Overview

overview

10

Static

static

5

Fedex_Ship...ts.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Fedex_Shipping_Documents.rar

  • Size

    901KB

  • Sample

    250408-pn3w3stqy5

  • MD5

    acff58108f52d862fac637c5dcc3bf9c

  • SHA1

    bb8d10938e5242780fbee7361280b25e47545ad5

  • SHA256

    6bba8663169c72f11d56d22a04f6b78eb758c566c17e359a885c259cf90e9776

  • SHA512

    d6f38a1294f56860c3bef0a59a46d1e3b50b3b5052d80e6f6e5c657bbee737bf59a545463daa1377717345a2ed7ba3eec22119ca3a5df2c225f71679e0cf2d5f

  • SSDEEP

    24576:r5HH7CRLnC2QxQ67VGjuPcB7KsNJbRooUGK+uOA+4mv4UAcLp:kRJ0VSukB7VJbRp3KhOK8nBt

Score
10/10
redlinexwormsuccessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

204.10.161.147:7081

Mutex

XoFHv1TT4hWErxRo

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

redline

Botnet

success

C2

204.10.161.147:7082

Targets

    • Target

      Fedex_Shipping_Documents.com

    • Size

      1.4MB

    • MD5

      daf25df46bf63a632e21edeb637a4adf

    • SHA1

      c1e037a58a2baf4e2610bf5e3ef936aa2443cf03

    • SHA256

      54a728dbac9d9338a6ce84720d8a113c8c9305cdb407cc030fdc0f626802f10b

    • SHA512

      b51265fbcf33b29f1bb598886bc5f3f3f98d0ddad5b0e86674b2d7586f487dae20c407f36272708fc623be44440cae2e6532c41be44b341c6619fa2541bf8d47

    • SSDEEP

      24576:bu6J33O0c+JY5UZ+XC0kGso6FaoL8UyLJ0g9Jytb7mkmWiXY+uO8UjWblNFyWY:Vu0c++OCvkGs9FaoIug94eAUjWbDY

    Score
    10/10
    redlinexwormsuccessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks