Overview
overview
10Static
static
10Redline St....2.exe
windows10-1703-x64
10Redline St...ck.exe
windows10-1703-x64
10Redline St...db.dll
windows10-1703-x64
1Redline St...db.dll
windows10-1703-x64
1Redline St...ks.dll
windows10-1703-x64
1Redline St...il.dll
windows10-1703-x64
1Redline St...ub.exe
windows10-1703-x64
10Redline St...st.exe
windows10-1703-x64
10Redline St...CF.dll
windows10-1703-x64
1Redline St....2.exe
windows10-1703-x64
10Redline St...er.exe
windows10-1703-x64
10Redline St....2.exe
windows10-1703-x64
10Redline St...xe.xml
windows10-1703-x64
1Redline St...ck.exe
windows10-1703-x64
10Redline St...).docx
windows10-1703-x64
1Redline St...).docx
windows10-1703-x64
1Redline St....2.exe
windows10-1703-x64
10Redline St...el.exe
windows10-1703-x64
10Redline St....2.exe
windows10-1703-x64
10Redline St...ck.exe
windows10-1703-x64
10Redline St...me.exe
windows10-1703-x64
8Redline St...48.exe
windows10-1703-x64
7Redline St...ar.exe
windows10-1703-x64
1Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
24-04-2023 15:39
Behavioral task
behavioral1
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Kurome.Builder v24.2.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Kurome.Builder_crack.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Mdb.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Pdb.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Rocks.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/stub.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Host/Kurome.Host.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Host/Kurome.WCF.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_Kurome Loader 20.2.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_KuromeLoader.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome Loader 24.2.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader.exe.xml
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader_crack.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/FAQ (English).docx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/FAQ(RUS).docx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/._cache_Panel 20.2.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/._cache_Panel.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel 24.2.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel_crack.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/Chrome.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/NetFramework48.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/WinRar.exe
Resource
win10-20230220-en
windows10-1703-x64
General
-
Target
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader.exe.xml
-
Size
186B
-
MD5
9070d769fd43fb9def7e9954fba4c033
-
SHA1
de4699cdf9ad03aef060470c856f44d3faa7ea7f
-
SHA256
cbaf2ae95b1133026c58ab6362af2f7fb2a1871d7ad58b87bd73137598228d9b
-
SHA512
170028b66c5d2db2b8c90105b77b0b691bf9528dc9f07d4b3983d93e9e37ea1154095aaf264fb8b5e67c167239697337cc9e585e87ef35faa65a969cac1aa518
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5018312ec376d901 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{571DBEF8-E2B6-11ED-9346-FEBD14D28120} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "389115805" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "741692381" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "756538232" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc0000000002000000000010660000000100002000000023826a6b17f5ed37c6a71024ca8a6620a972cf4b008c816745440147cf0a6750000000000e8000000002000020000000976e8fba7827fa0ba92a1582a71af63b6a1f67af93feafb01c533382dd279a4020000000a0bc2775738d7e8f6acec75a6c7b48f9e2fca3d0a1334fa170c5de84702f0d0440000000ea19a7c0db51ec56792e3b0487b2b5e16d38dc3da7ab2bd7f6e9bd1b4e209651ca122bd101e37d62db1cd6567ac0bcc470970ea4cea9cbcf613db53ddb63ffe2 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 209c462ec376d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31028931" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc000000000200000000001066000000010000200000005232e815663dc41d99ccc073720df592891e51490d1fb720559d54907611df91000000000e8000000002000020000000853ed6d43f9370ff264cc9eb51441313ed38cc2387fb42d6086aec774f9f148920000000dc231b60fc41383346a5f86a222d4275b03dbbad1b9a3518066afef046584c01400000001b322b2231fec959be4f1de67a72e97901d08fe371a0928aa1636c7c5fe11e0164ee6e11a43168d2a11cc1fb1995a535ea0037b8d03f1f53cca04debe5028a42 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "741692381" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31028931" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31028931" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "389164390" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "389132399" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2852 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2852 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2852 iexplore.exe 2852 iexplore.exe 4404 IEXPLORE.EXE 4404 IEXPLORE.EXE 4404 IEXPLORE.EXE 4404 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2436 wrote to memory of 2852 2436 MSOXMLED.EXE 66 PID 2436 wrote to memory of 2852 2436 MSOXMLED.EXE 66 PID 2852 wrote to memory of 4404 2852 iexplore.exe 68 PID 2852 wrote to memory of 4404 2852 iexplore.exe 68 PID 2852 wrote to memory of 4404 2852 iexplore.exe 68
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Loader\Kurome.Loader.exe.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Loader\Kurome.Loader.exe.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4404
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5d6b67afeb31f0d9bfe232166e8b300c5
SHA16ba1a534d40fea9302591aaee8fb6969bfa28e4b
SHA256ab4f8d3ad2a02ad67059703fcb9c7ecd397d9abfce4b4cacdf7ecc11b4e37520
SHA51262c9fc6797c263bf33c8f52d5d41ce276b3df2aaed6433d582987a607ae508f5389f86d5d8a63cc5715964623f5be08d5741ddd70a0fe18f0140eb314815c272
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5beeaef03310738182cabde5fe4938b82
SHA1f3767def70da4f72f1069a817a27d7128b092d21
SHA256c8a375dd23afa187bbc9085c7a462611f9f05ddecdaa01ea406d4f5025e6e4fe
SHA51270af918c92755615e93ecfcd791f5397160442f214a4e0b80c4427508e9cac90cdf23c1eb85a023616452a1c91bdb77c0a27add148eab4b95486e3f3badfd099
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
613B
MD50986860dff0286980c1e2c20aa0d802b
SHA14f5b59e4f3b140e02fa7aa734751bc2a52b7be20
SHA256b0f844591bea03ef41b6340fed8e0b08ffdf974219f34d142b24f61297410bd4
SHA512a3d1c5519c150e0aeecda26290fb4f7bfce36a906f555f4fa98b13aae09cd8a924ca57bc96ea224e0b3d4c44c0739eb32fab5a4fcd4be18a3bab4439a5f3ad19