Overview
overview
10Static
static
10Kirame.Bui...er.exe
windows7-x64
10Kirame.Bui...er.exe
windows10-2004-x64
10Kirame.Bui...db.dll
windows7-x64
1Kirame.Bui...db.dll
windows10-2004-x64
1Kirame.Bui...db.dll
windows7-x64
1Kirame.Bui...db.dll
windows10-2004-x64
1Kirame.Bui...ks.dll
windows7-x64
1Kirame.Bui...ks.dll
windows10-2004-x64
1Kirame.Bui...il.dll
windows7-x64
1Kirame.Bui...il.dll
windows10-2004-x64
1Kirame.Hos...st.exe
windows7-x64
10Kirame.Hos...st.exe
windows10-2004-x64
10Kirame.Hos...me.dll
windows7-x64
1Kirame.Hos...me.dll
windows10-2004-x64
1Kirame.Loa...er.exe
windows7-x64
7Kirame.Loa...er.exe
windows10-2004-x64
7Panel/RedL...el.exe
windows7-x64
10Panel/RedL...el.exe
windows10-2004-x64
10Panel/RedL...me.exe
windows7-x64
6Panel/RedL...me.exe
windows10-2004-x64
6Panel/RedL...48.exe
windows7-x64
7Panel/RedL...48.exe
windows10-2004-x64
7Panel/RedL...ar.exe
windows7-x64
1Panel/RedL...ar.exe
windows10-2004-x64
1Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-11-2024 23:22
Behavioral task
behavioral1
Sample
Kirame.Builder/Kirame.Builder.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Kirame.Builder/Kirame.Builder.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Kirame.Builder/Mono.Cecil.Mdb.dll
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
Kirame.Builder/Mono.Cecil.Mdb.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Kirame.Builder/Mono.Cecil.Pdb.dll
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
Kirame.Builder/Mono.Cecil.Pdb.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Kirame.Builder/Mono.Cecil.Rocks.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Kirame.Builder/Mono.Cecil.Rocks.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Kirame.Builder/Mono.Cecil.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Kirame.Builder/Mono.Cecil.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Kirame.Host/Kirame.Host.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
Kirame.Host/Kirame.Host.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Kirame.Host/Kirame.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Kirame.Host/Kirame.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Kirame.Loader/Kirame.Loader.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Kirame.Loader/Kirame.Loader.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Panel/RedLine20_22/Panel/Panel.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Panel/RedLine20_22/Panel/Panel.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Panel/RedLine20_22/Tools/Chrome.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
Panel/RedLine20_22/Tools/Chrome.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Panel/RedLine20_22/Tools/NetFramework48.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Panel/RedLine20_22/Tools/NetFramework48.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Panel/RedLine20_22/Tools/WinRar.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
Panel/RedLine20_22/Tools/WinRar.exe
Resource
win10v2004-20241007-en
General
-
Target
Panel/RedLine20_22/Panel/Panel.exe
-
Size
9.3MB
-
MD5
f4e19b67ef27af1434151a512860574e
-
SHA1
56304fc2729974124341e697f3b21c84a8dd242a
-
SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
-
SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77
-
SSDEEP
196608:mJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVI1SM52n3iWuUZ/c1sxXoP3p:mJQaPHrQqXs140qMhu8369sV+HLz9SKI
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral17/memory/3288-3888-0x000000001F750000-0x000000001F76A000-memory.dmp family_redline -
Redline family
-
Suspicious use of NtSetInformationThreadHideFromDebugger 56 IoCs
pid Process 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 2924 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe 3288 Panel.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2924 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe 3288 Panel.exe 2924 Panel.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2924 Panel.exe Token: SeDebugPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe Token: 33 3288 Panel.exe Token: SeIncBasePriorityPrivilege 3288 Panel.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2924 wrote to memory of 3288 2924 Panel.exe 31 PID 2924 wrote to memory of 3288 2924 Panel.exe 31 PID 2924 wrote to memory of 3288 2924 Panel.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Panel\RedLine20_22\Panel\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Panel\RedLine20_22\Panel\Panel.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\Panel\RedLine20_22\Panel\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Panel\RedLine20_22\Panel\Panel.exe" "--monitor"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288
-