redline | 201f9fbaaa715f934e0f89d07aba1fa080fe17839ea64b776e1e69ce11451783 | Triage

Submit
Reports

Overview

overview

Static

static

1

Luxury Shi....9.zip

windows10-ltsc 2021-x64

Sharing

General

Target

Luxury Shield 12.8.9.zip
Size

9.6MB
Sample

250112-br4qwsynet
MD5

8067ac7cd02c1a3bb18b2a6a56597c3a
SHA1

1df850e23a06480dcd3a1af122a2e14382a4578f
SHA256

201f9fbaaa715f934e0f89d07aba1fa080fe17839ea64b776e1e69ce11451783
SHA512

1286bfab21376c45317c870c266ad65a64ddba4d949c2f96541ace359210a76c2957ba6d5a2b888ec3e63aad919b4c8ee5e06f606e83aa0b41bd4f306131b779
SSDEEP

196608:AxMKs19qZm4Lvx8fMF6J8zD6sL+oPI6vkCsu90NQ1VL9rm0AbBwbtr6LHYVjHnA:A7GEm4Lv2fM8wD5+H6DuK1VI0Al4A

Score

10^/10

redline xworm discovery execution infostealer persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Luxury Shield 12.8.9.zip

Resource

win10ltsc2021-20241211-en

redline xworm discovery execution infostealer persistence rat trojan

windows10-ltsc 2021-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

according-psp.at.ply.gg:38979

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Targets

- Target
  
  Luxury Shield 12.8.9.zip
- Size
  
  9.6MB
- MD5
  
  8067ac7cd02c1a3bb18b2a6a56597c3a
- SHA1
  
  1df850e23a06480dcd3a1af122a2e14382a4578f
- SHA256
  
  201f9fbaaa715f934e0f89d07aba1fa080fe17839ea64b776e1e69ce11451783
- SHA512
  
  1286bfab21376c45317c870c266ad65a64ddba4d949c2f96541ace359210a76c2957ba6d5a2b888ec3e63aad919b4c8ee5e06f606e83aa0b41bd4f306131b779
- SSDEEP
  
  196608:AxMKs19qZm4Lvx8fMF6J8zD6sL+oPI6vkCsu90NQ1VL9rm0AbBwbtr6LHYVjHnA:A7GEm4Lv2fM8wD5+H6DuK1VI0Al4A
Score

10^/10

redline xworm discovery execution infostealer persistence rat trojan
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinexwormdiscoveryexecutioninfostealerpersistencerattrojan

© 2018-2025

Terms | Privacy