General
-
Target
0ffabbcd65e9d16a98cfd6573e430faef64da2140408741e6ca69fa33ccd7e4c.exe
-
Size
125KB
-
Sample
240614-be4kcsserm
-
MD5
0c7129cc873a7ae0a20b38275f792eb8
-
SHA1
d182944e585357d572ff7f04f31ea8cd633f7f83
-
SHA256
0ffabbcd65e9d16a98cfd6573e430faef64da2140408741e6ca69fa33ccd7e4c
-
SHA512
9f5d5fb23d0efa317d321d6a37e24c6ee97005dd70ee8a2d7116ae94243e339a7fcbf5c41d7edda96bdda2042642a8ce03fdde53a6bf77c9dff358edb6109b16
-
SSDEEP
3072:/6V/R6cUvnDmwPU9101LS8U5wUBeixhRk+XbXT9PsHP:CNR6JPDmwPUbi05wYeH+XbZP2
Static task
static1
Behavioral task
behavioral1
Sample
0ffabbcd65e9d16a98cfd6573e430faef64da2140408741e6ca69fa33ccd7e4c.exe
Resource
win7-20240611-en
Malware Config
Extracted
redline
cheat
103.168.67.9:57395
Extracted
xworm
0LLXgeoJ4l4QFpG6
-
install_file
USBDriver.exe
-
pastebin_url
https://pastebin.com/raw/FrUYqTuA
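The two extracted configs give a small, high-value indicator set: the RedLine C2 host and port, the paste URL XWorm fetches its C2 from, and the XWorm install file name. The following is an added example (not code from the sandbox or from this page) that turns those indicators into matchers over process and network telemetry; the telemetry records at the bottom are constructed, and the port-mismatch and raw-paste heuristics are assumptions chosen for illustration.

```python
"""Match the indicators extracted from the sample's embedded RedLine and XWorm
configs against process and network telemetry.

Added example, not the sandbox's own logic; the RECORDS below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the extracted configs and hashes on this page.
REDLINE_C2_IP = ipaddress.ip_address("103.168.67.9")
REDLINE_C2_PORT = 57395
XWORM_PASTE_URL = "https://pastebin.com/raw/FrUYqTuA"  # XWorm pastebin_url
XWORM_INSTALL_FILE = "usbdriver.exe"                  # XWorm install_file, matched case-insensitively
SAMPLE_SHA256 = "0ffabbcd65e9d16a98cfd6573e430faef64da2140408741e6ca69fa33ccd7e4c"

# Assumption: browsers fetching a raw paste is normal; any other process doing so is not.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Hit:
    family: str       # which config the indicator came from
    confidence: str   # "high" or "medium"
    detail: str
    record: dict


def match_network(rec: dict) -> Optional[Hit]:
    """Flag connections to the RedLine C2 host. A different port still counts, at
    lower confidence (assumption: panel ports change more often than hosts)."""
    try:
        ip = ipaddress.ip_address(rec.get("dst_ip", ""))
    except ValueError:
        return None
    if ip != REDLINE_C2_IP:
        return None
    port = rec.get("dst_port")
    conf = "high" if port == REDLINE_C2_PORT else "medium"
    return Hit("redline", conf, f"connection to C2 {ip}:{port}", rec)


def match_url(rec: dict) -> Optional[Hit]:
    """Flag the exact XWorm paste URL, and any other raw-paste fetch by a
    non-browser as a weaker 'legitimate hosting service abused for C2' signal."""
    url = rec.get("url", "")
    if url == XWORM_PASTE_URL:
        return Hit("xworm", "high", "fetch of pastebin_url C2 resolver", rec)
    parts = urlsplit(url)
    if (parts.hostname or "").lower() == "pastebin.com" and parts.path.startswith("/raw/"):
        proc = rec.get("process", "").lower()
        if proc and proc not in BROWSERS:
            return Hit("generic", "medium", f"raw paste fetched by {proc}", rec)
    return None


def match_process(rec: dict) -> Optional[Hit]:
    """Flag the sample by SHA256 and the XWorm persistence binary by file name."""
    if rec.get("sha256", "").lower() == SAMPLE_SHA256:
        return Hit("sample", "high", "sha256 matches the analysed sample", rec)
    name = rec.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name == XWORM_INSTALL_FILE:
        return Hit("xworm", "medium", f"install_file name {name}", rec)
    return None


MATCHERS = {"network": match_network, "url": match_url, "process": match_process}


def scan(records: list) -> list:
    """Run every record through the matcher for its type; return the hits in order."""
    hits = []
    for rec in records:
        matcher = MATCHERS.get(rec.get("type"))
        hit = matcher(rec) if matcher else None
        if hit:
            hits.append(hit)
    return hits


# Constructed telemetry for illustration, not from the sandbox run.
RECORDS = [
    {"type": "network", "dst_ip": "103.168.67.9", "dst_port": 57395, "process": "sample.exe"},
    {"type": "network", "dst_ip": "103.168.67.9", "dst_port": 8080, "process": "sample.exe"},
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53, "process": "svchost.exe"},
    {"type": "url", "url": "https://pastebin.com/raw/FrUYqTuA", "process": "sample.exe"},
    {"type": "url", "url": "https://pastebin.com/raw/constructed", "process": "chrome.exe"},
    {"type": "url", "url": "https://pastebin.com/raw/constructed", "process": "powershell.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\USBDriver.exe"},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "sha256": "deadbeef"},
]

if __name__ == "__main__":
    for h in scan(RECORDS):
        print(f"[{h.confidence}] {h.family}: {h.detail}")
```

The file-name match is deliberately rated medium: `USBDriver.exe` is a name an operator can change per build, whereas the paste URL and C2 host are what this particular sample was compiled with.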
Targets
-
-
Target
0ffabbcd65e9d16a98cfd6573e430faef64da2140408741e6ca69fa33ccd7e4c.exe
-
Detect Xworm Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects executables (downloaders) containing URLs to raw contents of a paste
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
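The PowerShell signature above fires on a command line that adds Defender exclusions, and a plain substring match on `Add-MpPreference` is easy to slip past. The following is an added example (not the sandbox's own rule) of detection logic that also handles two common evasions: an `-EncodedCommand` payload, which hides the cmdlet from the outer command line, and PowerShell's acceptance of abbreviated parameter names such as `-ExclusionExt`. The log lines are constructed for illustration; the list of `-EncodedCommand` abbreviations accepted is an assumption based on `powershell.exe` resolving unambiguous prefixes.

```python
"""Detect PowerShell command lines that add Windows Defender exclusions.

Added example, not the sandbox signature itself; SAMPLE_LOGS are constructed.
"""
import base64
import re

# Cmdlets that change Defender preferences (Get-MpPreference is read-only and ignored).
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)

# Any abbreviation of -ExclusionPath / -ExclusionExtension / -ExclusionProcess /
# -ExclusionIpAddress, followed by a quoted value or an unquoted one up to
# whitespace, ';' or '|'.
EXCLUSION = re.compile(r"-(Exclusion[A-Za-z]*)\s+(\"[^\"]*\"|'[^']*'|[^\s;|]+)", re.I)

# Assumption: powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -en, -enc, ...).
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(1, 15))
ENCODED = re.compile(rf"(?:^|\s)-(?:ec|{_ENC_PREFIXES})\s+([A-Za-z0-9+/=]{{16,}})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if
    there is none or it does not decode cleanly."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def defender_exclusions(cmdline: str) -> list:
    """Return (parameter, value) pairs for every Defender exclusion the command
    line adds, searching the decoded encoded command as well as the raw line."""
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    if not MP_CMDLET.search(text):
        return []
    return [(param, value.strip("\"'")) for param, value in EXCLUSION.findall(text)]


def _encode(ps: str) -> str:
    """Build an -EncodedCommand argument the way an attacker does (used only for the sample)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed log lines, not from the sandbox run.
SAMPLE_LOGS = [
    # Plain: hides the dropper directory and the XWorm persistence binary from Defender
    "powershell.exe -WindowStyle Hidden -Command Add-MpPreference "
    "-ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming' -ExclusionProcess USBDriver.exe",
    # Abbreviated parameter name, which PowerShell resolves to -ExclusionExtension
    "powershell -ep bypass -c \"Set-MpPreference -ExclusionExt exe,dll\"",
    # Encoded: the cmdlet never appears in the outer command line
    "powershell.exe -nop -w hidden -enc " + _encode("Add-MpPreference -ExclusionPath $env:TEMP"),
    # Benign: reads preferences, adds nothing
    "powershell.exe -Command Get-MpPreference",
]


def flagged_lines(lines: list) -> list:
    """Return the indices of log lines that add at least one exclusion."""
    return [i for i, line in enumerate(lines) if defender_exclusions(line)]


if __name__ == "__main__":
    for i in flagged_lines(SAMPLE_LOGS):
        print(i, defender_exclusions(SAMPLE_LOGS[i]))
```

Feed it the command line from a process-creation event (Sysmon event 1 or Security 4688) rather than Script Block Logging text; the decoder exists precisely so the check still works when only the outer command line is available.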