General

  • Target

    Redline Stealer v24.2 cracked [XT_CH].rar

  • Size

    21MB

  • Sample

    230424-s32jcaee51

  • MD5

    64699e499ebd8ed101b0566e4d2aeec3

  • SHA1

    ab17ac5da9b6b51a0e83bc1c71bc807ff8e2bfa3

  • SHA256

    f414e4465043ddc7e7d558b341d2fefaf62a379d8107c7bc7b39a3d3f4c55b56

  • SHA512

    2afbe5af840383fcc4ab7ce3b8ee25023b4f2074bcf6b68890fbeeca52553f7c3e0411cbecd2a7748389f7202c167cea4022b6ff551626a552f05e7942e1ef8e

  • SSDEEP

    393216:4MVV0yWlp/sEvKWVm68FV3rOBZybyWKXzR8+5Vtck00:4U0yWb/sEvKWVm6k3rOBEmWkm1K

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

pandastealer

Version

1.11

C2

http://thisisgenk.temp.swtest.ru

Extracted

Family

pandastealer

Version

C2

http://�

Extracted

Family

pandastealer

Version

��H

C2

http://�H

Targets

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Kurome.Builder v24.2.exe

    • Size

      170KB

    • MD5

      470a8267b5eba7eb998d9fa69532f849

    • SHA1

      1152ddb2ab93aae9983e3e8b5c4f367875323e3e

    • SHA256

      6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

    • SHA512

      5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

    • SSDEEP

      3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Kurome.Builder_crack.exe

    • Size

      13MB

    • MD5

      ef176d75dff0768b2277cf9b4b7bf443

    • SHA1

      c981e9ba720366c3167cc92584bc7e86fe114d69

    • SHA256

      8d9bef7ae2d1334f6bdf7d7db3ee34da759c23f76c1623930425345787437e4c

    • SHA512

      67200dbb3dccb5207491b542059d236a9f1ab2d644151a3e3ba4c873636fb4ea564fabb8bdecbbdad677e0420d3d9e2b5057985c8d7162ffd5958f421893d9fb

    • SSDEEP

      393216:qm4pYqfmQvJzX0KIBJfrQaVjgF1vlKdV6/zEC55891:qxpYqfmYzAVjgF1vl+ud5U1

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Mdb.dll

    • Size

      42KB

    • MD5

      1c6aca0f1b1fa1661fc1e43c79334f7c

    • SHA1

      ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d

    • SHA256

      411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b

    • SHA512

      1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76

    • SSDEEP

      768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS

    Score
    1/10
    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Pdb.dll

    • Size

      87KB

    • MD5

      6d5eb860c2be5dbeb470e7d3f3e7dda4

    • SHA1

      80c76660b87c52127b1a7da48e27700f75362041

    • SHA256

      447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4

    • SHA512

      64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5

    • SSDEEP

      1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO

    Score
    1/10
    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Rocks.dll

    • Size

      27KB

    • MD5

      6e7f0f4fff6c49e3f66127c23b7f1a53

    • SHA1

      14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a

    • SHA256

      2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e

    • SHA512

      0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e

    • SSDEEP

      384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd

    Score
    1/10
    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.dll

    • Size

      350KB

    • MD5

      de69bb29d6a9dfb615a90df3580d63b1

    • SHA1

      74446b4dcc146ce61e5216bf7efac186adf7849b

    • SHA256

      f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

    • SHA512

      6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

    • SSDEEP

      6144:jIevdbLPNYe8bikm98KXPHhOWY/fFREomhUFD3z:se1PNL+QRfBg/f/EWFD

    Score
    1/10
    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/stub.dll

    • Size

      96KB

    • MD5

      625ed01fd1f2dc43b3c2492956fddc68

    • SHA1

      48461ef33711d0080d7c520f79a0ec540bda6254

    • SHA256

      6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b

    • SHA512

      1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665

    • SSDEEP

      1536:9G6ijoigzKqO1RUTBHQsu/0igR4vYVVlmbfaxv0ujXyyedOn4iwEEl:BSElHQ/ORUYos0ujyzdZl

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Host/Kurome.Host.exe

    • Size

      1MB

    • MD5

      b141f114ecbfd918e995d5b40cc4309a

    • SHA1

      403ed39ba990caf4fc82672257875e58ed3a9c3f

    • SHA256

      c11a53f5cdd9d41b754e8cdb8132b7c13f224359302dbb8a4bd9502271feafbe

    • SHA512

      9f2fcef0f8d330d3d7615e642b351bb53da4679df64ee6cc937dd50cdbb318afecca2b56ad2b2a93a9cd6ae41d8e3dfcbc5f876c83f88ec13bc9cef49448315b

    • SSDEEP

      24576:loJEKZ6IEGTMxapRl2PSwHTehy6BP+pXShToJEKZ6IEGTMxapRl2PSwHTehy6BPk:louKZ6iMqRl2PSwzehy6cpXShTouKZ6x

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Host/Kurome.WCF.dll

    • Size

      123KB

    • MD5

      e3d39e30e0cdb76a939905da91fe72c8

    • SHA1

      433fc7dc929380625c8a6077d3a697e22db8ed14

    • SHA256

      4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

    • SHA512

      9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

    • SSDEEP

      3072:9mWO8dR1mB5UzPU7vdTm8pLetBD0PQbP1:g2dL8ewbJnpBe

    Score
    1/10
    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_Kurome Loader 20.2.exe

    • Size

      170KB

    • MD5

      470a8267b5eba7eb998d9fa69532f849

    • SHA1

      1152ddb2ab93aae9983e3e8b5c4f367875323e3e

    • SHA256

      6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

    • SHA512

      5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

    • SSDEEP

      3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_KuromeLoader.exe.exe

    • Size

      2MB

    • MD5

      c1bf694a0aab442c2b3d40ec4f56ace5

    • SHA1

      2ea6ef48ac190a26a738e22ad454b91fc58d3218

    • SHA256

      00ae4b11e9757721ff825a6d84e0afefb810ce0e062c836503ca14141ca31a39

    • SHA512

      d8386440e89c1ae538f53bb5a9ee4d8030b6067eb1c6d18fadd118e88d506e11343c0f3cd58bc2636739ade87aef821e2513f0aa8a760bd9787a07a49a48c610

    • SSDEEP

      49152:rnsHyjtk2MYC5GDeCouKZ6iMqRl2PSwzehy6cpXShTouKZ6iMqRl2PSwzehy6cpu:rnsmtk2a9UzehkUzehz

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome Loader 24.2.exe

    • Size

      923KB

    • MD5

      ad5e1454eb96c012755dcab90cfd69cf

    • SHA1

      17f93458b223542eed1c269d9c64b8c39341b1cd

    • SHA256

      726725262283f68ec3e3f62d13863c7df9b08f54e19c28603407d98631468494

    • SHA512

      1f503e6619ff5cd87838b4618400ae54c24d5f618813cfd8ce7ecdd53f25d74186dda096a1a2ab49848184e22137c05de0fbf010a0ccc9adcc5b58e727da1d46

    • SSDEEP

      12288:0MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Z0N6qsUwXPDgj:0nsJ39LyjbJkQFMhmC+6GD9UaE

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader.exe.config

    • Size

      186B

    • MD5

      9070d769fd43fb9def7e9954fba4c033

    • SHA1

      de4699cdf9ad03aef060470c856f44d3faa7ea7f

    • SHA256

      cbaf2ae95b1133026c58ab6362af2f7fb2a1871d7ad58b87bd73137598228d9b

    • SHA512

      170028b66c5d2db2b8c90105b77b0b691bf9528dc9f07d4b3983d93e9e37ea1154095aaf264fb8b5e67c167239697337cc9e585e87ef35faa65a969cac1aa518

    Score
    1/10
    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader_crack.exe

