Overview

overview

10

Static

static

10

Kirame.Bui...er.exe

windows7-x64

10

Kirame.Bui...er.exe

windows10-2004-x64

10

Kirame.Bui...db.dll

windows7-x64

1

Kirame.Bui...db.dll

windows10-2004-x64

1

Kirame.Bui...db.dll

windows7-x64

1

Kirame.Bui...db.dll

windows10-2004-x64

1

Kirame.Bui...ks.dll

windows7-x64

1

Kirame.Bui...ks.dll

windows10-2004-x64

1

Kirame.Bui...il.dll

windows7-x64

1

Kirame.Bui...il.dll

windows10-2004-x64

1

Kirame.Hos...st.exe

windows7-x64

10

Kirame.Hos...st.exe

windows10-2004-x64

10

Kirame.Hos...me.dll

windows7-x64

1

Kirame.Hos...me.dll

windows10-2004-x64

1

Kirame.Loa...er.exe

windows7-x64

7

Kirame.Loa...er.exe

windows10-2004-x64

7

Panel/RedL...el.exe

windows7-x64

10

Panel/RedL...el.exe

windows10-2004-x64

10

Panel/RedL...me.exe

windows7-x64

6

Panel/RedL...me.exe

windows10-2004-x64

6

Panel/RedL...48.exe

windows7-x64

7

Panel/RedL...48.exe

windows10-2004-x64

7

Panel/RedL...ar.exe

windows7-x64

1

Panel/RedL...ar.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    118929fa7bb48dd46b39a24144202096725293c56c310b56420ddf7976567710

  • Size

    14.9MB

  • Sample

    241104-3cks1szbmf

  • MD5

    3667b953a49081cc09a1bf2d89973e25

  • SHA1

    0f7481b87bfc416e36b75efc5427f936926a1631

  • SHA256

    118929fa7bb48dd46b39a24144202096725293c56c310b56420ddf7976567710

  • SHA512

    4ac73a99dc157a59e33e7d5e72de490a715fecb143ebb17ae27765d7ab40411201ce1b02492f5b5a33f8bd76ee764ee1969e510c0b18a39e7ca50cd68201e8c6

  • SSDEEP

    393216:3d5QBs5upK29d7k68ifsRS9LxIH3jCm/wY0Zxl07AUHpu:34BsUI2xfsR7jd/NOD079pu

Score
10/10
redlinestealerium@dwqmoshdiscoveryinfostealerpersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1047654116228345967/dT7jUV207CYFaDTyw5AjhdZqXpjCIIxGZ_EDkNw3xvWyEvVdBpBpamsgIddePN8lC8mc

Extracted

Family

redline

Botnet

@dwqmosh

C2

neredenkyor.xyz:81

Attributes
  • auth_value

    a94b13695bd4053b8b47b0976366da25

Targets

    • Target

      Kirame.Builder/Kirame.Builder.exe

    • Size

      2.4MB

    • MD5

      2ba1b8fb32916403ad7249df8f7e608d

    • SHA1

      726e1c8c0cc89b9cd94576c51b5f77d4e3defb3b

    • SHA256

      4411cee1d891a03cb0c12726325baeaa6c913c31506c3fff9923da17cb48ef5c

    • SHA512

      6bb9e5b24410aea7629b6d5d0b926abf068b739aa6e232d264fc0954d1e69b27a086aed28fee6d44a876250c6e73da99b74f6053574e4f4136482a3826a46f80

    • SSDEEP

      24576:SiJYwYHYlyCxxGM/sXKR2praFeY6Vus1P2E9fDLVzMbXil3RuQ553131:SiJYOesepV/1P2E9fDfl3L

    Score
    10/10
    redline@dwqmoshdiscoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Kirame.Builder/Mono.Cecil.Mdb.dll

    • Size

      42KB

    • MD5

      1c6aca0f1b1fa1661fc1e43c79334f7c

    • SHA1

      ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d

    • SHA256

      411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b

    • SHA512

      1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76

    • SSDEEP

      768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS

    Score
    1/10
    behavioral3behavioral4

    • Target

      Kirame.Builder/Mono.Cecil.Pdb.dll

    • Size

      87KB

    • MD5

      6d5eb860c2be5dbeb470e7d3f3e7dda4

    • SHA1

      80c76660b87c52127b1a7da48e27700f75362041

    • SHA256

      447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4

    • SHA512

      64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5

    • SSDEEP

      1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO

    Score
    1/10
    behavioral5behavioral6

    • Target

      Kirame.Builder/Mono.Cecil.Rocks.dll

    • Size

      27KB

    • MD5

      6e7f0f4fff6c49e3f66127c23b7f1a53

    • SHA1

      14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a

    • SHA256

      2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e

    • SHA512

      0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e

    • SSDEEP

      384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd

    Score
    1/10
    behavioral7behavioral8

    • Target

      Kirame.Builder/Mono.Cecil.dll

    • Size

      350KB

    • MD5

      de69bb29d6a9dfb615a90df3580d63b1

    • SHA1

      74446b4dcc146ce61e5216bf7efac186adf7849b

    • SHA256

      f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

    • SHA512

      6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

    • SSDEEP

      6144:jIevdbLPNYe8bikm98KXPHhOWY/fFREomhUFD3z:se1PNL+QRfBg/f/EWFD

    Score
    1/10
    behavioral10behavioral9

    • Target

      Kirame.Host/Kirame.Host.exe

    • Size

      1.6MB

    • MD5

      c7085202e7a5620160f9d4fdf1219df2

    • SHA1

      abe00b161c2f83ee83133b187262bf6289e88339

    • SHA256

      00b2a7341252cef219c7070853a4e7cf4ce086a69de1c10ceee91fe8a6add013

    • SHA512

      8f91ba27d9f83be857c12b2b9339ebd83f2f77c11f3d4610347de3f8a54321e25d1ff197596fc952da0920344990738a8de57921250e03c2c4bc340c4b4e7640

