Overview
overview
10Static
static
10Redline_20...er.exe
windows7_x64
1Redline_20...er.exe
windows10_x64
1Redline_20...er.exe
windows10-2004_x64
1Redline_20...er.exe
windows11_x64
Redline_20...ld.exe
windows7_x64
10Redline_20...ld.exe
windows10_x64
10Redline_20...ld.exe
windows10-2004_x64
10Redline_20...ld.exe
windows11_x64
Redline_20...st.exe
windows7_x64
1Redline_20...st.exe
windows10_x64
1Redline_20...st.exe
windows10-2004_x64
1Redline_20...st.exe
windows11_x64
Redline_20...er.exe
windows7_x64
4Redline_20...er.exe
windows10_x64
4Redline_20...er.exe
windows10-2004_x64
4Redline_20...er.exe
windows11_x64
Redline_20...el.exe
windows7_x64
10Redline_20...el.exe
windows10_x64
10Redline_20...el.exe
windows10-2004_x64
10Redline_20...el.exe
windows11_x64
Redline_20...me.exe
windows7_x64
8Redline_20...me.exe
windows10_x64
8Redline_20...me.exe
windows10-2004_x64
8Redline_20...me.exe
windows11_x64
Redline_20...48.exe
windows7_x64
8Redline_20...48.exe
windows10_x64
8Redline_20...48.exe
windows10-2004_x64
8Redline_20...48.exe
windows11_x64
Redline_20...ar.exe
windows7_x64
1Redline_20...ar.exe
windows10_x64
1Redline_20...ar.exe
windows10-2004_x64
1Redline_20...ar.exe
windows11_x64
Analysis
-
max time kernel
602s -
max time network
433s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
02-07-2022 14:20
Behavioral task
behavioral1
Sample
Redline_2021_stealer-main/Kurome.Builder/Kurome.Builder.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Redline_2021_stealer-main/Kurome.Builder/Kurome.Builder.exe
Resource
win10-20220414-en
Behavioral task
behavioral3
Sample
Redline_2021_stealer-main/Kurome.Builder/Kurome.Builder.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral4
Sample
Redline_2021_stealer-main/Kurome.Builder/Kurome.Builder.exe
Resource
win11-20220223-en
Behavioral task
behavioral5
Sample
Redline_2021_stealer-main/Kurome.Builder/build.exe
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
Redline_2021_stealer-main/Kurome.Builder/build.exe
Resource
win10-20220414-en
Behavioral task
behavioral7
Sample
Redline_2021_stealer-main/Kurome.Builder/build.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral8
Sample
Redline_2021_stealer-main/Kurome.Builder/build.exe
Resource
win11-20220223-en
Behavioral task
behavioral9
Sample
Redline_2021_stealer-main/Kurome.Host/Kurome.Host.exe
Resource
win7-20220414-en
Behavioral task
behavioral10
Sample
Redline_2021_stealer-main/Kurome.Host/Kurome.Host.exe
Resource
win10-20220414-en
Behavioral task
behavioral11
Sample
Redline_2021_stealer-main/Kurome.Host/Kurome.Host.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral12
Sample
Redline_2021_stealer-main/Kurome.Host/Kurome.Host.exe
Resource
win11-20220223-en
Behavioral task
behavioral13
Sample
Redline_2021_stealer-main/Kurome.Loader/Kurome.Loader.exe
Resource
win7-20220414-en
Behavioral task
behavioral14
Sample
Redline_2021_stealer-main/Kurome.Loader/Kurome.Loader.exe
Resource
win10-20220414-en
Behavioral task
behavioral15
Sample
Redline_2021_stealer-main/Kurome.Loader/Kurome.Loader.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral16
Sample
Redline_2021_stealer-main/Kurome.Loader/Kurome.Loader.exe
Resource
win11-20220223-en
Behavioral task
behavioral17
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
Resource
win7-20220414-en
Behavioral task
behavioral18
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
Resource
win10-20220414-en
Behavioral task
behavioral19
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral20
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
Resource
win11-20220223-en
Behavioral task
behavioral21
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/Chrome.exe
