Overview

overview

10

Static

static

5

Fedex_Ship...ts.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Fedex_Shipping_Documents.zip

  • Size

    901KB

  • Sample

    250408-pn3w3styht

  • MD5

    6e7f79b4d50e65f790271de459c898b5

  • SHA1

    c821678d2deffbc8935e6f4a2979c0881e23e3a0

  • SHA256

    d22eb2405a129915a37e58437b63c2806fbc3289b74a948a6b4011174e64bbcc

  • SHA512

    d2a593149f62bdf5ed324d8c800ae7721813d8b798b3e6b72a9b7db93d269bc702f81cdfa8b85e20a62ad778436de4d69c0fb84f8ffe3e8552bfa4fb38753972

  • SSDEEP

    24576:V5LP4SVGRrnCUAViO6BGnqPcRTKgNVLfo2gG2+UOk8YmTGUygLg:YjRNO6B4qkRT3VLfNr2ZOYGdt8

Score
10/10
redlinexwormsuccessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

success

C2

204.10.161.147:7082

Extracted

Family

xworm

Version

5.0

C2

204.10.161.147:7081

Mutex

XoFHv1TT4hWErxRo

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      Fedex_Shipping_Documents.com

    • Size

      1.4MB

    • MD5

      daf25df46bf63a632e21edeb637a4adf

    • SHA1

      c1e037a58a2baf4e2610bf5e3ef936aa2443cf03

    • SHA256

      54a728dbac9d9338a6ce84720d8a113c8c9305cdb407cc030fdc0f626802f10b

    • SHA512

      b51265fbcf33b29f1bb598886bc5f3f3f98d0ddad5b0e86674b2d7586f487dae20c407f36272708fc623be44440cae2e6532c41be44b341c6619fa2541bf8d47

    • SSDEEP

      24576:bu6J33O0c+JY5UZ+XC0kGso6FaoL8UyLJ0g9Jytb7mkmWiXY+uO8UjWblNFyWY:Vu0c++OCvkGs9FaoIug94eAUjWbDY

    Score
    10/10
    redlinexwormsuccessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks