General
-
Target
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
-
Size
15.6MB
-
Sample
240630-bet1xsvbqr
-
MD5
ad3893ee2a8e40f2700236672635f5aa
-
SHA1
80f3c0bc398c473e32eeb1420218be6a5feb291d
-
SHA256
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727
-
SHA512
748db720695d028c034367f0af26d80ced9700dc497a82ce5a4ce578b39fb24c0f869ddbae3b542b15718523fa3cd29c11f78ded0f9f748ac4954256472a4111
-
SSDEEP
196608:IZu1YQGj4ZSo3jXkpiliRElNhT7kiibJ488hEipzLmCKg4EFJ9UHytjAIgwX4FVE:+u1OjJEIZulNyHytjma0VvjZ6
Malware Config
Extracted
xworm
94.156.8.186:7000
-
Install_directory
%AppData%
-
install_file
svchost.exe
Extracted
redline
cracked
94.156.8.186:37552
Targets
-
-
Target
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
-
Size
15.6MB
-
MD5
ad3893ee2a8e40f2700236672635f5aa
-
SHA1
80f3c0bc398c473e32eeb1420218be6a5feb291d
-
SHA256
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727
-
SHA512
748db720695d028c034367f0af26d80ced9700dc497a82ce5a4ce578b39fb24c0f869ddbae3b542b15718523fa3cd29c11f78ded0f9f748ac4954256472a4111
-
SSDEEP
196608:IZu1YQGj4ZSo3jXkpiliRElNhT7kiibJ488hEipzLmCKg4EFJ9UHytjAIgwX4FVE:+u1OjJEIZulNyHytjma0VvjZ6
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects executables (downlaoders) containing URLs to raw contents of a paste
-
Detects executables containing artifacts associated with disabling Widnows Defender
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing credit card regular expressions
-
Detects executables using Telegram Chat Bot
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-