7

SHA1
2c73c09437c4c1d5e90013a6ca7a65ac0a5fadc5

SHA256
d771f70ba342e5d4cd7f129a4a2b4a6c6c7293233135f266db33f356986a70f9

SHA512
ca82139310ea62ec8703f6fcb19d843644a5ce40323e8f7857c9fd3173bb0796eb20f9002209b9fcbfa7ce9858fe3b932e070f8449bc2736b6712d39515d9219

Download Submit
memory/2308-0-0x000007FEF5863000-0x000007FEF5864000-memory.dmp

Filesize
4KB

Download
memory/2308-1-0x0000000000AB0000-0x0000000000B0E000-memory.dmp

Filesize
376KB

Download
memory/2308-4-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-16-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-8-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/2336-15-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-22-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-23-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-17-0x0000000000920000-0x0000000000972000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads