Overview

Per-task scores as shown in the report sidebar (task names truncated as displayed; the full sample paths are in the Behavioral tasks list):

Score  Task                   Platform
10     Static                 -
10     Redline St...er.exe    windows10-1703-x64
1      Redline St...config    windows10-1703-x64
3      Redline St...er.pdb    windows10-1703-x64
3      Redline St...db.dll    windows10-1703-x64
1      Redline St...db.pdb    windows10-1703-x64
3      Redline St...db.dll    windows10-1703-x64
1      Redline St...db.pdb    windows10-1703-x64
3      Redline St...ks.dll    windows10-1703-x64
1      Redline St...ks.pdb    windows10-1703-x64
3      Redline St...il.dll    windows10-1703-x64
1      Redline St...il.pdb    windows10-1703-x64
3      Redline St...er.exe    windows10-1703-x64
10     Redline St...ub.exe    windows10-1703-x64
10     Redline St...st.exe    windows10-1703-x64
1      Redline St...config    windows10-1703-x64
3      Redline St...CF.dll    windows10-1703-x64
1      Redline St...config    windows10-1703-x64
3      Redline St...er.exe    windows10-1703-x64
4      Redline St...xe.xml    windows10-1703-x64
1      Redline St...).docx    windows10-1703-x64
1      Redline St...).docx    windows10-1703-x64
1      Redline St...AQ.txt    windows10-1703-x64
1      Redline St...config    windows10-1703-x64
3      Redline St...ne.exe    windows10-1703-x64
10     Redline St...rs.txt    windows10-1703-x64
1      Redline St...rs.txt    windows10-1703-x64
1      Redline St...s.json    windows10-1703-x64
3      Redline St...s.json    windows10-1703-x64
3      Redline St...me.exe    windows10-1703-x64
8      Redline St...48.exe    windows10-1703-x64
7      Redline St...ar.exe    windows10-1703-x64
1      Redline St...Me.txt    windows10-1703-x64
Analysis

Max time kernel: 150s
Max time network: 154s
Platform: windows10-1703_x64
Resource: win10-20230220-en
Resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 10-03-2023 14:35
Behavioral tasks (all run on resource win10-20230220-en)

behavioral1   Redline Stealer 2022 Cracked/Kurome.Builder/Kurome.Builder.exe
behavioral2   Redline Stealer 2022 Cracked/Kurome.Builder/Kurome.Builder.exe.config
behavioral3   Redline Stealer 2022 Cracked/Kurome.Builder/Kurome.Builder.pdb
behavioral4   Redline Stealer 2022 Cracked/Kurome.Builder/Mono.Cecil.Mdb.dll
behavioral5   Redline Stealer 2022 Cracked/Kurome.Builder/Mono.Cecil.Mdb.pdb
behavioral6   Redline Stealer 2022 Cracked/Kurome.Builder/Mono.Cecil.Pdb.dll
behavioral7   Redline Stealer 2022 Cracked/Kurome.Builder/Mono.Cecil.Pdb.pdb
behavioral8   Redline Stealer 2022 Cracked/Kurome.Builder/Mono.Cecil.Rocks.dll
behavioral9   Redline Stealer 2022 Cracked/Kurome.Builder/Mono.Cecil.Rocks.pdb
behavioral10  Redline Stealer 2022 Cracked/Kurome.Builder/Mono.Cecil.dll
behavioral11  Redline Stealer 2022 Cracked/Kurome.Builder/Mono.Cecil.pdb
behavioral12  Redline Stealer 2022 Cracked/Kurome.Builder/builder.exe   (this report)
behavioral13  Redline Stealer 2022 Cracked/Kurome.Builder/stub.exe
behavioral14  Redline Stealer 2022 Cracked/Kurome.Host/Kurome.Host.exe
behavioral15  Redline Stealer 2022 Cracked/Kurome.Host/Kurome.Host.exe.config
behavioral16  Redline Stealer 2022 Cracked/Kurome.Host/Kurome.WCF.dll
behavioral17  Redline Stealer 2022 Cracked/Kurome.Host/Kurome.WCF.dll.config
behavioral18  Redline Stealer 2022 Cracked/Kurome.Loader/Kurome.Loader.exe
behavioral19  Redline Stealer 2022 Cracked/Kurome.Loader/Kurome.Loader.exe.xml
behavioral20  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/FAQ (English).docx
behavioral21  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/FAQ(RUS).docx
behavioral22  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/FAQ.txt
behavioral23  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Panel/Panel.exe.config
behavioral24  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Panel/Redline.exe
behavioral25  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Panel/chromeBrowsers.txt
behavioral26  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Panel/geckoBrowsers.txt
behavioral27  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Panel/serviceSettings.json
behavioral28  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Panel/telegramChatsSettings.json
behavioral29  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Tools/Chrome.exe
behavioral30  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Tools/NetFramework48.exe
behavioral31  Redline Stealer 2022 Cracked/Panel/RedLine_20_2/Tools/WinRar.exe
behavioral32  Redline Stealer 2022 Cracked/ReadMe.txt
General

Target: Redline Stealer 2022 Cracked/Kurome.Builder/builder.exe
Size: 176KB
MD5: 2bf414e4eead5821479afd1c48ca10fd
SHA1: ee27dbb4497e00c234820b0401009680b9739c39
SHA256: b4f45f5887e216c7cf4e3635ce16f770de2bcb82c66671bb0c19f0289b090494
SHA512: 1837be8412fde13bffb050d6aefa8c78605dbd91660425b3d3b31629104dc9efdbce869fd0db6ac5b0b12d397c8cff5a197a97aff8ad27cbbbbdfc816f0c3f52
SSDEEP: 3072:Y0taY/+zi0ZbYe1g0ujyzdLgJ2Be0XQx3:YAaYmG0Lahyd9
Malware Config

Extracted: njrat
Version: 0.7d
Campaign ID (botnet): HacKed
C2: 172.93.231.202:5552
Mutex: b686448cd18e4753a57a179d9c102a12
reg_key: b686448cd18e4753a57a179d9c102a12
Splitter: |'|'|

Extracted: redline
Botnet: cheat
C2: 127.0.0.1:1337

Two configs come out of one run. The njRAT config has a routable C2 and its reg_key/mutex value is the same name used for the Run-key value and Startup-folder file in the signatures, so it is the live backdoor in this package. The RedLine config points at loopback (127.0.0.1:1337), so as configured that payload connects only to the local machine; it looks like a default or test build rather than an operational one. When hunting, pivot on the njRAT indicators first.
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (3 IoCs)
  Rule            Resource
  family_redline  C:\Users\Admin\AppData\Roaming\build.exe
  family_redline  C:\Users\Admin\AppData\Roaming\build.exe
  family_redline  behavioral12/memory/4304-128-0x00000000008B0000-0x00000000008CE000-memory.dmp

- SectopRAT payload (3 IoCs)
  Rule              Resource
  family_sectoprat  C:\Users\Admin\AppData\Roaming\build.exe
  family_sectoprat  C:\Users\Admin\AppData\Roaming\build.exe
  family_sectoprat  behavioral12/memory/4304-128-0x00000000008B0000-0x00000000008CE000-memory.dmp
  Both rule families fire on exactly the same file and the same 120KB region of PID 4304, so this is one payload matched by two overlapping rules, not two separate payloads. The extracted redline config (Malware Config section) is the more specific attribution.

- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  The IoC is the netsh command that Server.exe spawns (see the process tree).

- Drops startup file (2 IoCs)
  Process     Description                   IoC
  Server.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b686448cd18e4753a57a179d9c102a12.exe
  Server.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b686448cd18e4753a57a179d9c102a12.exe

- Executes dropped EXE (2 IoCs)
  PID   Process
  4264  Server.exe
  4304  build.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process     Description      IoC
  Server.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\b686448cd18e4753a57a179d9c102a12 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."
  Server.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b686448cd18e4753a57a179d9c102a12 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."
  The value name is the njrat reg_key from the extracted config, and the trailing " .." argument is the form njRAT's persistence entry takes. The HKLM write landing under WOW6432Node means Server.exe is a 32-bit process on this 64-bit image, which also matches the SysWOW64 copy of netsh.exe it launches.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. Nothing else in this run points to encryption activity; drive enumeration is also ordinary stealer/RAT reconnaissance, so do not read it as ransomware here.

- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  PID   Process     Privileges
  4304  build.exe   SeDebugPrivilege
  4264  Server.exe  SeDebugPrivilege, then the pair (Token 33, SeIncBasePriorityPrivilege) repeated 17 times

- Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID  Source       Target PID  Target      Writes
  2568        builder.exe  4264        Server.exe  3
  2568        builder.exe  4304        build.exe   3
  4264        Server.exe   4504        netsh.exe   3
  Each parent writes to each child exactly three times, at process creation; on its own that is consistent with ordinary child-process start-up rather than code injection, and no remote-thread or hollowing signature appears in this report.
Processes

1  C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2022 Cracked\Kurome.Builder\builder.exe  (PID 2568)
   "C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2022 Cracked\Kurome.Builder\builder.exe"
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Roaming\Server.exe  (PID 4264)
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\netsh.exe  (PID 4504)
         netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
         - Modifies Windows Firewall
   2  C:\Users\Admin\AppData\Roaming\build.exe  (PID 4304)
      "C:\Users\Admin\AppData\Roaming\build.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

Read together with the signatures (PIDs taken from the WriteProcessMemory table), the chain is: the "cracked" builder acts as a dropper for two payloads written to %AppData% and executed from there. Server.exe is the njRAT client from the extracted config; it persists under the value name b686448cd18e4753a57a179d9c102a12 in both Run keys and in the Startup folder, and opens a firewall exception for itself with the legacy netsh firewall syntax. build.exe is the payload the RedLine/SectopRAT rules match, with a loopback C2. Anyone who ran this package to "build" a stealer infected their own machine with a remote-access trojan reporting to 172.93.231.202:5552.
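The persistence and firewall-exception steps above are cheap to detect from endpoint telemetry. What follows is an added example, not part of this sandbox report and not the malware's own code: Python detection logic run over a constructed trace of Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet) that reproduces this report's process tree, Run-key, Startup-folder and netsh IoCs, plus two invented benign events as controls. Sysmon field names are assumed; the rule names, the user-writable directory list and the benign events are assumptions, not anything the report states.

```python
"""Detection logic for the drop -> persist -> firewall-exception chain in this report,
over constructed Sysmon-style events.  Added example; not part of the sandbox report
and not the malware's own code.  PIDs, paths and registry values are the report's,
the benign events are invented controls."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Directories a standard user can write to (assumed list; binaries persisting from here are suspect).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)", re.I)
RUN_KEY = re.compile(r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# Legacy "netsh firewall" syntax (used in this report) and the modern advfirewall form.
NETSH_ALLOW = re.compile(r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+')   # assumes paths containing spaces are quoted
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)  # njRAT-style value/file name seen in this report


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str
    tags: tuple = ()


def user_writable_paths(text):
    """Windows paths in a command line or registry value that sit in user-writable dirs."""
    return [p for p in WIN_PATH.findall(text) if USER_WRITABLE.match(p)]


def analyse(events):
    """Run the rules over chronologically ordered events and return the alerts raised."""
    images = {}      # pid -> image path, for parent look-ups
    dropped = set()  # files written earlier in the trace by any process
    alerts = []
    for e in events:
        pid, eid = e["ProcessId"], e["EventID"]
        if eid == 11:                                    # FileCreate
            dropped.add(e["TargetFilename"].lower())
            if STARTUP_DIR.search(e["TargetFilename"]):
                alerts.append(Alert("startup_folder_drop", pid, e["TargetFilename"]))
        elif eid == 1:                                   # ProcessCreate
            images[pid] = e["Image"]
            if e["Image"].lower() in dropped:            # "Executes dropped EXE"
                alerts.append(Alert("executes_dropped_exe", pid, e["Image"]))
            cmd = e["CommandLine"]
            if NETSH_ALLOW.search(cmd):
                for p in user_writable_paths(cmd):       # exception for a user-writable binary
                    alerts.append(Alert("firewall_allow_user_writable", pid, p))
                parent = images.get(e["ParentProcessId"], "")
                if USER_WRITABLE.match(parent):          # netsh launched by such a binary
                    alerts.append(Alert("netsh_spawned_from_user_writable", pid, parent))
        elif eid == 13:                                  # RegistryValueSet
            m = RUN_KEY.search(e["TargetObject"])
            paths = user_writable_paths(e["Details"]) if m else []
            if paths:
                tags = []
                if HEX32.match(m.group(1)):
                    tags.append("hex32_value_name")
                if e["Details"].rstrip().endswith(" .."):  # the '"path" ..' form in this report
                    tags.append("trailing_dotdot_arg")
                alerts.append(Alert("run_key_user_writable", pid, paths[0], tuple(tags)))
    return alerts


def alerts_by_rule(events):
    grouped = defaultdict(list)
    for a in analyse(events):
        grouped[a.rule].append(a)
    return dict(grouped)


# Constructed trace modelled on the report's process tree and IoCs.
APPDATA = r"C:\Users\Admin\AppData\Roaming"
BUILDER = r"C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2022 Cracked\Kurome.Builder\builder.exe"
SERVER, BUILD = APPDATA + r"\Server.exe", APPDATA + r"\build.exe"
STARTUP = APPDATA + r"\Microsoft\Windows\Start Menu\Programs\Startup"
HKU_RUN = r"\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
RUNVAL = "b686448cd18e4753a57a179d9c102a12"


def ev(eid, pid, **fields):
    return {"EventID": eid, "ProcessId": pid, **fields}


EVENTS = [
    ev(1, 2568, ParentProcessId=1000, Image=BUILDER, CommandLine=f'"{BUILDER}"'),
    ev(11, 2568, TargetFilename=SERVER),
    ev(11, 2568, TargetFilename=BUILD),
    ev(1, 4264, ParentProcessId=2568, Image=SERVER, CommandLine=f'"{SERVER}"'),
    ev(1, 4304, ParentProcessId=2568, Image=BUILD, CommandLine=f'"{BUILD}"'),
    ev(11, 4264, TargetFilename=f"{STARTUP}\\{RUNVAL}.exe"),
    ev(13, 4264, TargetObject=f"{HKU_RUN}\\{RUNVAL}", Details=f'"{SERVER}" ..'),
    ev(13, 4264, TargetObject=f"{HKLM_RUN}\\{RUNVAL}", Details=f'"{SERVER}" ..'),
    ev(1, 4504, ParentProcessId=4264, Image=r"C:\Windows\SysWOW64\netsh.exe",
       CommandLine=f'netsh firewall add allowedprogram "{SERVER}" "Server.exe" ENABLE'),
    # Invented benign controls: a vendor updater in Program Files and a read-only netsh query.
    ev(13, 1000, TargetObject=f"{HKU_RUN}\\VendorUpdater", Details=r'"C:\Program Files\Vendor\Updater.exe" /background'),
    ev(1, 5100, ParentProcessId=1000, Image=r"C:\Windows\System32\netsh.exe", CommandLine="netsh interface show interface"),
]

if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(f"{a.rule:34} pid={a.pid:<5} {a.detail} {list(a.tags)}")
```

Against the constructed trace this raises seven alerts, all on PIDs 4264, 4304 and 4504, and none on the two benign controls. The two Run-key alerts carry both tags, which is the combination worth a high-severity rule: a 32-hex value name pointing at a user-writable binary with the trailing " .." argument is specific enough to the njRAT family seen here that it should page someone, whereas the generic "Run key to AppData" rule on its own will also catch legitimate per-user installers.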
Downloads

C:\Users\Admin\AppData\Roaming\Server.exe
Filesize: 23KB
MD5: 25b54f7f39b021b1d5e3a15b04a3490f
SHA1: ab66577f15e700d5e4ab423402bd21f23a67988d
SHA256: c2768f2e91df4955e2582273ffb759e82c5a5aae4e1318b8643e011d0dd0b944
SHA512: cf3a318fa4f56408a38a23e82dc12bbdbeb738ab724c0c4b975d438027990945d399c8daeb56f84afaa79c8c182e0c767d86580d4be55552b9e72bf932a85c01

C:\Users\Admin\AppData\Roaming\build.exe
Filesize: 95KB
MD5: ca8b99c9d67aee4b846581461ec6bb2b
SHA1: 7c0fd208b99bc69aaf003693aeafbe73cde4658f
SHA256: d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a
SHA512: 027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

Memory dumps

PID   Dump                                                              Size
2568  memory/2568-117-0x0000000000C90000-0x0000000000CA0000-memory.dmp  64KB
4264  memory/4264-129-0x00000000030B0000-0x00000000030C0000-memory.dmp  64KB
4264  memory/4264-137-0x00000000030B0000-0x00000000030C0000-memory.dmp  64KB
4304  memory/4304-128-0x00000000008B0000-0x00000000008CE000-memory.dmp  120KB  (matches family_redline and family_sectoprat)
4304  memory/4304-130-0x0000000005870000-0x0000000005E76000-memory.dmp  6.0MB
4304  memory/4304-131-0x0000000002D70000-0x0000000002D82000-memory.dmp  72KB
4304  memory/4304-132-0x0000000005150000-0x000000000518E000-memory.dmp  248KB
4304  memory/4304-133-0x0000000005190000-0x00000000051DB000-memory.dmp  300KB
4304  memory/4304-134-0x0000000005250000-0x0000000005260000-memory.dmp  64KB
4304  memory/4304-135-0x00000000053D0000-0x00000000054DA000-memory.dmp  1.0MB
4304  memory/4304-138-0x0000000005250000-0x0000000005260000-memory.dmp  64KB