Resource
win7-20220414-en
Behavioral task
behavioral22
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/Chrome.exe
Resource
win10-20220414-en
Behavioral task
behavioral23
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/Chrome.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral24
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/Chrome.exe
Resource
win11-20220223-en
Behavioral task
behavioral25
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/NetFramework48.exe
Resource
win7-20220414-en
Behavioral task
behavioral26
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/NetFramework48.exe
Resource
win10-20220414-en
Behavioral task
behavioral27
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/NetFramework48.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral28
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/NetFramework48.exe
Resource
win11-20220223-en
Behavioral task
behavioral29
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/WinRar.exe
Resource
win7-20220414-en
Behavioral task
behavioral30
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/WinRar.exe
Resource
win10-20220414-en
Behavioral task
behavioral31
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/WinRar.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral32
Sample
Redline_2021_stealer-main/Panel/RedLine_20_2/Tools/WinRar.exe
Resource
win11-20220223-en
General
-
Target
Redline_2021_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
-
Size
9.3MB
-
MD5
f4e19b67ef27af1434151a512860574e
-
SHA1
56304fc2729974124341e697f3b21c84a8dd242a
-
SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
-
SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
Processes:
resource yara_rule behavioral17/memory/272-68-0x000000001E010000-0x000000001E152000-memory.dmp family_redline behavioral17/memory/272-73-0x000000001E010000-0x000000001E152000-memory.dmp family_redline behavioral17/memory/272-80-0x000000001E160000-0x000000001E2A2000-memory.dmp family_redline behavioral17/memory/272-118-0x000000001E160000-0x000000001E2A2000-memory.dmp family_redline behavioral17/memory/272-117-0x000000001E160000-0x000000001E2A2000-memory.dmp family_redline behavioral17/memory/760-3877-0x000000001F2F0000-0x000000001F30A000-memory.dmp family_redline -
Suspicious use of NtSetInformationThreadHideFromDebugger 60 IoCs
Processes:
Panel.exePanel.exepid process 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe 760 Panel.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Panel.exePanel.exepid process 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe 272 Panel.exe 760 Panel.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Panel.exePanel.exedescription pid process Token: SeDebugPrivilege 272 Panel.exe Token: SeDebugPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe Token: 33 760 Panel.exe Token: SeIncBasePriorityPrivilege 760 Panel.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Panel.exedescription pid process target process PID 272 wrote to memory of 760 272 Panel.exe Panel.exe PID 272 wrote to memory of 760 272 Panel.exe Panel.exe PID 272 wrote to memory of 760 272 Panel.exe Panel.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Redline_2021_stealer-main\Panel\RedLine_20_2\Panel\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Redline_2021_stealer-main\Panel\RedLine_20_2\Panel\Panel.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Redline_2021_stealer-main\Panel\RedLine_20_2\Panel\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Redline_2021_stealer-main\Panel\RedLine_20_2\Panel\Panel.exe" "--monitor"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/272-3885-0x000000001AFE3000-0x000000001AFE7000-memory.dmpFilesize
