Overview

overview

10

Static

static

Kirame.Bui...er.exe

windows10-2004-x64

10

Kirame.Hos...st.exe

windows10-2004-x64

7

Kirame.Loa...er.exe

windows10-2004-x64

8

Panel/RedL...el.exe

windows10-2004-x64

10

Panel/RedL...me.exe

windows10-2004-x64

8

Panel/RedL...48.exe

windows10-2004-x64

8

Panel/RedL...ar.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Redline.Stealer.08.11.2022.zip

  • Size

    14.9MB

  • Sample

    221205-1xmr1abe33

  • MD5

    3667b953a49081cc09a1bf2d89973e25

  • SHA1

    0f7481b87bfc416e36b75efc5427f936926a1631

  • SHA256

    118929fa7bb48dd46b39a24144202096725293c56c310b56420ddf7976567710

  • SHA512

    4ac73a99dc157a59e33e7d5e72de490a715fecb143ebb17ae27765d7ab40411201ce1b02492f5b5a33f8bd76ee764ee1969e510c0b18a39e7ca50cd68201e8c6

  • SSDEEP

    393216:3d5QBs5upK29d7k68ifsRS9LxIH3jCm/wY0Zxl07AUHpu:34BsUI2xfsR7jd/NOD079pu

Score
10/10
redline@dwqmoshcollectioninfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

@dwqmosh

C2

neredenkyor.xyz:81

Attributes
  • auth_value

    a94b13695bd4053b8b47b0976366da25

Targets

    • Target

      Kirame.Builder/Kirame.Builder.exe

    • Size

      2.4MB

    • MD5

      2ba1b8fb32916403ad7249df8f7e608d

    • SHA1

      726e1c8c0cc89b9cd94576c51b5f77d4e3defb3b

    • SHA256

      4411cee1d891a03cb0c12726325baeaa6c913c31506c3fff9923da17cb48ef5c

    • SHA512

      6bb9e5b24410aea7629b6d5d0b926abf068b739aa6e232d264fc0954d1e69b27a086aed28fee6d44a876250c6e73da99b74f6053574e4f4136482a3826a46f80

    • SSDEEP

      24576:SiJYwYHYlyCxxGM/sXKR2praFeY6Vus1P2E9fDLVzMbXil3RuQ553131:SiJYOesepV/1P2E9fDfl3L

    Score
    10/10
    redline@dwqmoshinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      Kirame.Host/Kirame.Host.exe

    • Size

      1.6MB

    • MD5

      c7085202e7a5620160f9d4fdf1219df2

    • SHA1

      abe00b161c2f83ee83133b187262bf6289e88339

    • SHA256

      00b2a7341252cef219c7070853a4e7cf4ce086a69de1c10ceee91fe8a6add013

    • SHA512

      8f91ba27d9f83be857c12b2b9339ebd83f2f77c11f3d4610347de3f8a54321e25d1ff197596fc952da0920344990738a8de57921250e03c2c4bc340c4b4e7640

    • SSDEEP

      24576:eQi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqn+/:evTq24GjdGSgw+W7SCRnVQTEQ/BA8+

    Score
    7/10
    collectionspywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral2

    • Target

      Kirame.Loader/Kirame.Loader.exe

    • Size

      779KB

    • MD5

      341544d48dffd2ea814db70b1ab59868

    • SHA1

      27eb7de97fd9aa568cab1c23483058c7ff78cc70

    • SHA256

      88d9c1fde490e92f60b2ec1a3b31f73358449edc3f4a91702d206204be848fdc

    • SHA512

      26adaea9fdc82e30cdd871bd6fa9e39aeb00f31a99449b1313235724a11fae928ae7602f8d61975a128d658b966cb4c735f5585197b7d23c7d5c82b7e427dc45

    • SSDEEP

      6144:6rxmnlXOdKHVE+1KEVmYVZDbrsVLKxWe/s9qfvowhaAMV3eXgfQULGb3WOaZGwbi:eml1OAUYeKxWe0eJueQffLG7rPWoi89

    Score
    8/10

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral3

    • Target

      Panel/RedLine20_22/Panel/Panel.exe

    • Size

      9.3MB

    • MD5

      f4e19b67ef27af1434151a512860574e

    • SHA1

      56304fc2729974124341e697f3b21c84a8dd242a

    • SHA256

      c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

    • SHA512

      a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

    • SSDEEP

      196608:mJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVI1SM52n3iWuUZ/c1sxXoP3p:mJQaPHrQqXs140qMhu8369sV+HLz9SKI

    Score
    10/10
    redlineinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    behavioral4

    • Target

      Panel/RedLine20_22/Tools/Chrome.exe

    • Size

      1.1MB

    • MD5

      92cfeb7c07906eac0d4220b8a1ed65b1

    • SHA1

      882b83e903b5b4c7c75f0b1dc31bb7aa8938d8fa

    • SHA256

      38b827a431b89da0d9cdd444373364371f4f6e6bf299e7935f05b2351ca9186c

    • SHA512

      e2ee932f5b81403935a977f9d3c8e2e4f6a4c9a1967b7e1cf61229a7746a24aae486ac6b779fb570f1dff02a3ff30107044f0427ce46474b91d788c78c8fcfbf

    • SSDEEP

      24576:q6JGMnMpfVArKlhbP6GFibQC1QSvKZHHf1FqbI4Cn:47/MPGFibsSipHubPa

    Score
    8/10
    persistence

    • Executes dropped EXE

    • Registers COM server for autorun

      persistence

    • Sets file execution options in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral5

    • Target

      Panel/RedLine20_22/Tools/NetFramework48.exe

    • Size

      1.4MB

    • MD5

      86482f2f623a52b8344b00968adc7b43

    • SHA1

      755349ecd6a478fe010e466b29911d2388f6ce94

    • SHA256

      2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57

    • SHA512

      64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d

    • SSDEEP

      24576:MGHL3siy9J0/SmtLvUDSRbm4Jah1rVxL+iTOhYdeM+GkdnddMF2ScVC3oKNVpNXo:RL3s7mKeTUDBzrVxxOhYdeMinddG2lCK

    Score
    8/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral6

    • Target

      Panel/RedLine20_22/Tools/WinRar.exe

    • Size

      3.2MB

    • MD5

      b66dec691784f00061bc43e62030c343

    • SHA1

      779d947d41efafc2995878e56e213411de8fb4cf

    • SHA256

      26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370

    • SHA512

      6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3

    • SSDEEP

      98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8

    Score
    1/10
    behavioral7

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

6
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks