Analysis

max time kernel: 26s
max time network: 32s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 22:01
Static task: static1

Behavioral tasks:
- behavioral1: Kirame.Builder/Kirame.Builder.exe (resource win10v2004-20220812-en)
- behavioral2: Kirame.Host/Kirame.Host.exe (resource win10v2004-20220901-en)
- behavioral3: Kirame.Loader/Kirame.Loader.exe (resource win10v2004-20220812-en)
- behavioral4: Panel/RedLine20_22/Panel/Panel.exe (resource win10v2004-20220812-en)
- behavioral5: Panel/RedLine20_22/Tools/Chrome.exe (resource win10v2004-20220812-en)
- behavioral6: Panel/RedLine20_22/Tools/NetFramework48.exe (resource win10v2004-20220812-en)
- behavioral7: Panel/RedLine20_22/Tools/WinRar.exe (resource win10v2004-20220812-en)
General

Target: Kirame.Builder/Kirame.Builder.exe
Size: 2.4MB
MD5: 2ba1b8fb32916403ad7249df8f7e608d
SHA1: 726e1c8c0cc89b9cd94576c51b5f77d4e3defb3b
SHA256: 4411cee1d891a03cb0c12726325baeaa6c913c31506c3fff9923da17cb48ef5c
SHA512: 6bb9e5b24410aea7629b6d5d0b926abf068b739aa6e232d264fc0954d1e69b27a086aed28fee6d44a876250c6e73da99b74f6053574e4f4136482a3826a46f80
SSDEEP: 24576:SiJYwYHYlyCxxGM/sXKR2praFeY6Vus1P2E9fDLVzMbXil3RuQ553131:SiJYOesepV/1P2E9fDfl3L
Malware Config

Extracted family: redline
Botnet: @dwqmosh
C2: neredenkyor.xyz:81
auth_value: a94b13695bd4053b8b47b0976366da25
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral1/memory/214988-133-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
The matching region lives in PID 214988 (AppLaunch.exe), the child that Kirame.Builder.exe injects into below, not in the builder's own image. 0x400000 is the default image base of a 32-bit PE, so the 128KB region at that address is the injected payload image rather than the builder.

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 3612 set thread context of 214988 | 3612 | Kirame.Builder.exe | AppLaunch.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | process | target process
PID 3612 wrote to memory of 214988 | 3612 | Kirame.Builder.exe | AppLaunch.exe
(the same row is reported 5 times, one per WriteProcessMemory call)

Writing into a freshly spawned child and then replacing its thread context is the standard process-hollowing sequence: either call on its own is common in benign software, the pair on a signed .NET host such as AppLaunch.exe is not.
Processes

- C:\Users\Admin\AppData\Local\Temp\Kirame.Builder\Kirame.Builder.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Kirame.Builder\Kirame.Builder.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
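As an added example (this editor's code, not part of the Triage report or of the analysed sample), the Python below parses behaviour rows in the same "PID A <op> B A image target" shape the report uses, flags any source process that both wrote into and reset the thread context of the same target, and computes the size and image-base position of the dumped regions listed under Downloads. The event rows and dump names are constructed to mirror the report; the extra svchost.exe/WerFault.exe row is added for contrast, and the host list beyond AppLaunch.exe is an assumption about commonly abused .NET hosts, not something the report states.

```python
"""Flag process-hollowing style injection in sandbox behaviour events.

Editor's example; not part of the Triage report or of the sample. Event
rows and dump names are constructed to mirror the report's format. The
HOLLOW_HOSTS entries other than AppLaunch.exe are an assumption.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Signed .NET framework hosts often chosen as hollowing targets (assumed list;
# only AppLaunch.exe appears in the report above).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}

# Constructed events: three from the report, one benign-looking pair for contrast.
EVENTS = """\
PID 3612 wrote to memory of 214988 3612 Kirame.Builder.exe AppLaunch.exe
PID 3612 wrote to memory of 214988 3612 Kirame.Builder.exe AppLaunch.exe
PID 3612 set thread context of 214988 3612 Kirame.Builder.exe AppLaunch.exe
PID 5000 wrote to memory of 5001 5000 svchost.exe WerFault.exe
"""

# Constructed dump names in the report's Downloads format.
DUMPS = [
    "memory/214988-132-0x0000000000000000-mapping.dmp",
    "memory/214988-133-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/214988-138-0x0000000005CB0000-0x00000000062C8000-memory.dmp",
]


def parse_events(text):
    """Turn free-text IoC rows into dicts; rows that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def find_hollowing(events):
    """One hit per (source, target) pair where the same source both wrote into
    the target and replaced a thread context. Either API alone is common in
    benign software; the combination is the hollowing signature."""
    ops = defaultdict(set)
    images = {}
    for e in events:
        key = (e["src"], e["dst"])
        ops[key].add(e["op"])
        images[key] = (e["src_image"], e["dst_image"])
    hits = []
    for key, seen in sorted(ops.items()):
        if {"wrote to memory of", "set thread context of"} <= seen:
            src_image, dst_image = images[key]
            hits.append({
                "src": key[0], "dst": key[1],
                "src_image": src_image, "dst_image": dst_image,
                "known_host": dst_image.lower() in HOLLOW_HOSTS,
            })
    return hits


def region_info(dump_name):
    """Size in KB of a dumped region and whether it starts at 0x400000, the
    default 32-bit PE image base where a hollowed payload normally lands.
    Returns None for mapping dumps, which carry no address range."""
    m = DUMP_RE.fullmatch(dump_name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "size_kb": (end - start) // 1024,
            "at_default_image_base": start == 0x400000}


def payload_regions(dump_names, hits):
    """Dump regions that belong to a hollowed target and sit at the image base."""
    targets = {h["dst"] for h in hits}
    out = []
    for name in dump_names:
        info = region_info(name)
        if info and info["pid"] in targets and info["at_default_image_base"]:
            out.append((name, info["size_kb"]))
    return out


if __name__ == "__main__":
    hits = find_hollowing(parse_events(EVENTS))
    for h in hits:
        print(f"hollowing: {h['src_image']} ({h['src']}) -> {h['dst_image']} "
              f"({h['dst']}), known host: {h['known_host']}")
    for name, kb in payload_regions(DUMPS, hits):
        print(f"candidate payload image: {name} ({kb}KB)")
```

Run as-is it reports the single Kirame.Builder.exe to AppLaunch.exe pair and picks out the 128KB region at 0x400000 as the candidate payload image; the svchost.exe/WerFault.exe row, which only writes memory, is not flagged. The same pairing rule applies to ETW or Sysmon-style telemetry once the source and target PIDs are extracted.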
Network
MITRE ATT&CK Matrix
Downloads

- memory/214988-132-0x0000000000000000-mapping.dmp
- memory/214988-133-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/214988-138-0x0000000005CB0000-0x00000000062C8000-memory.dmp (6.1MB)
- memory/214988-139-0x00000000056B0000-0x00000000056C2000-memory.dmp (72KB)
- memory/214988-140-0x00000000057E0000-0x00000000058EA000-memory.dmp (1.0MB)
- memory/214988-141-0x0000000005710000-0x000000000574C000-memory.dmp (240KB)