Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
24-04-2023 15:39
General
-
Target
Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel_crack.exe
-
Size
276KB
-
MD5
e1633061ed1f482f6beef10963a3cbbc
-
SHA1
d6b0cda0ed1965190704f5b865bd968c51bd6acc
-
SHA256
b14063638be7f779b3d4be67f2c3c7529b4324d276f802c440cde259e2121183
-
SHA512
c5063ca55272dd78c0c137083e987052670ab2091d797ec864a217822f25788600b629cdbb9a6e32053aede7c97202983b65bf7a528b6746585885779b742b4d
-
SSDEEP
6144:5SncRlJ8XN6W8mmdUwXPSi9b2c3lSncRl:44IN6qsUwXPDs4
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 3 IoCs
-
Async RAT payload 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 10 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\Panel_crack.exe"C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\Panel_crack.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CONFIG.EXE"C:\Users\Admin\AppData\Local\Temp\CONFIG.EXE"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PANEL.EXE"C:\Users\Admin\AppData\Local\Temp\PANEL.EXE"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
170KB
MD5470a8267b5eba7eb998d9fa69532f849
SHA11152ddb2ab93aae9983e3e8b5c4f367875323e3e
SHA2566cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e
SHA5125f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d
-
Filesize
170KB
MD5470a8267b5eba7eb998d9fa69532f849
SHA11152ddb2ab93aae9983e3e8b5c4f367875323e3e
SHA2566cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e
SHA5125f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d
-
Filesize
53KB
MD5098062dde5741b0b42e73060a1b95db0
SHA1803e9fd3f740cfebb06333a7e056e6b6dbdc10d1
SHA25663e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611
SHA51269a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a
-
Filesize
53KB
MD5098062dde5741b0b42e73060a1b95db0
SHA1803e9fd3f740cfebb06333a7e056e6b6dbdc10d1
SHA25663e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611
SHA51269a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a
-
Filesize
2B
MD5fbd7939d674997cdb4692d34de8633c4
SHA1d54ad009d179ae346683cfc3603979bc99339ef7
SHA256f74efabef12ea619e30b79bddef89cffa9dda494761681ca862cff2871a85980
SHA512bc7dea130d219f9d1097a174eb56df348da86f1080c5e5c1ff9e9ef4c4204640ba01b946f3a2fa8ea8adcf2a099e76ccb58d8632c7c51b1d42c5d4f72ce09413
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
5.0MB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
64KB