16KB
-
memory/272-3891-0x000000001AFCF000-0x000000001AFDA000-memory.dmpFilesize
44KB
-
memory/272-62-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/272-60-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/272-56-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/272-55-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/272-68-0x000000001E010000-0x000000001E152000-memory.dmpFilesize
1.3MB
-
memory/272-73-0x000000001E010000-0x000000001E152000-memory.dmpFilesize
1.3MB
-
memory/272-80-0x000000001E160000-0x000000001E2A2000-memory.dmpFilesize
1.3MB
-
memory/272-66-0x000000001E010000-0x000000001E152000-memory.dmpFilesize
1.3MB
-
memory/272-83-0x000000001B2F0000-0x000000001B490000-memory.dmpFilesize
1.6MB
-
memory/272-97-0x000000001AE80000-0x000000001AE8A000-memory.dmpFilesize
40KB
-
memory/272-110-0x000000001DD50000-0x000000001DD5A000-memory.dmpFilesize
40KB
-
memory/272-103-0x000000001AE80000-0x000000001AE8A000-memory.dmpFilesize
40KB
-
memory/272-136-0x000000001E110000-0x000000001E12C000-memory.dmpFilesize
112KB
-
memory/272-111-0x000007FEF6830000-0x000007FEF695C000-memory.dmpFilesize
1.2MB
-
memory/272-115-0x000000001DD50000-0x000000001DD5A000-memory.dmpFilesize
40KB
-
memory/272-114-0x000000001DD50000-0x000000001DD5A000-memory.dmpFilesize
40KB
-
memory/272-113-0x000000001DD50000-0x000000001DD5A000-memory.dmpFilesize
40KB
-
memory/272-99-0x000000001AE80000-0x000000001AE8A000-memory.dmpFilesize
40KB
-
memory/272-118-0x000000001E160000-0x000000001E2A2000-memory.dmpFilesize
1.3MB
-
memory/272-117-0x000000001E160000-0x000000001E2A2000-memory.dmpFilesize
1.3MB
-
memory/272-101-0x000000001AE80000-0x000000001AE8A000-memory.dmpFilesize
40KB
-
memory/272-58-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/272-3896-0x000000001AFEE000-0x000000001AFF2000-memory.dmpFilesize
16KB
-
memory/272-3895-0x000000001AFEA000-0x000000001AFEE000-memory.dmpFilesize
16KB
-
memory/272-3894-0x000000001AFEA000-0x000000001AFEE000-memory.dmpFilesize
16KB
-
memory/272-2498-0x000000001AF9E000-0x000000001AFBD000-memory.dmpFilesize
124KB
-
memory/272-3893-0x000000001AFCF000-0x000000001AFDA000-memory.dmpFilesize
44KB
-
memory/272-3892-0x000000001AFC5000-0x000000001AFCA000-memory.dmpFilesize
20KB
-
memory/272-251-0x000000001AF9E000-0x000000001AFBD000-memory.dmpFilesize
124KB
-
memory/272-3890-0x000000001AFC5000-0x000000001AFCA000-memory.dmpFilesize
20KB
-
memory/272-3889-0x000000001AFBD000-0x000000001AFC0000-memory.dmpFilesize
12KB
-
memory/272-3888-0x000000001AFBD000-0x000000001AFC0000-memory.dmpFilesize
12KB
-
memory/272-3887-0x000000001AFE3000-0x000000001AFE7000-memory.dmpFilesize
16KB
-
memory/272-3884-0x000000001AFDF000-0x000000001AFE3000-memory.dmpFilesize
16KB
-
memory/272-54-0x000007FEF5C30000-0x000007FEF661C000-memory.dmpFilesize
9.9MB
-
memory/272-3886-0x000000001AFDF000-0x000000001AFE3000-memory.dmpFilesize
16KB
-
memory/760-3883-0x0000000020B90000-0x0000000020BDA000-memory.dmpFilesize
296KB
-
memory/760-3882-0x000000001AD7E000-0x000000001AD9D000-memory.dmpFilesize
124KB
-
memory/760-1965-0x0000000000000000-mapping.dmp
-
memory/760-3880-0x000000001F480000-0x000000001F530000-memory.dmpFilesize
704KB
-
memory/760-3879-0x000000001F390000-0x000000001F3CA000-memory.dmpFilesize
232KB
-
memory/760-3878-0x000000001F330000-0x000000001F342000-memory.dmpFilesize
72KB
-
memory/760-3877-0x000000001F2F0000-0x000000001F30A000-memory.dmpFilesize
104KB
-
memory/760-2261-0x000000001AD7E000-0x000000001AD9D000-memory.dmpFilesize
124KB
-
memory/760-2047-0x000000001B0D0000-0x000000001B270000-memory.dmpFilesize
1.6MB
-
memory/760-3881-0x000000001FA30000-0x000000001FAA4000-memory.dmpFilesize
464KB