Overview
overview
10Static
static
10Redline St....2.exe
windows10-1703-x64
10Redline St...ck.exe
windows10-1703-x64
10Redline St...db.dll
windows10-1703-x64
1Redline St...db.dll
windows10-1703-x64
1Redline St...ks.dll
windows10-1703-x64
1Redline St...il.dll
windows10-1703-x64
1Redline St...ub.exe
windows10-1703-x64
10Redline St...st.exe
windows10-1703-x64
10Redline St...CF.dll
windows10-1703-x64
1Redline St....2.exe
windows10-1703-x64
10Redline St...er.exe
windows10-1703-x64
10Redline St....2.exe
windows10-1703-x64
10Redline St...xe.xml
windows10-1703-x64
1Redline St...ck.exe
windows10-1703-x64
10Redline St...).docx
windows10-1703-x64
1Redline St...).docx
windows10-1703-x64
1Redline St....2.exe
windows10-1703-x64
10Redline St...el.exe
windows10-1703-x64
10Redline St....2.exe
windows10-1703-x64
10Redline St...ck.exe
windows10-1703-x64
10Redline St...me.exe
windows10-1703-x64
8Redline St...48.exe
windows10-1703-x64
7Redline St...ar.exe
windows10-1703-x64
1Analysis
-
max time kernel
47s -
max time network
58s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
24-04-2023 15:39
Behavioral task
behavioral1
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Kurome.Builder v24.2.exe
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Kurome.Builder_crack.exe
Resource
win10-20230220-en
Behavioral task
behavioral3
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Mdb.dll
Resource
win10-20230220-en
Behavioral task
behavioral4
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Pdb.dll
Resource
win10-20230220-en
Behavioral task
behavioral5
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.Rocks.dll
Resource
win10-20230220-en
Behavioral task
behavioral6
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Mono.Cecil.dll
Resource
win10-20230220-en
Behavioral task
behavioral7
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/stub.exe
Resource
win10-20230220-en
Behavioral task
behavioral8
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Host/Kurome.Host.exe
Resource
win10-20230220-en
Behavioral task
behavioral9
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Host/Kurome.WCF.dll
Resource
win10-20230220-en
Behavioral task
behavioral10
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_Kurome Loader 20.2.exe
Resource
win10-20230220-en
Behavioral task
behavioral11
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_KuromeLoader.exe
Resource
win10-20230220-en
Behavioral task
behavioral12
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome Loader 24.2.exe
Resource
win10-20230220-en
Behavioral task
behavioral13
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader.exe.xml
Resource
win10-20230220-en
Behavioral task
behavioral14
Sample
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader_crack.exe
Resource
win10-20230220-en
Behavioral task
behavioral15
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/FAQ (English).docx
Resource
win10-20230220-en
Behavioral task
behavioral16
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/FAQ(RUS).docx
Resource
win10-20230220-en
Behavioral task
behavioral17
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/._cache_Panel 20.2.exe
Resource
win10-20230220-en
Behavioral task
behavioral18
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/._cache_Panel.exe
Resource
win10-20230220-en
Behavioral task
behavioral19
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel 24.2.exe
Resource
win10-20230220-en
Behavioral task
behavioral20
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel_crack.exe
Resource
win10-20230220-en
Behavioral task
behavioral21
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/Chrome.exe
Resource
win10-20230220-en
Behavioral task
behavioral22
