Analysis

  • max time kernel
    47s
  • max time network
    58s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-04-2023 15:39

General

  • Target

    Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader_crack.exe

  • Size

    1.4MB

  • MD5

    caeeb7b39d19fb9ae4209d5b82580454

  • SHA1

    5e8e38685c130250b1e6a132302549be4e1a1952

  • SHA256

    d94103367cd58a86f60f0f1560084fb30e3fe137f03eb8a49adf600d31dfacf5

  • SHA512

    6093ea192a677d7632b0f716dcf7a051e1f055334deb9d56acb4f921d08eadfa79ef58477400328a9e3ee6e64043d15c658c4b335cc2f9b6f91a44ce8dd4b46c

  • SSDEEP

    24576:/oJEKZ6IEGTMxapRl2PSwHTehy6BP+pXShToJEKZ6IEGTMxapRl2PSwHTehy6BPF:/ouKZ6iMqRl2PSwzehy6cpXShTouKZ6E

Malware Config

Extracted

Family

pandastealer

Version

1.11

C2

http://thisisgenk.temp.swtest.ru

Extracted

Family

pandastealer

Version

C2

http://�

Signatures

  • Panda Stealer payload 7 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Loader\Kurome.Loader_crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Loader\Kurome.Loader_crack.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3852
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3532
    • C:\Users\Admin\AppData\Local\Temp\Kurome.Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Kurome.Loader.exe"
      2⤵
      • Executes dropped EXE
      PID:4240

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Kurome.Loader.exe

    Filesize

    691KB

    MD5

    d012f21f743803781c23443cae5af637

    SHA1

    a6d20e4e85951090c262f29d7159123a4e4c0cba

    SHA256

    9d005ef806af176d0c715b2ee6f79a7ca5ef1aacd2529d75bf05911522b5bb2b

    SHA512

    dcde9865e1a52b18906cacc38ef8df2e3148819c0217a168df6ee58acb4094ae7e6be52cdffed0e3844c4b7929f375c09ffa7629018f05a1d88fed2be7f5f0fb

  • C:\Users\Admin\AppData\Local\Temp\Kurome.Loader.exe

    Filesize

    691KB

    MD5

    d012f21f743803781c23443cae5af637

    SHA1

    a6d20e4e85951090c262f29d7159123a4e4c0cba

    SHA256

    9d005ef806af176d0c715b2ee6f79a7ca5ef1aacd2529d75bf05911522b5bb2b

    SHA512

    dcde9865e1a52b18906cacc38ef8df2e3148819c0217a168df6ee58acb4094ae7e6be52cdffed0e3844c4b7929f375c09ffa7629018f05a1d88fed2be7f5f0fb

  • C:\Users\Admin\AppData\Local\Temp\build.exe

    Filesize

    681KB

    MD5

    43aa2880830859585b3c6a15e915b8db

    SHA1

    6780b3f4d54a43b22223629e14c676addb3ac400

    SHA256

    378f2b1055dd7f1a150e0d86889b9bd3336225e38fc3c8cafb390ebf347ad46d

    SHA512

    6d35bd792aefe5c1b42caae9e50ed66967a74bb476985e17d3a5bc8d6b87111b7bb1af56cb216bff24f056da33bc14c4bddc81fabbfa07d569bab98ec679289d

  • C:\Users\Admin\AppData\Local\Temp\build.exe

    Filesize

    681KB

    MD5

    43aa2880830859585b3c6a15e915b8db

    SHA1

    6780b3f4d54a43b22223629e14c676addb3ac400

    SHA256

    378f2b1055dd7f1a150e0d86889b9bd3336225e38fc3c8cafb390ebf347ad46d

    SHA512

    6d35bd792aefe5c1b42caae9e50ed66967a74bb476985e17d3a5bc8d6b87111b7bb1af56cb216bff24f056da33bc14c4bddc81fabbfa07d569bab98ec679289d

  • memory/3852-119-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/3852-130-0x0000000000400000-0x0000000000561000-memory.dmp

    Filesize

    1.4MB

  • memory/4240-129-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB