Overview

overview

10

Static

static

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...ck.exe

windows10-2004-x64

10

Redline St...ub.exe

windows10-2004-x64

10

Redline St...st.exe

windows10-2004-x64

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...er.exe

windows10-2004-x64

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...ck.exe

windows10-2004-x64

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...el.exe

windows10-2004-x64

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...ck.exe

windows10-2004-x64

10

Redline St...me.exe

windows10-2004-x64

8

Redline St...48.exe

windows10-2004-x64

7

Redline St...ar.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-04-2023 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel_crack.exe

  • Size

    276KB

  • MD5

    e1633061ed1f482f6beef10963a3cbbc

  • SHA1

    d6b0cda0ed1965190704f5b865bd968c51bd6acc

  • SHA256

    b14063638be7f779b3d4be67f2c3c7529b4324d276f802c440cde259e2121183

  • SHA512

    c5063ca55272dd78c0c137083e987052670ab2091d797ec864a217822f25788600b629cdbb9a6e32053aede7c97202983b65bf7a528b6746585885779b742b4d

  • SSDEEP

    6144:5SncRlJ8XN6W8mmdUwXPSi9b2c3lSncRl:44IN6qsUwXPDs4

Score
10/10
asyncratstormkittydefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 4 IoCs
  • Async RAT payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 9 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\Panel_crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Panel\RedLine_24_2\Panel\Panel_crack.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\CONFIG.EXE
      "C:\Users\Admin\AppData\Local\Temp\CONFIG.EXE"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:4880
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
              PID:2940
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              4⤵
                PID:1664
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3924
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                4⤵
                  PID:4112
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show networks mode=bssid
                  4⤵
                    PID:3308
              • C:\Users\Admin\AppData\Local\Temp\PANEL.EXE
                "C:\Users\Admin\AppData\Local\Temp\PANEL.EXE"
                2⤵
                • Executes dropped EXE
                PID:2144

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            3
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\190c09ed86c21ffc10ffe899f31fef7d\msgid.dat
              Filesize

              3B

              MD5

              6883966fd8f918a4aa29be29d2c386fb

              SHA1

              3a085d1bc5fa41313c4e0910e7341af761b0f7db

              SHA256

              2cfc8ccbd7c0b17615323b41e815651ff2ae9ffae45a4599c0499b98ff940429

              SHA512

              0732c6f705cca61fe7074d0daa4a5d585a46d4d4b935c990e309a292d61271b63d1336eff9629ef312dae85ae4cc50c68cc8660ff12aa2034084604572570aa9

              Download Submit
            • C:\Users\Admin\AppData\Local\8d871c3c9291c8758c12de46266187fe\Admin@TPAVZECK_en-US\Browsers\Firefox\Bookmarks.txt
              Filesize

              105B

              MD5

              2e9d094dda5cdc3ce6519f75943a4ff4

              SHA1

              5d989b4ac8b699781681fe75ed9ef98191a5096c

              SHA256

              c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

              SHA512

              d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

              Download Submit
            • C:\Users\Admin\AppData\Local\8d871c3c9291c8758c12de46266187fe\Admin@TPAVZECK_en-US\System\Process.txt
              Filesize

              4KB

              MD5

              a1b1d01dabd40a8c4265e032b1503b9d

              SHA1

              cae24c4ce11039fd8e926e351e69a55c9f15a889

              SHA256

              ce64a24cd81e5019f229b17bfaf605c2df54d358cf634a8f5f8c25c33f65ca53

              SHA512

              53210d4c6878dde2c3efac628d1bdf21d7f4ad927f7559f9b645d255b5a88934fb370a1835eac7d1e5b1fc3eb05dfc7975d28206674fac2bc425d4164123c9d1

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\CONFIG.EXE
              Filesize

              170KB

              MD5

              470a8267b5eba7eb998d9fa69532f849

              SHA1

              1152ddb2ab93aae9983e3e8b5c4f367875323e3e

              SHA256

              6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

              SHA512

              5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\CONFIG.EXE
              Filesize

              170KB

              MD5

              470a8267b5eba7eb998d9fa69532f849

              SHA1

              1152ddb2ab93aae9983e3e8b5c4f367875323e3e

              SHA256

              6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

              SHA512

              5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\CONFIG.EXE
              Filesize

              170KB

              MD5

              470a8267b5eba7eb998d9fa69532f849

              SHA1

              1152ddb2ab93aae9983e3e8b5c4f367875323e3e

              SHA256

              6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

              SHA512

              5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\PANEL.EXE
              Filesize

              53KB

              MD5

              098062dde5741b0b42e73060a1b95db0

              SHA1

              803e9fd3f740cfebb06333a7e056e6b6dbdc10d1

              SHA256

              63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611

              SHA512

              69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\PANEL.EXE
              Filesize

              53KB

              MD5

              098062dde5741b0b42e73060a1b95db0

              SHA1

              803e9fd3f740cfebb06333a7e056e6b6dbdc10d1

              SHA256

              63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611

              SHA512

              69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\PANEL.EXE
              Filesize

              53KB

              MD5

              098062dde5741b0b42e73060a1b95db0

              SHA1

              803e9fd3f740cfebb06333a7e056e6b6dbdc10d1

              SHA256

              63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611

              SHA512

              69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a

              Download Submit
            • memory/2388-154-0x0000000004A80000-0x0000000004AE6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/2388-223-0x0000000002480000-0x0000000002490000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2388-153-0x0000000002480000-0x0000000002490000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2388-296-0x0000000005890000-0x0000000005922000-memory.dmp
              Filesize

              584KB

              Download
            • memory/2388-297-0x0000000005EE0000-0x0000000006484000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/2388-298-0x0000000002480000-0x0000000002490000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2388-302-0x00000000059C0000-0x00000000059CA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2388-152-0x00000000000E0000-0x0000000000110000-memory.dmp
              Filesize

              192KB

              Download
            • memory/2388-308-0x0000000006850000-0x0000000006862000-memory.dmp
              Filesize

              72KB

              Download
            • memory/2388-332-0x0000000002480000-0x0000000002490000-memory.dmp
              Filesize

              64KB

              Download