Analysis
- max time kernel: 29s
- max time network: 33s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/04/2023, 20:27
Behavioral tasks (sample / resource)
- behavioral1: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Kurome.Builder v24.2.exe / win10v2004-20230220-en
- behavioral2: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/Kurome.Builder_crack.exe / win10v2004-20230220-en
- behavioral3: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Builder/stub.exe / win10v2004-20230221-en
- behavioral4: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Host/Kurome.Host.exe / win10v2004-20230220-en
- behavioral5: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_Kurome Loader 20.2.exe / win10v2004-20230220-en
- behavioral6: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_KuromeLoader.exe / win10v2004-20230220-en
- behavioral7: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome Loader 24.2.exe / win10v2004-20230221-en
- behavioral8: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/Kurome.Loader_crack.exe / win10v2004-20230220-en
- behavioral9: Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/._cache_Panel 20.2.exe / win10v2004-20230220-en
- behavioral10: Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/._cache_Panel.exe / win10v2004-20230220-en
- behavioral11: Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel 24.2.exe / win10v2004-20230220-en
- behavioral12: Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Panel/Panel_crack.exe / win10v2004-20230220-en
- behavioral13: Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/Chrome.exe / win10v2004-20230220-en
- behavioral14: Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/NetFramework48.exe / win10v2004-20230221-en
- behavioral15: Redline Stealer v24.2 cracked [XT_CH]/Panel/RedLine_24_2/Tools/WinRar.exe / win10v2004-20230220-en
General
- Target: Redline Stealer v24.2 cracked [XT_CH]/Kurome.Host/Kurome.Host.exe
- Size: 1.4MB
- MD5: b141f114ecbfd918e995d5b40cc4309a
- SHA1: 403ed39ba990caf4fc82672257875e58ed3a9c3f
- SHA256: c11a53f5cdd9d41b754e8cdb8132b7c13f224359302dbb8a4bd9502271feafbe
- SHA512: 9f2fcef0f8d330d3d7615e642b351bb53da4679df64ee6cc937dd50cdbb318afecca2b56ad2b2a93a9cd6ae41d8e3dfcbc5f876c83f88ec13bc9cef49448315b
- SSDEEP: 24576:loJEKZ6IEGTMxapRl2PSwHTehy6BP+pXShToJEKZ6IEGTMxapRl2PSwHTehy6BPk:louKZ6iMqRl2PSwzehy6cpXShTouKZ6x
Malware Config
- Extracted: pandastealer, version 1.11, URL http://thisisgenk.temp.swtest.ru
- Extracted: pandastealer, version and URL not recoverable (garbled in the report)
Signatures
- Panda Stealer payload (8 IoCs); resource / yara_rule:
  - behavioral4/files/0x001300000001db57-137.dat / family_pandastealer
  - behavioral4/files/0x001300000001db57-139.dat / family_pandastealer
  - behavioral4/files/0x001300000001db57-141.dat / family_pandastealer
  - behavioral4/files/0x000500000001f1a4-145.dat / family_pandastealer
  - behavioral4/memory/3688-153-0x0000000000400000-0x0000000000561000-memory.dmp / family_pandastealer
  - behavioral4/memory/4808-154-0x0000000000400000-0x00000000004B4000-memory.dmp / family_pandastealer
  - behavioral4/files/0x000500000001f1a4-150.dat / family_pandastealer
  - behavioral4/files/0x000500000001f1a4-149.dat / family_pandastealer
- PandaStealer: Panda Stealer is a fork of CollectorProject Stealer written in C++.
- Checks computer location settings (2 TTPs, 1 IoC): looks up the country code configured in the registry, likely as a geofence check.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (process: Kurome.Host.exe)
- Executes dropped EXE (2 IoCs); pid / process:
  - 1208 / build.exe
  - 4808 / Kurome.Host.exe
- Reads user/profile data of web browsers (2 TTPs): infostealers often target stored browser data, which can include saved credentials.
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs); pid / process:
  - 1208 / build.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs); description / pid / process / procid_target:
  - PID 3688 wrote to memory of 1208 / 3688 / Kurome.Host.exe / 83 (3 occurrences)
  - PID 3688 wrote to memory of 4808 / 3688 / Kurome.Host.exe / 84 (3 occurrences)
Processes
- "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Host\Kurome.Host.exe" (level 1, PID 3688)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\build.exe" (level 2, PID 1208)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Users\Admin\AppData\Local\Temp\Kurome.Host.exe" (level 2, PID 4808)
    - Executes dropped EXE
Downloads
- Filesize: 691KB
  MD5: d012f21f743803781c23443cae5af637
  SHA1: a6d20e4e85951090c262f29d7159123a4e4c0cba
  SHA256: 9d005ef806af176d0c715b2ee6f79a7ca5ef1aacd2529d75bf05911522b5bb2b
  SHA512: dcde9865e1a52b18906cacc38ef8df2e3148819c0217a168df6ee58acb4094ae7e6be52cdffed0e3844c4b7929f375c09ffa7629018f05a1d88fed2be7f5f0fb
- Filesize: 681KB
  MD5: 43aa2880830859585b3c6a15e915b8db
  SHA1: 6780b3f4d54a43b22223629e14c676addb3ac400
  SHA256: 378f2b1055dd7f1a150e0d86889b9bd3336225e38fc3c8cafb390ebf347ad46d
  SHA512: 6d35bd792aefe5c1b42caae9e50ed66967a74bb476985e17d3a5bc8d6b87111b7bb1af56cb216bff24f056da33bc14c4bddc81fabbfa07d569bab98ec679289d