Overview
overview
10Static
static
Kirame.Bui...er.exe
windows10-2004-x64
10Kirame.Hos...st.exe
windows10-2004-x64
7Kirame.Loa...er.exe
windows10-2004-x64
8Panel/RedL...el.exe
windows10-2004-x64
10Panel/RedL...me.exe
windows10-2004-x64
8Panel/RedL...48.exe
windows10-2004-x64
8Panel/RedL...ar.exe
windows10-2004-x64
1General
-
Target
Redline.Stealer.08.11.2022.zip
-
Size
14.9MB
-
Sample
221205-1xmr1abe33
-
MD5
3667b953a49081cc09a1bf2d89973e25
-
SHA1
0f7481b87bfc416e36b75efc5427f936926a1631
-
SHA256
118929fa7bb48dd46b39a24144202096725293c56c310b56420ddf7976567710
-
SHA512
4ac73a99dc157a59e33e7d5e72de490a715fecb143ebb17ae27765d7ab40411201ce1b02492f5b5a33f8bd76ee764ee1969e510c0b18a39e7ca50cd68201e8c6
-
SSDEEP
393216:3d5QBs5upK29d7k68ifsRS9LxIH3jCm/wY0Zxl07AUHpu:34BsUI2xfsR7jd/NOD079pu
Static task
static1
Behavioral task
behavioral1
Sample
Kirame.Builder/Kirame.Builder.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
Kirame.Host/Kirame.Host.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral3
Sample
Kirame.Loader/Kirame.Loader.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
Panel/RedLine20_22/Panel/Panel.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
Panel/RedLine20_22/Tools/Chrome.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
Panel/RedLine20_22/Tools/NetFramework48.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
Panel/RedLine20_22/Tools/WinRar.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
redline
@dwqmosh
neredenkyor.xyz:81
-
auth_value
a94b13695bd4053b8b47b0976366da25
Targets
-
-
Target
Kirame.Builder/Kirame.Builder.exe
-
Size
2.4MB
-
MD5
2ba1b8fb32916403ad7249df8f7e608d
-
SHA1
726e1c8c0cc89b9cd94576c51b5f77d4e3defb3b
-
SHA256
4411cee1d891a03cb0c12726325baeaa6c913c31506c3fff9923da17cb48ef5c
-
SHA512
6bb9e5b24410aea7629b6d5d0b926abf068b739aa6e232d264fc0954d1e69b27a086aed28fee6d44a876250c6e73da99b74f6053574e4f4136482a3826a46f80
-
SSDEEP
24576:SiJYwYHYlyCxxGM/sXKR2praFeY6Vus1P2E9fDLVzMbXil3RuQ553131:SiJYOesepV/1P2E9fDfl3L
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of SetThreadContext
-
-
-
Target
Kirame.Host/Kirame.Host.exe
-
Size
1.6MB
-
MD5
c7085202e7a5620160f9d4fdf1219df2
-
SHA1
abe00b161c2f83ee83133b187262bf6289e88339
-
SHA256
00b2a7341252cef219c7070853a4e7cf4ce086a69de1c10ceee91fe8a6add013
-
SHA512
8f91ba27d9f83be857c12b2b9339ebd83f2f77c11f3d4610347de3f8a54321e25d1ff197596fc952da0920344990738a8de57921250e03c2c4bc340c4b4e7640
-
SSDEEP
24576:eQi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqn+/:evTq24GjdGSgw+W7SCRnVQTEQ/BA8+
Score7/10-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Kirame.Loader/Kirame.Loader.exe
-
Size
779KB
-
MD5
341544d48dffd2ea814db70b1ab59868
-
SHA1
27eb7de97fd9aa568cab1c23483058c7ff78cc70
-
SHA256
88d9c1fde490e92f60b2ec1a3b31f73358449edc3f4a91702d206204be848fdc
-
SHA512
26adaea9fdc82e30cdd871bd6fa9e39aeb00f31a99449b1313235724a11fae928ae7602f8d61975a128d658b966cb4c735f5585197b7d23c7d5c82b7e427dc45
-
SSDEEP
6144:6rxmnlXOdKHVE+1KEVmYVZDbrsVLKxWe/s9qfvowhaAMV3eXgfQULGb3WOaZGwbi:eml1OAUYeKxWe0eJueQffLG7rPWoi89
Score8/10-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
Panel/RedLine20_22/Panel/Panel.exe
-
Size
9.3MB
-
MD5
f4e19b67ef27af1434151a512860574e
-
SHA1
56304fc2729974124341e697f3b21c84a8dd242a
-
SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
-
SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77
-
SSDEEP
196608:mJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVI1SM52n3iWuUZ/c1sxXoP3p:mJQaPHrQqXs140qMhu8369sV+HLz9SKI
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
-
-
Target
Panel/RedLine20_22/Tools/Chrome.exe
-
Size
1.1MB
-
MD5
92cfeb7c07906eac0d4220b8a1ed65b1
-
SHA1
882b83e903b5b4c7c75f0b1dc31bb7aa8938d8fa
-
SHA256
38b827a431b89da0d9cdd444373364371f4f6e6bf299e7935f05b2351ca9186c
-
SHA512
e2ee932f5b81403935a977f9d3c8e2e4f6a4c9a1967b7e1cf61229a7746a24aae486ac6b779fb570f1dff02a3ff30107044f0427ce46474b91d788c78c8fcfbf
-
SSDEEP
24576:q6JGMnMpfVArKlhbP6GFibQC1QSvKZHHf1FqbI4Cn:47/MPGFibsSipHubPa
Score8/10-
Executes dropped EXE
-
Registers COM server for autorun
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
-
-
Target
Panel/RedLine20_22/Tools/NetFramework48.exe
-
Size
1.4MB
-
MD5
86482f2f623a52b8344b00968adc7b43
-
SHA1
755349ecd6a478fe010e466b29911d2388f6ce94
-
SHA256
2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57
-
SHA512
64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d
-
SSDEEP
24576:MGHL3siy9J0/SmtLvUDSRbm4Jah1rVxL+iTOhYdeM+GkdnddMF2ScVC3oKNVpNXo:RL3s7mKeTUDBzrVxxOhYdeMinddG2lCK
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Panel/RedLine20_22/Tools/WinRar.exe
-
Size
3.2MB
-
MD5
b66dec691784f00061bc43e62030c343
-
SHA1
779d947d41efafc2995878e56e213411de8fb4cf
-
SHA256
26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370
-
SHA512
6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3
-
SSDEEP
98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8
Score1/10 -