    • Size

      1MB

    • MD5

      caeeb7b39d19fb9ae4209d5b82580454

    • SHA1

      5e8e38685c130250b1e6a132302549be4e1a1952

    • SHA256

      d94103367cd58a86f60f0f1560084fb30e3fe137f03eb8a49adf600d31dfacf5

    • SHA512

      6093ea192a677d7632b0f716dcf7a051e1f055334deb9d56acb4f921d08eadfa79ef58477400328a9e3ee6e64043d15c658c4b335cc2f9b6f91a44ce8dd4b46c

    • SSDEEP

      24576:/oJEKZ6IEGTMxapRl2PSwHTehy6BP+pXShToJEKZ6IEGTMxapRl2PSwHTehy6BPF:/ouKZ6iMqRl2PSwzehy6cpXShTouKZ6E

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/FAQ (English).docx

    • Size

      30KB

    • MD5

      a973ea85439ddfe86379d47e19da4dca

    • SHA1

      78f60711360ddd46849d128e7a5d1b68b1d43f9f

    • SHA256

      c197833a3fd69e98fbf2b02e9da232ff2867e1e684d420fd3975188c0e0e202b

    • SHA512

      4a3fad33cccb15ea2d98bc30141744ba6709afec52d429ac0916aa656f4b611fdeda4b37812f0a72b90de000fc5c0f95bb445e5df67fc4ba6f93de5ce55df510

    • SSDEEP

      768:oi87zWNuZn3IZElFoL+goT2Ir9259IQ+409:oi8mQnXFoigoRr9aIvX9

    Score
    1/10
    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/FAQ(RUS).docx

    • Size

      51KB

    • MD5

      aa9534a22d08fb17b6c50164ca226aba

    • SHA1

      9d68e6e4b0ea3c41ad7f70733dc53628962765ce

    • SHA256

      e3f9590d0a28e8f17d40f9a5a5489a963c6d5e722a324adf0d1d666ea424c89f

    • SHA512

      a4290cf0f3ecbb25078a0d3f870ed6abcab83d831e107f59730cf5fbdbc0268ac831d8f31f18a08794e27e51ba302ecb5bdd4bac85f3887844ed881c363bb8b9

    • SSDEEP

      1536:YmF2FkS3yM0Yj3ePetyogAcLrANZLI3dakgXeV:YNFkGem74Lr+k3v7V

    Score
    1/10
    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/._cache_Panel 20.2.exe

    • Size

      170KB

    • MD5

      470a8267b5eba7eb998d9fa69532f849

    • SHA1

      1152ddb2ab93aae9983e3e8b5c4f367875323e3e

    • SHA256

      6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

    • SHA512

      5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

    • SSDEEP

      3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/._cache_Panel.exe

    • Size

      1MB

    • MD5

      9484745bead43302d149113d418a3437

    • SHA1

      f28cdeb7daefa5be6d324a6c99cbb07a00f1b174

    • SHA256

      95b632d09117daa3bd75c70db03a128e222b7e78e0415d4a5ddb1f8664320e32

    • SHA512

      e07b57f95e7794dea137bb4d1517ccbf68c7327941096522f5d5bf5962e340f0a3d0431351c13fa8606e8c48532dcbdf31be364581287edc1ce9dfe4abdae449

    • SSDEEP

      12288:BMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9aN6qsUwXPDt4IN6qsUwXY:BnsJ39LyjbJkQFMhmC+6GD9YaJFawJ

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel 24.2.exe

    • Size

      923KB

    • MD5

      ad5e1454eb96c012755dcab90cfd69cf

    • SHA1

      17f93458b223542eed1c269d9c64b8c39341b1cd

    • SHA256

      726725262283f68ec3e3f62d13863c7df9b08f54e19c28603407d98631468494

    • SHA512

      1f503e6619ff5cd87838b4618400ae54c24d5f618813cfd8ce7ecdd53f25d74186dda096a1a2ab49848184e22137c05de0fbf010a0ccc9adcc5b58e727da1d46

    • SSDEEP

      12288:0MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Z0N6qsUwXPDgj:0nsJ39LyjbJkQFMhmC+6GD9UaE

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel_crack.exe

    • Size

      276KB

    • MD5

      e1633061ed1f482f6beef10963a3cbbc

    • SHA1

      d6b0cda0ed1965190704f5b865bd968c51bd6acc

    • SHA256

      b14063638be7f779b3d4be67f2c3c7529b4324d276f802c440cde259e2121183

    • SHA512

      c5063ca55272dd78c0c137083e987052670ab2091d797ec864a217822f25788600b629cdbb9a6e32053aede7c97202983b65bf7a528b6746585885779b742b4d

    • SSDEEP

      6144:5SncRlJ8XN6W8mmdUwXPSi9b2c3lSncRl:44IN6qsUwXPDs4

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/Chrome.exe

    • Size

      1MB

    • MD5

      92cfeb7c07906eac0d4220b8a1ed65b1

    • SHA1

      882b83e903b5b4c7c75f0b1dc31bb7aa8938d8fa

    • SHA256

      38b827a431b89da0d9cdd444373364371f4f6e6bf299e7935f05b2351ca9186c

    • SHA512

      e2ee932f5b81403935a977f9d3c8e2e4f6a4c9a1967b7e1cf61229a7746a24aae486ac6b779fb570f1dff02a3ff30107044f0427ce46474b91d788c78c8fcfbf

    • SSDEEP

      24576:q6JGMnMpfVArKlhbP6GFibQC1QSvKZHHf1FqbI4Cn:47/MPGFibsSipHubPa

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/NetFramework48.exe

    • Size

      1MB

    • MD5

      86482f2f623a52b8344b00968adc7b43

    • SHA1

      755349ecd6a478fe010e466b29911d2388f6ce94

    • SHA256

      2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57

    • SHA512

      64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d

    • SSDEEP

      24576:MGHL3siy9J0/SmtLvUDSRbm4Jah1rVxL+iTOhYdeM+GkdnddMF2ScVC3oKNVpNXo:RL3s7mKeTUDBzrVxxOhYdeMinddG2lCK

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/WinRar.exe

    • Size

      3MB

    • MD5

      b66dec691784f00061bc43e62030c343

    • SHA1

      779d947d41efafc2995878e56e213411de8fb4cf

    • SHA256

      26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370

    • SHA512

      6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3

    • SSDEEP

      98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

5
T1060

Defense Evasion

Modify Registry

6
T1112

Credential Access

Credentials in Files

10
T1081

Discovery

Query Registry

16
T1012

System Information Discovery

22
T1082

Collection

Data from Local System

10
T1005

Tasks

static1

ratdefaultasyncratstormkittyredlinesectopratpandastealer
Score
10/10

behavioral1

asyncratstormkittydefaultratspywarestealer
Score
10/10

behavioral2

pandastealerspywarestealer
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

redlinesectopratinfostealerrattrojan
Score
10/10

behavioral8

pandastealerspywarestealer
Score
10/10

behavioral9

Score
1/10

behavioral10

asyncratstormkittydefaultratspywarestealer
Score
10/10

behavioral11

asyncratpandastealerstormkittyratstealer
Score
10/10

behavioral12

asyncratstormkittydefaultpersistenceratspywarestealer
Score
10/10

behavioral13

Score
1/10

behavioral14

pandastealerspywarestealer
Score
10/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

asyncratstormkittydefaultratspywarestealer
Score
10/10

behavioral18

asyncratstormkittyratstealer
Score
10/10

behavioral19

asyncratstormkittydefaultpersistenceratspywarestealer
Score
10/10

behavioral20

asyncratstormkittydefaultratspywarestealer
Score
10/10

behavioral21

discoverypersistencespywarestealer
Score
8/10

behavioral22

Score
7/10

behavioral23

Score
1/10