redline

Resubmissions

07-02-2025 18:21

250207-wzas1a1rbs 10

07-02-2025 18:14

250207-wvew6asrbr 10

14-02-2024 18:20

240214-wyrecshf8w 10

Sharing

Copy URL

Twitter E-mail

General

Target

Redline.zip
Size

15.0MB
Sample

240214-wyrecshf8w
MD5

0f686985e788860aa57fd6c0394b31ac
SHA1

16a28142b90396bdec88b542856afc6a1d61de63
SHA256

c9ae7d325d8f08613bb8dff54d14591f4fbdd4f289509092b4fbb16c6b855d71
SHA512

42547b6a691c89ed58b8aa0bbd4e11b1c4411bd5291c10a8f575d5c2b8418fb2ed59f14a9838db3864468d751b396abbae0bf0389e407dc7c6e0013c47dfa036
SSDEEP

393216:Qo/GNMywpahzUACC3ubztEDnaYSH0DrmLMlvWqYiABvXpyVIqtR5R:Qo/GUCUAJ3uVmaiDr1Wln1ZyV/R5R

Score

10^/10

Malware Config

Targets

- Target
  
  Redline-Botnet-_ed--drcrypter.ru-/Redline Botnet Cracked [drcrypter.ru]/Kurome.Builder/Kurome.Builder.exe
- Size
  
  137KB
- MD5
  
  cf38a4bde3fe5456dcaf2b28d3bfb709
- SHA1
  
  711518af5fa13f921f3273935510627280730543
- SHA256
  
  c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e
- SHA512
  
  3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc
- SSDEEP
  
  3072:abrwd8T7vH96NLS+ld4qRdxtiZQRWkmVnt749m3DIo9O:aH3TLH96NLS+n46dxICRcVntX
Score

1^/10
behavioral1 behavioral2
- Target
  
  Redline-Botnet-_ed--drcrypter.ru-/Redline Botnet Cracked [drcrypter.ru]/Kurome.Builder/stub.dll
- Size
  
  96KB
- MD5
  
  625ed01fd1f2dc43b3c2492956fddc68
- SHA1
  
  48461ef33711d0080d7c520f79a0ec540bda6254
- SHA256
  
  6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b
- SHA512
  
  1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665
- SSDEEP
  
  1536:9G6ijoigzKqO1RUTBHQsu/0igR4vYVVlmbfaxv0ujXyyedOn4iwEEl:BSElHQ/ORUYos0ujyzdZl
Score

10^/10

redline sectoprat infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
behavioral3 behavioral4
- Target
  
  Redline-Botnet-_ed--drcrypter.ru-/Redline Botnet Cracked [drcrypter.ru]/Kurome.Host/Kurome.Host.exe
- Size
  
  119KB
- MD5
  
  4fde0f80c408af27a8d3ddeffea12251
- SHA1
  
  e834291127af150ce287443c5ea607a7ae337484
- SHA256
  
  1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb
- SHA512
  
  3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5
- SSDEEP
  
  3072:KEdjrOO8+K46SgVE+mxzqT67iLRi/Gj81GUpYb:KjQjgPmxzq27iLRiuAPp
Score

1^/10
behavioral5 behavioral6
- Target
  
  Redline-Botnet-_ed--drcrypter.ru-/Redline Botnet Cracked [drcrypter.ru]/Kurome.Loader/Kurome.Loader.exe
- Size
  
  2.2MB
- MD5
  
  a3ec05d5872f45528bbd05aeecf0a4ba
- SHA1
  
  68486279c63457b0579d86cd44dd65279f22d36f
- SHA256
  
  d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e
- SHA512
  
  b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e
- SSDEEP
  
  49152:KSmo0SdsEoRykUuulqasMwMcdZa9FHeXXGFr3sylP2/BQ7MWV:lm7UQRyksl9cXwFHeX2t8y21
Score

4^/10
behavioral7 behavioral8
- Target
  
  Redline-Botnet-_ed--drcrypter.ru-/Redline Botnet Cracked [drcrypter.ru]/Panel/RedLine_20_2/Panel/Panel.exe
- Size
  
  9.3MB
- MD5
  
  f4e19b67ef27af1434151a512860574e
- SHA1
  
  56304fc2729974124341e697f3b21c84a8dd242a
- SHA256
  
  c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
- SHA512
  
  a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77
- SSDEEP
  
  196608:mJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVI1SM52n3iWuUZ/c1sxXoP3p:mJQaPHrQqXs140qMhu8369sV+HLz9SKI
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  Redline-Botnet-_ed--drcrypter.ru-/Redline Botnet Cracked [drcrypter.ru]/Panel/RedLine_20_2/Tools/Chrome.exe
- Size
  
  1.1MB
- MD5
  
  92cfeb7c07906eac0d4220b8a1ed65b1
- SHA1
  
  882b83e903b5b4c7c75f0b1dc31bb7aa8938d8fa
- SHA256
  
  38b827a431b89da0d9cdd444373364371f4f6e6bf299e7935f05b2351ca9186c
- SHA512
  
  e2ee932f5b81403935a977f9d3c8e2e4f6a4c9a1967b7e1cf61229a7746a24aae486ac6b779fb570f1dff02a3ff30107044f0427ce46474b91d788c78c8fcfbf
- SSDEEP
  
  24576:q6JGMnMpfVArKlhbP6GFibQC1QSvKZHHf1FqbI4Cn:47/MPGFibsSipHubPa
Score

7^/10

persistence spyware stealer discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral11 behavioral12
- Target
  
  Redline-Botnet-_ed--drcrypter.ru-/Redline Botnet Cracked [drcrypter.ru]/Panel/RedLine_20_2/Tools/NetFramework48.exe
- Size
  
  1.4MB
- MD5
  
  86482f2f623a52b8344b00968adc7b43
- SHA1
  
  755349ecd6a478fe010e466b29911d2388f6ce94
- SHA256
  
  2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57
- SHA512
  
  64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d
- SSDEEP
  
  24576:MGHL3siy9J0/SmtLvUDSRbm4Jah1rVxL+iTOhYdeM+GkdnddMF2ScVC3oKNVpNXo:RL3s7mKeTUDBzrVxxOhYdeMinddG2lCK
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral13 behavioral14
- Target
  
  Redline-Botnet-_ed--drcrypter.ru-/Redline Botnet Cracked [drcrypter.ru]/Panel/RedLine_20_2/Tools/WinRar.exe
- Size
  
  3.2MB
- MD5
  
  b66dec691784f00061bc43e62030c343
- SHA1
  
  779d947d41efafc2995878e56e213411de8fb4cf
- SHA256
  
  26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370
- SHA512
  
  6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3
- SSDEEP
  
  98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

RedLine payload

SectopRAT

SectopRAT payload

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Reads user/profile data of web browsers

Modifies Installed Components in the registry

Sets file execution options in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16