redline

General

Target

New Order PO_O8475980U09_Inquiry,pdf.tbz
Size

460KB
Sample

241205-s83nlaxkfm
MD5

39607b5a96e5655609e39105b4fb3821
SHA1

ef4a9e345b2dd7db9527a336747feb6a21722441
SHA256

0415c597da572bf22be7df0f07f3280ceb2140cc53b737225c1296015c6d67ab
SHA512

fb87cb32d965b16507260095bbfdf95f407e98f91410b8c08711c670f6f1a09e903aad1844af095f25bbd379bb5e16fcba6801e7fb803f1241b95edee37cd4b9
SSDEEP

12288:rTJY2wMPADnx0DN7srf7XolTBlYZ09yMB7sQo:/J1PSx0DN+zYlf6QFsQo

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

212.162.149.196:7967

Mutex

7rZTXi0ZDltxTxRZ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

success

C2

212.162.149.196:8062

Targets

- Target
  
  New Order PO_O8475980U09_Inquiry,pdf.exe
- Size
  
  944KB
- MD5
  
  13c7674b5ddf04d0c1ff4c44b12aa4d4
- SHA1
  
  2d46412c7a2046c27b6549a31ad3dd9bf9a0935d
- SHA256
  
  d3e83ecbfc6ead31c132b85910c6dd0c7a0e5bb343231a289cdc4203fbd9d6ad
- SHA512
  
  2da740d5fdcdc49b9985bff25e2fdb187c9fb1545aaccccc895af46bb25a68b7f6966305bb07bf2340da0f223e364f250779d6ccc7d24273136eda141437a665
- SSDEEP
  
  24576:zu6J33O0c+JY5UZ+XC0kGso6FaPAe2tQlvJWY:du0c++OCvkGs9FaPAeUY
Score

10^/10

redline xworm success discovery infostealer rat spyware trojan
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Xworm Payload

RedLine payload

Redline family

Xworm

Xworm family

Drops startup file

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2