Overview (score: 10)

Static: 10

Tasks (names truncated as in the report navigation; the full sample paths are listed under Behavioral task below)

Task name              Platform             Score
Redline St...52.dll    windows7-x64         1
Redline St...52.dll    windows10-2004-x64   1
Redline St...ib.dll    windows7-x64         1
Redline St...ib.dll    windows10-2004-x64   1
Redline St...UI.dll    windows7-x64         1
Redline St...UI.dll    windows10-2004-x64   1
Redline St...db.dll    windows7-x64         1
Redline St...db.dll    windows10-2004-x64   1
Redline St...db.dll    windows7-x64         1
Redline St...db.dll    windows10-2004-x64   1
Redline St...ks.dll    windows7-x64         1
Redline St...ks.dll    windows10-2004-x64   1
Redline St...il.dll    windows7-x64         1
Redline St...il.dll    windows10-2004-x64   1
Redline St...on.dll    windows7-x64         1
Redline St...on.dll    windows10-2004-x64   1
Redline St...ls.dll    windows7-x64         1
Redline St...ls.dll    windows10-2004-x64   1
Redline St...en.dll    windows7-x64         1
Redline St...en.dll    windows10-2004-x64   1
Redline St...ib.dll    windows7-x64         1
Redline St...ib.dll    windows10-2004-x64   1
Redline St...er.exe    windows7-x64         1
Redline St...er.exe    windows10-2004-x64   1
Redline St...et.dll    windows7-x64         1
Redline St...et.dll    windows10-2004-x64   1
Redline St...ub.exe    windows7-x64         10
Redline St...ub.exe    windows10-2004-x64   10
Redline St...rt.bat    windows7-x64         8
Redline St...rt.bat    windows10-2004-x64   8
Redline St...ed.exe    windows7-x64         7
Redline St...ed.exe    windows10-2004-x64   8

Only the stub.exe tasks reach score 10; the library DLLs score 1 because they are ordinary third-party components (UI toolkits, Mono.Cecil, Newtonsoft.Json, protobuf-net) that the panel and builder depend on. This page is the analysis of stub.exe on the windows7-x64 task.
Analysis

max time kernel: 122s
max time network: 133s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2023 00:34
Behavioral tasks

behavioral1   Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Bunifu_UI_v1.52.dll
behavioral2   Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Bunifu_UI_v1.52.dll
behavioral3   Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/GuiLib.dll
behavioral4   Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/GuiLib.dll
behavioral5   Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/MetroSet UI.dll
behavioral6   Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/MetroSet UI.dll
behavioral7   Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Mono.Cecil.Mdb.dll
behavioral8   Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Mono.Cecil.Mdb.dll
behavioral9   Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Mono.Cecil.Pdb.dll
behavioral10  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Mono.Cecil.Pdb.dll
behavioral11  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Mono.Cecil.Rocks.dll
behavioral12  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Mono.Cecil.Rocks.dll
behavioral13  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Mono.Cecil.dll
behavioral14  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Mono.Cecil.dll
behavioral15  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Newtonsoft.Json.dll
behavioral16  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Newtonsoft.Json.dll
behavioral17  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/RedLine.SharedModels.dll
behavioral18  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/RedLine.SharedModels.dll
behavioral19  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/System.Drawing.Pen.dll
behavioral20  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/System.Drawing.Pen.dll
behavioral21  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Vestris.ResourceLib.dll
behavioral22  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/Vestris.ResourceLib.dll
behavioral23  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/builder.exe
behavioral24  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/builder.exe
behavioral25  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/protobuf-net.dll
behavioral26  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/protobuf-net.dll
behavioral27  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/stub.exe
behavioral28  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/Libraries/stub.exe
behavioral29  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/OpenPort.bat
behavioral30  Resource: win10v2004-20230915-en Sample: Redline Stealer v22.0 Cracked + Panel/OpenPort.bat
behavioral31  Resource: win7-20230831-en       Sample: Redline Stealer v22.0 Cracked + Panel/RedLine.MainPanel-cracked.exe
General (task behavioral27)

Target: Redline Stealer v22.0 Cracked + Panel/Libraries/stub.exe
Size: 141KB
MD5: 9c44ce0cc507f539a3b6aa9c3671f092
SHA1: 8f2ff23438e4e3e4c19537e90688f21cbe189908
SHA256: 7b6c6588d3bddb06a0efbbf237cf501c027dac8bd2b82c6835e0a2c8bdfae842
SHA512: d0496f88e659961cd29359e15002e32550e00897ab8c4cd7079ad928582b70ef82a0d110378cca8a8404cc3e14f7769cd68a925686a577a726101bc04d633ce3
SSDEEP: 3072:jJq4D2X3vAY+9ZCXDLcw9XFTb3R35dINX9r0DMi:jJq4Dog7gVdFTb3RDINN
Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource                                                                      yara_rule
behavioral27/memory/2160-0-0x0000000001020000-0x000000000104A000-memory.dmp   family_redline

The family match comes from a YARA rule hitting the memory of PID 2160 (stub.exe) in the region 0x01020000-0x0104A000; this in-memory copy is the artifact to keep, since the process tree below shows the file being deleted from disk.

Kills process with taskkill (1 IoC)
pid    Process
2724   taskkill.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid    Process
Token: SeDebugPrivilege   2160   stub.exe
Token: SeDebugPrivilege   2724   taskkill.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                          pid    Process     procid_target
PID 2160 wrote to memory of 2636     2160   stub.exe    28
PID 2160 wrote to memory of 2636     2160   stub.exe    28
PID 2160 wrote to memory of 2636     2160   stub.exe    28
PID 2160 wrote to memory of 2636     2160   stub.exe    28
PID 2636 wrote to memory of 2724     2636   cmd.exe     30
PID 2636 wrote to memory of 2724     2636   cmd.exe     30
PID 2636 wrote to memory of 2724     2636   cmd.exe     30
PID 2636 wrote to memory of 2724     2636   cmd.exe     30
PID 2636 wrote to memory of 2796     2636   cmd.exe     32
PID 2636 wrote to memory of 2796     2636   cmd.exe     32
PID 2636 wrote to memory of 2796     2636   cmd.exe     32
PID 2636 wrote to memory of 2796     2636   cmd.exe     32

The procid_target column is the report's internal process index (28, 30, 32), not the target's Windows PID; the Windows PID of the target is the one named in the description. Note also that every write is from a parent into a child it has just created (stub.exe into cmd.exe 2636, cmd.exe into taskkill.exe 2724 and choice.exe 2796), four writes per pair. That is the memory writing that accompanies ordinary process creation, not injection into an unrelated process, so these twelve entries add nothing beyond the process tree itself; the RedLine evidence on this page is the YARA hit above.
Processes

C:\Users\Admin\AppData\Local\Temp\Redline Stealer v22.0 Cracked + Panel\Libraries\stub.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v22.0 Cracked + Panel\Libraries\stub.exe"
  PID: 2160
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C taskkill /F /PID 2160 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v22.0 Cracked + Panel\Libraries\stub.exe"
    PID: 2636
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /F /PID 2160
      PID: 2724
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\choice.exe
      command line: choice /C Y /N /D Y /T 3
      PID: 2796

The cmd.exe command line is a self-removal routine. taskkill /F /PID 2160 force-terminates the parent stub.exe; choice /C Y /N /D Y /T 3 is used as a three-second sleep (no prompt, defaults to Y when the timeout expires) so that the file handle is released; Del then removes stub.exe from disk. The result is that the original binary is gone by the time a responder looks at the path, which is why the memory dump referenced by the YARA hit, rather than the file, is the durable artifact. cmd.exe, taskkill.exe and choice.exe are loaded from SysWOW64, i.e. through WOW64 file-system redirection, so stub.exe is running as a 32-bit process.
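The chain in this process tree (a process spawns cmd.exe, which kills the spawner by PID, sleeps with choice, and deletes the spawner's image) is worth alerting on by itself, independently of any RedLine-specific signature. The detector below is an added example written for this page, not sandbox or RedLine code. It reads a constructed, simplified process-creation log (one event per line as pid|ppid|image|command line, modelled on the PIDs and command lines above, not a real Sysmon export) and reports a hit only when the cmd.exe's parent is the PID being killed and the path being deleted is that parent's image. The log format, the sample events and the function names are assumptions made for the example.

```python
"""Flag the "kill my parent, wait, delete its image" self-removal chain.

Added example for this report page (not sandbox or RedLine code). The log
format is a constructed simplification: one process-creation event per line
as  pid|ppid|image|command line.  Real telemetry (Sysmon Event ID 1, EDR
process events) carries the same four fields under other names.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the PIDs and command lines in the report,
# plus one decoy: a cmd.exe that kills something else and deletes another file.
SAMPLE_LOG = r"""
2160|1234|C:\Users\Admin\AppData\Local\Temp\Redline Stealer v22.0 Cracked + Panel\Libraries\stub.exe|"C:\Users\Admin\AppData\Local\Temp\Redline Stealer v22.0 Cracked + Panel\Libraries\stub.exe"
2636|2160|C:\Windows\SysWOW64\cmd.exe|"cmd.exe" /C taskkill /F /PID 2160 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Redline Stealer v22.0 Cracked + Panel\Libraries\stub.exe"
2724|2636|C:\Windows\SysWOW64\taskkill.exe|taskkill /F /PID 2160
2796|2636|C:\Windows\SysWOW64\choice.exe|choice /C Y /N /D Y /T 3
3001|1234|C:\Windows\System32\cmd.exe|"cmd.exe" /C taskkill /F /IM notepad.exe & del "C:\Users\Admin\Desktop\notes.txt"
"""

# taskkill ... /PID <n>, allowing other switches (e.g. /F) before /PID
TASKKILL_PID = re.compile(r"taskkill(?:\.exe)?\s+(?:/\S+\s+)*?/PID\s+(\d+)", re.I)
# a trailing del/erase of a (possibly quoted) path at the end of the command line
DEL_PATH = re.compile(r"\b(?:del|erase)\s+\"?([^\"&|]+?)\"?\s*$", re.I)
# cmd.exe sleep substitutes used to let the parent die before the delete runs
SLEEP_TRICK = re.compile(
    r"\b(?:choice\b.*?/T\s+\d+|timeout\b.*?/T\s+\d+|ping\b.*?-n\s+\d+)", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed pid|ppid|image|cmdline format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=3 keeps any '|' that appears inside the command line
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def find_self_delete(events: list[ProcEvent]) -> list[dict]:
    """Return one record per cmd.exe that kills its own parent by PID and
    then deletes that parent's image file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        kill = TASKKILL_PID.search(e.cmdline)
        if not kill:
            continue
        parent = by_pid.get(e.ppid)
        # The interesting case is a child killing *its own parent* by PID.
        if parent is None or int(kill.group(1)) != parent.pid:
            continue
        dele = DEL_PATH.search(e.cmdline)
        if not dele:
            continue
        deleted = dele.group(1).strip()
        # Exact path match; a production rule would normalise 8.3 names, env vars, etc.
        if deleted.lower() != parent.image.lower():
            continue
        hits.append({
            "cmd_pid": e.pid,
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "deleted": deleted,
            "delayed": bool(SLEEP_TRICK.search(e.cmdline)),
        })
    return hits


def main() -> None:
    for h in find_self_delete(parse_log(SAMPLE_LOG)):
        print(f"self-delete: cmd.exe {h['cmd_pid']} kills parent {h['parent_pid']} "
              f"and deletes {h['deleted']} (sleep trick: {h['delayed']})")


if __name__ == "__main__":
    main()
```

Run as a script it reports the single chain from the report (cmd.exe 2636 killing 2160 and deleting stub.exe, with the choice-based delay) and stays silent on the decoy, which kills by image name rather than PID. The parent check is what keeps the rule quiet: plenty of installers and updaters run taskkill and del from cmd.exe, but almost none of them kill the process that launched them and then erase its executable. The path comparison is deliberately strict; when porting this to real telemetry, normalise both sides (case, 8.3 short names, expanded environment variables) or compare directory plus basename instead.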