Extracted

Extracted

• • Target

    635e75f0dbd929bfd1ab929d781c7755caf502e41af8f29652c2ac0852c012e7.exe

  • Size

    1.8MB

  • MD5

    dea6345737332d700577ded23c693a87

  • SHA1

    73678213f6ecd0fce19a7c2508157b503cc79d42

  • SHA256

    635e75f0dbd929bfd1ab929d781c7755caf502e41af8f29652c2ac0852c012e7

  • SHA512

    8669c259283c2b56b3e5c2933a5a65e7a57d295fb8ef5cb3152c919633b0f194517bca06a5d82b741ca91b69b27766e0571720936e5ce9256f2e27454e1079aa

  • SSDEEP

    49152:BUl3Wi7HLc9jTL+Kr33WwdJ735WxDsiHM2fVOgHkF:QWi7HLc9XLHDHpuDM2fY+4

  Score

  10^/10

  redlinexwormsuccessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

  • Detect Xworm Payload

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1