Analysis
-
max time kernel
150s -
max time network
97s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
05-12-2024 00:24
General
-
Target
RedLine Stealer.zip
-
Size
17.2MB
-
MD5
d3d1d5504a838b38d27bfdc29a9bf0ea
-
SHA1
f6c351251c4b5fa64b852dc2ae6f85cf870a1508
-
SHA256
4f90b7c87ae9a261936b72f8062c7ffff38f5921dc58794a23084aa0ad95969d
-
SHA512
7f7dd2471f6aec68b1a2d59b1ccac1cef1142ee9fd734db6b320013dddac3c8e828ec0339765aa4df864e275415862df877971dbec803a3d6b350f034982c781
-
SSDEEP
393216:y6AL1DWiFjy2F43KVjCybo8x8CLO0kjl2sDYSUs9Tx:y5L1rFjEKl1oNrJZYyl
Malware Config
Extracted
xworm
5.0
svchost.serveirc.com:1313
MML7YiawHlQLefrX
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7089308942:AAHsTcsMKoz1p6-9kX7OD8cZDlRLQM_DN-A/sendMessage?chat_id=5936200928
Signatures
-
Detect Xworm Payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Redline family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RedLine Stealer.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RedLine Stealer\How To Use.txt1⤵
-
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe"C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe"C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Eihb.exe"C:\Users\Admin\AppData\Local\Temp\Eihb.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 17563⤵
- Program crash
-
-
-
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe"C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2872 -ip 28721⤵
-
C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe"C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Panel.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAcZrwjhWdnE6gZVHxIPkQ0QAAAAACAAAAAAAQZgAAAAEAACAAAABZKdkaI6AvJIliysxh4fn8L+stcYSN+bpMKYC9pFejDwAAAAAOgAAAAAIAACAAAABd91+LGtfi1vRV+e1g6kab9rvNg/AH6NilQhJ/BOpsDhAAAAAwbHCmZXofeoY0b1/P6d7hQAAAAJkbsFjEap4XuBZ/IeSG4ZxHOhSAI/T+DlLUDNrVFGvzWOTp+b3jOaiUkrS17jMyhWbMISr3pUkn5eVHWeWnhck=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAcZrwjhWdnE6gZVHxIPkQ0QAAAAACAAAAAAAQZgAAAAEAACAAAAC28ohnFjo4Z6k+AcWGqC++SjO6vQ/lZFj4k09Upe2whwAAAAAOgAAAAAIAACAAAADYuGBTs0+G0RqIkT7dfoUvX/xuX/OWDd5L56kxM9AH1BAAAAC2YQu5sKbjzCpWxwvSDgYfQAAAAKzvVtPlrTA5jWC7QuKgyRXWXK1S81gT4jzHIpxSVH2xtP5xNl/4wth5nshCMyCGOPb8OyCPqH4lCNCpojO8d5Q="4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAcZrwjhWdnE6gZVHxIPkQ0QAAAAACAAAAAAAQZgAAAAEAACAAAABZKdkaI6AvJIliysxh4fn8L+stcYSN+bpMKYC9pFejDwAAAAAOgAAAAAIAACAAAABd91+LGtfi1vRV+e1g6kab9rvNg/AH6NilQhJ/BOpsDhAAAAAwbHCmZXofeoY0b1/P6d7hQAAAAJkbsFjEap4XuBZ/IeSG4ZxHOhSAI/T+DlLUDNrVFGvzWOTp+b3jOaiUkrS17jMyhWbMISr3pUkn5eVHWeWnhck=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAcZrwjhWdnE6gZVHxIPkQ0QAAAAACAAAAAAAQZgAAAAEAACAAAAC28ohnFjo4Z6k+AcWGqC++SjO6vQ/lZFj4k09Upe2whwAAAAAOgAAAAAIAACAAAADYuGBTs0+G0RqIkT7dfoUvX/xuX/OWDd5L56kxM9AH1BAAAAC2YQu5sKbjzCpWxwvSDgYfQAAAAKzvVtPlrTA5jWC7QuKgyRXWXK1S81gT4jzHIpxSVH2xtP5xNl/4wth5nshCMyCGOPb8OyCPqH4lCNCpojO8d5Q=" "--monitor"5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
306B
MD533f89887a1b3559f9c8fe974b797212a
SHA1e33f9884f22fde8d27b30ec05885d8736a110220
SHA256adc0a94f591acdf86ae9fc01bc4b83fcd4dfb57aadc85b9e0041e7e5a59ccbd4
SHA5126eab2ddfb4429089e85186d6a1197dd231e515b9557b94fabd90ee47976efc817ce762420657da5a37f57ef6787f1c48fbfb314304265f44cec234facbea86fd
-
Filesize
118KB
MD5677073949945ca09fe971682561c5f11
SHA1cb33238550faa82cb5d3b5e4116a8c721a4fc96c
SHA256571d22f4659932c89344baf33e0e53dcb790fa9cb196ad7a937ce17f567f5062
SHA512006c596edb2c6cef589319917c70531e0672cd8831a4d6852c0641e9cc9a90d351f687884da67a02055706c334e94b68a17c8a0cf9f6041b633f8f85cd9185f6
-
Filesize
9.3MB
MD5f4e19b67ef27af1434151a512860574e
SHA156304fc2729974124341e697f3b21c84a8dd242a
SHA256c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
SHA512a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77
-
Filesize
2.2MB
MD5a3ec05d5872f45528bbd05aeecf0a4ba
SHA168486279c63457b0579d86cd44dd65279f22d36f
SHA256d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e
SHA512b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e
-
Filesize
73B
MD5ebd9ad19bba872e97831dfdf0324e2d2
SHA1f9e68fc549915740cdf48072983b6c5f93dfcd36
SHA2566208eb97ad74e38edcd621d192e4ded4e2a337b07634b1582862e0663a7f31ce
SHA5124b84b18b83260948ad79f960bd54f67fcfcaef978cef3f93bdc08260f31c2665e3242708c20e3842935d925203b711a4da0bb03b1605b3c1bc139aa66c820a83
-
Filesize
80KB
MD584bec3b8c6db81ad3f26c2796b02a2b5
SHA17b3e8f34510e196754eb6a21812d96976a24c351
SHA256263251f3218d9e250a8a741ecfa1c5182030d75b75dac3314bdde8c050b2e301
SHA5125690eb7c9dde782ef635edbcf1beab61166bcc651f00334ae1b3554af56b5455c5486c5dc0a70cb7e5bb72bc9742ec77be450ff0f4d5fcdd984e52f9db87aed4
-
Filesize
725B
MD5b7de1d805c991602041a05dbcf222f24
SHA1f1e1516b3f0a17f670abd475b2e51ccd82591a30
SHA256d5964507a22c93f848a86b3eb4c9f39f658bfa6971474f1e60fc0c734501f9a7
SHA512d6b42edbe026c0b3b6938fe8bc93828913ba476db86c842fd4869edc50376aacaaf42e84314bda9c0347db16cd19d431a660a14416a4f15d3cf8b9a40e35faf8
-
Filesize
119KB
MD54fde0f80c408af27a8d3ddeffea12251
SHA1e834291127af150ce287443c5ea607a7ae337484
SHA2561b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb
SHA5123693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5
-
Filesize
189B
MD55a7f52d69e6fca128023469ae760c6d5
SHA19d7f75734a533615042f510934402c035ac492f7
SHA256498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0
SHA5124dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f
-
Filesize
123KB
MD5e3d39e30e0cdb76a939905da91fe72c8
SHA1433fc7dc929380625c8a6077d3a697e22db8ed14
SHA2564bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74
SHA5129bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8
-
Filesize
2.2MB
MD5eac11bc16c0fda030e431a794119473f
SHA17ccff2bbb88f35e6cee7c58ec264abee962aa556
SHA2568fb55b92f639950c9bbc3c3920a5780ca2d58100e03388d4568dfb48b006372e
SHA51272ae606ca6267cd1ee9dc4f339367d969dd5ee419d91faa757023cb3d3104f0d2eb55ba83208a308bdc5cfcd6d75b7c3fc9966a87d2e77d2f3ab3f87bfb28d25
-
Filesize
9.4MB
MD531fa09a4239fb382ab8be3c30fb35f2f
SHA1c31a3400a47a9c47e051b5f7d2f8f9e6346a121b
SHA256ebf94a98b7f5016ddfb9c7b13a689f0c71e8b6b65c495fbd093cc874e3bb86e4
SHA51236fd6ea03ff46b490d901bcca543d85c74fe3a02145f65b07eb2a1c4c491c48aa80e90ba98f5a5ee0a0f3c9933f27c72d42d7f71f2095b2ef74dc9e9c7ed8fe5
-
Filesize
26KB
MD5494890d393a5a8c54771186a87b0265e
SHA1162fa5909c1c3f84d34bda5d3370a957fe58c9c8
SHA256f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7
SHA51240fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395
-
Filesize
3.4MB
MD5059d51f43f1a774bc5aa76d19c614670
SHA1171329bf0f48190cf4d59ce106b139e63507457d
SHA2562eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d
SHA512a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
1.3MB
-
Filesize
40KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
1.6MB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
9.5MB
-
Filesize
1.5MB
-
Filesize
624KB
-
Filesize
3.4MB
-
Filesize
160KB
-
Filesize
304KB
-
Filesize
144KB
-
Filesize
192KB
-
Filesize
1024KB
-
Filesize
1.5MB
-
Filesize
320KB
-
Filesize
1.0MB
-
Filesize
824KB
-
Filesize
3.4MB
-
Filesize
2.5MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
6.1MB
-
Filesize
152KB
-
Filesize
2.2MB
-
Filesize
72KB
-
Filesize
1024KB
-
Filesize
96KB
-
Filesize
104KB
-
Filesize
6.1MB
-
Filesize
232KB
-
Filesize
704KB
-
Filesize
72KB
-
Filesize
464KB
-
Filesize
3.4MB
-
Filesize
240KB
-
Filesize
136KB
-
Filesize
296KB
-
Filesize
320KB
-
Filesize
316KB
-
Filesize
1.0MB
-
Filesize
192KB
-
Filesize
144KB
-
Filesize
5.6MB
-
Filesize
2.2MB
-
Filesize
6.1MB