General

  • Target

    RedLine Stealer.zip

  • Size

    17.2MB

  • Sample

    241212-ad565atjfs

  • MD5

    d3d1d5504a838b38d27bfdc29a9bf0ea

  • SHA1

    f6c351251c4b5fa64b852dc2ae6f85cf870a1508

  • SHA256

    4f90b7c87ae9a261936b72f8062c7ffff38f5921dc58794a23084aa0ad95969d

  • SHA512

    7f7dd2471f6aec68b1a2d59b1ccac1cef1142ee9fd734db6b320013dddac3c8e828ec0339765aa4df864e275415862df877971dbec803a3d6b350f034982c781

  • SSDEEP

    393216:y6AL1DWiFjy2F43KVjCybo8x8CLO0kjl2sDYSUs9Tx:y5L1rFjEKl1oNrJZYyl

Malware Config

Extracted

Family

xworm

Version

5.0

C2

svchost.serveirc.com:1313

Mutex

MML7YiawHlQLefrX

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7089308942:AAHsTcsMKoz1p6-9kX7OD8cZDlRLQM_DN-A/sendMessage?chat_id=5936200928

  • aes.plain
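
The extracted configuration above gives everything needed to hunt for this sample on other hosts: a copy of the payload persisted as svchost.exe under %AppData% rather than System32, a DNS name and port for the C2, and a Telegram bot API endpoint. The following Python script is an added example, not part of the sandbox report, that turns those fields into normalised indicators and runs them over a handful of constructed Sysmon-style telemetry events. The config values are the ones shown above; the event records, field names, user name and the assumption of a default C:\Windows SystemRoot are made up for illustration.

```python
"""Hunting checks derived from the XWorm configuration extracted above.

Added example, not part of the sandbox report. The config values are copied
from the report; the telemetry events are constructed with Sysmon-style
field names for illustration only.
"""
import re
from urllib.parse import urlparse

# Values copied from the report's "Malware Config" section.
XWORM_CONFIG = {
    "family": "xworm",
    "version": "5.0",
    "c2": "svchost.serveirc.com:1313",
    "mutex": "MML7YiawHlQLefrX",
    "install_directory": "%AppData%",
    "install_file": "svchost.exe",
    "telegram": ("https://api.telegram.org/bot7089308942:"
                 "AAHsTcsMKoz1p6-9kX7OD8cZDlRLQM_DN-A/sendMessage?chat_id=5936200928"),
}

# Telegram bot tokens have the form <numeric id>:<secret>; the id alone is
# enough to match the channel without copying the secret into detection rules.
TELEGRAM_BOT_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/")

# The genuine svchost.exe only lives here (assumes the default SystemRoot).
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def config_to_iocs(cfg):
    """Turn the raw config fields into concrete, normalised indicators."""
    host, _, port = cfg["c2"].rpartition(":")
    tg = urlparse(cfg["telegram"])
    m = TELEGRAM_BOT_RE.search(tg.path)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],  # for handle/memory scans; not matched on below
        "install_file": cfg["install_file"].lower(),
        # %AppData% expands to C:\Users\<user>\AppData\Roaming, so the dropped
        # copy always ends with this suffix whatever the user name is.
        "dropped_path_suffix": "\\appdata\\roaming\\" + cfg["install_file"].lower(),
        "telegram_host": tg.hostname,
        "telegram_bot_id": m.group(1) if m else None,
    }


def match_event(ev, iocs):
    """Return the reasons (possibly none) a single telemetry event matches."""
    hits = []
    if ev["type"] == "process":
        image = ev["image"].lower()
        # Name masquerade: svchost.exe started from anywhere but System32/SysWOW64.
        if image.endswith("\\" + iocs["install_file"]) and not image.startswith(LEGIT_SVCHOST_DIRS):
            hits.append("svchost.exe executed outside System32/SysWOW64")
        if image.endswith(iocs["dropped_path_suffix"]):
            hits.append("image matches XWorm install path %AppData%\\" + iocs["install_file"])
    elif ev["type"] == "dns":
        if ev["query"].lower().rstrip(".") == iocs["c2_host"]:
            hits.append("DNS query for XWorm C2 " + iocs["c2_host"])
    elif ev["type"] == "net":
        if ev.get("dest_host", "").lower() == iocs["c2_host"] and ev.get("dest_port") == iocs["c2_port"]:
            hits.append("connection to XWorm C2 %s:%d" % (iocs["c2_host"], iocs["c2_port"]))
        # api.telegram.org itself is legitimate traffic; the bot id from the config is the indicator.
        if ev.get("dest_host") == iocs["telegram_host"] and "/bot%s:" % iocs["telegram_bot_id"] in ev.get("url", ""):
            hits.append("Telegram bot %s from the extracted config contacted" % iocs["telegram_bot_id"])
    return hits


def scan(events, iocs):
    """Return (index, reasons) for every event that matches at least one indicator."""
    findings = []
    for i, ev in enumerate(events):
        hits = match_event(ev, iocs)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed telemetry, not taken from the report: one benign svchost.exe,
# one masqueraded copy, the C2 lookup, the Telegram call, and a benign lookup.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "dns", "query": "SVCHOST.serveirc.com."},
    {"type": "net", "dest_host": "api.telegram.org", "dest_port": 443,
     "url": "/bot7089308942:AAHsTcsMKoz1p6-9kX7OD8cZDlRLQM_DN-A/sendMessage?chat_id=5936200928"},
    {"type": "dns", "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS, config_to_iocs(XWORM_CONFIG)):
        print(idx, SAMPLE_EVENTS[idx]["type"], "; ".join(reasons))
```

The process check is deliberately broader than this one sample: any svchost.exe image outside System32/SysWOW64 is worth a look, because the legitimate binary is never launched from a user profile. Matching on the Telegram bot id rather than the whole token keeps the secret out of shared detection content while still tying the traffic to this configuration.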

Targets

    • Target

      RedLine Stealer.zip

    • Size

      17.2MB

    • MD5

      d3d1d5504a838b38d27bfdc29a9bf0ea

    • SHA1

      f6c351251c4b5fa64b852dc2ae6f85cf870a1508

    • SHA256

      4f90b7c87ae9a261936b72f8062c7ffff38f5921dc58794a23084aa0ad95969d

    • SHA512

      7f7dd2471f6aec68b1a2d59b1ccac1cef1142ee9fd734db6b320013dddac3c8e828ec0339765aa4df864e275415862df877971dbec803a3d6b350f034982c781

    • SSDEEP

      393216:y6AL1DWiFjy2F43KVjCybo8x8CLO0kjl2sDYSUs9Tx:y5L1rFjEKl1oNrJZYyl

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.

    • RedLine payload

    • Redline family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks