Overview

overview

10

Static

static

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...ck.exe

windows10-2004-x64

10

Redline St...ub.exe

windows10-2004-x64

10

Redline St...st.exe

windows10-2004-x64

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...er.exe

windows10-2004-x64

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...ck.exe

windows10-2004-x64

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...el.exe

windows10-2004-x64

10

Redline St....2.exe

windows10-2004-x64

10

Redline St...ck.exe

windows10-2004-x64

10

Redline St...me.exe

windows10-2004-x64

8

Redline St...48.exe

windows10-2004-x64

7

Redline St...ar.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-04-2023 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Redline Stealer v24.2 cracked [XT_CH]/Kurome.Loader/._cache_Kurome Loader 20.2.exe

  • Size

    170KB

  • MD5

    470a8267b5eba7eb998d9fa69532f849

  • SHA1

    1152ddb2ab93aae9983e3e8b5c4f367875323e3e

  • SHA256

    6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

  • SHA512

    5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

  • SSDEEP

    3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3

Score
10/10
asyncratstormkittydefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Loader\._cache_Kurome Loader 20.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v24.2 cracked [XT_CH]\Kurome.Loader\._cache_Kurome Loader 20.2.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:960
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:3664
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:5048
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:460
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:3420
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:5108

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\67e7b5895e2598e74e3ccecbd52bf8dc\msgid.dat
              Filesize

              3B

              MD5

              26e359e83860db1d11b6acca57d8ea88

              SHA1

              eb65e208b715d3b42fc535aebcd8d3e7fb5f2c94

              SHA256

              76ebdb6d45c61ca12e622118cc90939ade672adf7890aa2b246405d4884dd75a

              SHA512

              787ee49bdc47713dda397ed679b55d3ed439005e12af8b309305fb21e0c79a79fa6f065617340ab0c29cc2a815ed2d5bc5150f83cd67da85adeec9cb0d0a76af

              Download Submit

            • C:\Users\Admin\AppData\Local\de17979b2c7a726b20affd7ab588ec25\Admin@TPAVZECK_en-US\Browsers\Firefox\Bookmarks.txt
              Filesize

              105B

              MD5

              2e9d094dda5cdc3ce6519f75943a4ff4

              SHA1

              5d989b4ac8b699781681fe75ed9ef98191a5096c

              SHA256

              c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

              SHA512

              d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

              Download Submit

            • C:\Users\Admin\AppData\Local\de17979b2c7a726b20affd7ab588ec25\Admin@TPAVZECK_en-US\System\Process.txt
              Filesize

              4KB

              MD5

              a9616efd1d23664fac80902e9cf6227c

              SHA1

              81f152b6f0674f9b359c96e388d482428fe7ebcd

              SHA256

              20c29e437e726d79310d735801ce3eb54ad4744be0504baf9a638c73f295738c

              SHA512

              c8d203ed7df39c00084e7881db025dc8b60c810e9a36f25fe43837b09c504b030bc53359ed5d63c9e8d94d3a0232856ea486d27a4bb6fac5ef6068ee58f97f1b

              Download Submit

            • memory/3280-133-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

              Filesize

              192KB

              Download

            • memory/3280-134-0x0000000005840000-0x0000000005850000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3280-135-0x00000000059C0000-0x0000000005A26000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3280-204-0x0000000005840000-0x0000000005850000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3280-278-0x0000000006810000-0x00000000068A2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3280-279-0x0000000006E60000-0x0000000007404000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/3280-280-0x0000000005840000-0x0000000005850000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3280-284-0x00000000067D0000-0x00000000067DA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3280-290-0x00000000067F0000-0x0000000006802000-memory.dmp

              Filesize

              72KB

              Download