General
-
Target
perm.exe
-
Size
4.6MB
-
Sample
241215-qk4jwaxjgn
-
MD5
cd15473be3b87cf2f089fe3a652d0d08
-
SHA1
5fecdc548d7c9e134940509d4b002dd36deda1ef
-
SHA256
27088c28c0f31bf50d35890675acb14a9da0b2bf574a03c79040e640bd1fbe96
-
SHA512
cdd2f2dbc59942999082bd62bd869b66bf80b525d7b7244cb6527540bb288a50844f6d078f21c319d6888d02efca5a73ed054c16a544958ef40e215a54336477
-
SSDEEP
98304:1d7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6KM:u+y4ihkl/Wo/afHP9
Malware Config
Targets
-
-
Target
perm.exe
-
Size
4.6MB
-
MD5
cd15473be3b87cf2f089fe3a652d0d08
-
SHA1
5fecdc548d7c9e134940509d4b002dd36deda1ef
-
SHA256
27088c28c0f31bf50d35890675acb14a9da0b2bf574a03c79040e640bd1fbe96
-
SHA512
cdd2f2dbc59942999082bd62bd869b66bf80b525d7b7244cb6527540bb288a50844f6d078f21c319d6888d02efca5a73ed054c16a544958ef40e215a54336477
-
SSDEEP
98304:1d7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6KM:u+y4ihkl/Wo/afHP9
Score10/10-
Detect Xworm Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Sectoprat family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-