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/NetFramework48.exe
Resource
win10-20230220-en
Behavioral task
behavioral23
Sample
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/WinRar.exe
Resource
win10-20230220-en
General
-
Target
Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader_crack.exe
-
Size
1.4MB
-
MD5
caeeb7b39d19fb9ae4209d5b82580454
-
SHA1
5e8e38685c130250b1e6a132302549be4e1a1952
-
SHA256
d94103367cd58a86f60f0f1560084fb30e3fe137f03eb8a49adf600d31dfacf5
-
SHA512
6093ea192a677d7632b0f716dcf7a051e1f055334deb9d56acb4f921d08eadfa79ef58477400328a9e3ee6e64043d15c658c4b335cc2f9b6f91a44ce8dd4b46c
-
SSDEEP
24576:/oJEKZ6IEGTMxapRl2PSwHTehy6BP+pXShToJEKZ6IEGTMxapRl2PSwHTehy6BPF:/ouKZ6iMqRl2PSwzehy6cpXShTouKZ6E
Malware Config
Extracted
pandastealer
1.11
http://thisisgenk.temp.swtest.ru
Extracted
pandastealer
�
http://�
Signatures
-
Panda Stealer payload 7 IoCs
resource yara_rule behavioral14/memory/3852-119-0x0000000000400000-0x0000000000561000-memory.dmp family_pandastealer behavioral14/files/0x000500000001a560-122.dat family_pandastealer behavioral14/files/0x000500000001a560-123.dat family_pandastealer behavioral14/files/0x000800000001af06-127.dat family_pandastealer behavioral14/files/0x000800000001af06-128.dat family_pandastealer behavioral14/memory/4240-129-0x0000000000400000-0x00000000004B4000-memory.dmp family_pandastealer behavioral14/memory/3852-130-0x0000000000400000-0x0000000000561000-memory.dmp family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Executes dropped EXE 2 IoCs
pid Process 3532 build.exe 4240 Kurome.Loader.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3532 build.exe 3532 build.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3852 wrote to memory of 3532 3852 Kurome.Loader_crack.exe 66 PID 3852 wrote to memory of 3532 3852 Kurome.Loader_crack.exe 66 PID 3852 wrote to memory of 3532 3852 Kurome.Loader_crack.exe 66 PID 3852 wrote to memory of 4240 3852 Kurome.Loader_crack.exe 67 PID 3852 wrote to memory of 4240 3852 Kurome.Loader_crack.exe 67 PID 3852 wrote to memory of 4240 3852 Kurome.Loader_crack.exe 67
Processes
-
C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Loader\Kurome.Loader_crack.exe"C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Loader\Kurome.Loader_crack.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3532
-
-
C:\Users\Admin\AppData\Local\Temp\Kurome.Loader.exe"C:\Users\Admin\AppData\Local\Temp\Kurome.Loader.exe"2⤵
- Executes dropped EXE
PID:4240
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
691KB
MD5d012f21f743803781c23443cae5af637
SHA1a6d20e4e85951090c262f29d7159123a4e4c0cba
SHA2569d005ef806af176d0c715b2ee6f79a7ca5ef1aacd2529d75bf05911522b5bb2b
SHA512dcde9865e1a52b18906cacc38ef8df2e3148819c0217a168df6ee58acb4094ae7e6be52cdffed0e3844c4b7929f375c09ffa7629018f05a1d88fed2be7f5f0fb
-
Filesize
691KB
MD5d012f21f743803781c23443cae5af637
SHA1a6d20e4e85951090c262f29d7159123a4e4c0cba
SHA2569d005ef806af176d0c715b2ee6f79a7ca5ef1aacd2529d75bf05911522b5bb2b
SHA512dcde9865e1a52b18906cacc38ef8df2e3148819c0217a168df6ee58acb4094ae7e6be52cdffed0e3844c4b7929f375c09ffa7629018f05a1d88fed2be7f5f0fb
-
Filesize
681KB
MD543aa2880830859585b3c6a15e915b8db
SHA16780b3f4d54a43b22223629e14c676addb3ac400
SHA256378f2b1055dd7f1a150e0d86889b9bd3336225e38fc3c8cafb390ebf347ad46d
SHA5126d35bd792aefe5c1b42caae9e50ed66967a74bb476985e17d3a5bc8d6b87111b7bb1af56cb216bff24f056da33bc14c4bddc81fabbfa07d569bab98ec679289d
-
Filesize
681KB
MD543aa2880830859585b3c6a15e915b8db
SHA16780b3f4d54a43b22223629e14c676addb3ac400
SHA256378f2b1055dd7f1a150e0d86889b9bd3336225e38fc3c8cafb390ebf347ad46d
SHA5126d35bd792aefe5c1b42caae9e50ed66967a74bb476985e17d3a5bc8d6b87111b7bb1af56cb216bff24f056da33bc14c4bddc81fabbfa07d569bab98ec679289d