redline | 80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab | Triage

Submit
Reports

Overview

overview

Static

static

3

EBC4B354D6...04.exe

windows7-x64

EBC4B354D6...04.exe

windows10-2004-x64

Sharing

General

Target

EBC4B354D6EC654829F9DE447D0C7B04.exe
Size

839KB
Sample

240625-vcs6dsvakr
MD5

ebc4b354d6ec654829f9de447d0c7b04
SHA1

9e5d3ccae0d22bd27f8ae39b2f35b274dabd7fd1
SHA256

80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab
SHA512

1cb3487cf2f1864d22d3148b30ecf70794567af3a84c9ba5f2d16b5dac38017347c4efb92e4978ebfe57588c5883a2ebe4af33e83eaafad99de202548fd0048e
SSDEEP

24576:3CIQgVHOEqG7111cZRHVzutBSRhmG5ep:yAH1KL1zwBSRhmAI

Score

10^/10

redline sectoprat stormkitty xworm x3.0 foundry execution infostealer rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

EBC4B354D6EC654829F9DE447D0C7B04.exe

Resource

win7-20240220-en

redline sectoprat stormkitty xworm x3.0 foundry execution infostealer rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

EBC4B354D6EC654829F9DE447D0C7B04.exe

Resource

win10v2004-20240226-en

redline sectoprat stormkitty xworm x3.0 foundry execution infostealer rat spyware stealer trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.209:7000

Mutex

biVc5L0dNUTxuebk

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

X3.0 Foundry

C2

79.110.49.209:37552

Targets

- Target
  
  EBC4B354D6EC654829F9DE447D0C7B04.exe
- Size
  
  839KB
- MD5
  
  ebc4b354d6ec654829f9de447d0c7b04
- SHA1
  
  9e5d3ccae0d22bd27f8ae39b2f35b274dabd7fd1
- SHA256
  
  80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab
- SHA512
  
  1cb3487cf2f1864d22d3148b30ecf70794567af3a84c9ba5f2d16b5dac38017347c4efb92e4978ebfe57588c5883a2ebe4af33e83eaafad99de202548fd0048e
- SSDEEP
  
  24576:3CIQgVHOEqG7111cZRHVzutBSRhmG5ep:yAH1KL1zwBSRhmAI
Score

10^/10

redline sectoprat stormkitty xworm x3.0 foundry execution infostealer rat spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesectopratstormkittyxwormx3.0 foundryexecutioninfostealerratspywarestealertrojan

behavioral2

redlinesectopratstormkittyxwormx3.0 foundryexecutioninfostealerratspywarestealertrojan

© 2018-2024

Terms | Privacy