    • SSDEEP

      24576:eQi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqn+/:evTq24GjdGSgw+W7SCRnVQTEQ/BA8+

    Score
    10/10
    stealeriumdiscoverystealer

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Stealerium family

      stealerium

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral11behavioral12

    • Target

      Kirame.Host/Kirame.dll

    • Size

      123KB

    • MD5

      e3d39e30e0cdb76a939905da91fe72c8

    • SHA1

      433fc7dc929380625c8a6077d3a697e22db8ed14

    • SHA256

      4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

    • SHA512

      9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

    • SSDEEP

      3072:9mWO8dR1mB5UzPU7vdTm8pLetBD0PQbP1:g2dL8ewbJnpBe

    Score
    1/10
    behavioral13behavioral14

    • Target

      Kirame.Loader/Kirame.Loader.exe

    • Size

      779KB

    • MD5

      341544d48dffd2ea814db70b1ab59868

    • SHA1

      27eb7de97fd9aa568cab1c23483058c7ff78cc70

    • SHA256

      88d9c1fde490e92f60b2ec1a3b31f73358449edc3f4a91702d206204be848fdc

    • SHA512

      26adaea9fdc82e30cdd871bd6fa9e39aeb00f31a99449b1313235724a11fae928ae7602f8d61975a128d658b966cb4c735f5585197b7d23c7d5c82b7e427dc45

    • SSDEEP

      6144:6rxmnlXOdKHVE+1KEVmYVZDbrsVLKxWe/s9qfvowhaAMV3eXgfQULGb3WOaZGwbi:eml1OAUYeKxWe0eJueQffLG7rPWoi89

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral15behavioral16

    • Target

      Panel/RedLine20_22/Panel/Panel.exe

    • Size

      9.3MB

    • MD5

      f4e19b67ef27af1434151a512860574e

    • SHA1

      56304fc2729974124341e697f3b21c84a8dd242a

    • SHA256

      c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

    • SHA512

      a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

    • SSDEEP

      196608:mJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVI1SM52n3iWuUZ/c1sxXoP3p:mJQaPHrQqXs140qMhu8369sV+HLz9SKI

    Score
    10/10
    redlineinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral17behavioral18

    • Target

      Panel/RedLine20_22/Tools/Chrome.exe

    • Size

      1.1MB

    • MD5

      92cfeb7c07906eac0d4220b8a1ed65b1

    • SHA1

      882b83e903b5b4c7c75f0b1dc31bb7aa8938d8fa

    • SHA256

      38b827a431b89da0d9cdd444373364371f4f6e6bf299e7935f05b2351ca9186c

    • SHA512

      e2ee932f5b81403935a977f9d3c8e2e4f6a4c9a1967b7e1cf61229a7746a24aae486ac6b779fb570f1dff02a3ff30107044f0427ce46474b91d788c78c8fcfbf

    • SSDEEP

      24576:q6JGMnMpfVArKlhbP6GFibQC1QSvKZHHf1FqbI4Cn:47/MPGFibsSipHubPa

    Score
    6/10
    discoverypersistenceprivilege_escalationspywarestealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral19behavioral20

    • Target

      Panel/RedLine20_22/Tools/NetFramework48.exe

    • Size

      1.4MB

    • MD5

      86482f2f623a52b8344b00968adc7b43

    • SHA1

      755349ecd6a478fe010e466b29911d2388f6ce94

    • SHA256

      2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57

    • SHA512

      64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d

    • SSDEEP

      24576:MGHL3siy9J0/SmtLvUDSRbm4Jah1rVxL+iTOhYdeM+GkdnddMF2ScVC3oKNVpNXo:RL3s7mKeTUDBzrVxxOhYdeMinddG2lCK

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral21behavioral22

    • Target

      Panel/RedLine20_22/Tools/WinRar.exe

    • Size

      3.2MB

    • MD5

      b66dec691784f00061bc43e62030c343

    • SHA1

      779d947d41efafc2995878e56e213411de8fb4cf

    • SHA256

      26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370

    • SHA512

      6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3

    • SSDEEP

      98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8

    Score
    1/10
    behavioral23behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

6
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

stealerium
Score
10/10

behavioral1

redline@dwqmoshdiscoveryinfostealer
Score
10/10

behavioral2

redline@dwqmoshdiscoveryinfostealer
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

stealeriumdiscoverystealer
Score
10/10

behavioral12

stealeriumdiscoverystealer
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
7/10

behavioral16

Score
7/10

behavioral17

redlineinfostealer
Score
10/10

behavioral18

redlineinfostealer
Score
10/10

behavioral19

discoverypersistenceprivilege_escalationspywarestealer
Score
6/10

behavioral20

discoverypersistenceprivilege_escalationspywarestealer
Score
6/10

behavioral21

discovery
Score
7/10

behavioral22

discovery
Score
7/10

behavioral23

Score
1/10

behavioral24

Score
1/10