General

  • Target

    8fa32651f34b25de3c6c0df61bccfb3b

  • Size

    14.9MB

  • Sample

    241110-mwbfpavfnj

  • MD5

    8fa32651f34b25de3c6c0df61bccfb3b

  • SHA1

    eb590f05309d4a69c372f6b7ffb2319ef19bb88e

  • SHA256

    49206ae54a084c4451eff09c3c0b9806454acb92f82402daceab96c7ced0d4bc

  • SHA512

    5f622f1a018ac05f0f905ffd7dbf7bdcc4f5f3cc015e120378349f1a05ade40e3d5e7a34304f2c39700fc7a8afaaabb41ce6177f6b790ed54aea733dba9403d1

  • SSDEEP

    393216:POQCd+s+V6js3gxHQ9PHKbfEiYzHyQaQ/8oll9MxGQ8D3a/:POQCG1icqDKyzQUCXMxsD3a/

Malware Config

Targets

    • Target

      Kurome.Builder/Kurome.Builder.exe

    • Size

      137KB

    • MD5

      cf38a4bde3fe5456dcaf2b28d3bfb709

    • SHA1

      711518af5fa13f921f3273935510627280730543

    • SHA256

      c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

    • SHA512

      3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

    • SSDEEP

      3072:abrwd8T7vH96NLS+ld4qRdxtiZQRWkmVnt749m3DIo9O:aH3TLH96NLS+n46dxICRcVntX

    Score
    3/10
    • Target

      Kurome.Builder/Mono.Cecil.Mdb.dll

    • Size

      42KB

    • MD5

      1c6aca0f1b1fa1661fc1e43c79334f7c

    • SHA1

      ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d

    • SHA256

      411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b

    • SHA512

      1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76

    • SSDEEP

      768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS

    Score
    1/10
    • Target

      Kurome.Builder/Mono.Cecil.Pdb.dll

    • Size

      87KB

    • MD5

      6d5eb860c2be5dbeb470e7d3f3e7dda4

    • SHA1

      80c76660b87c52127b1a7da48e27700f75362041

    • SHA256

      447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4

    • SHA512

      64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5

    • SSDEEP

      1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO

    Score
    1/10
    • Target

      Kurome.Builder/Mono.Cecil.Rocks.dll

    • Size

      27KB

    • MD5

      6e7f0f4fff6c49e3f66127c23b7f1a53

    • SHA1

      14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a

    • SHA256

      2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e

    • SHA512

      0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e

    • SSDEEP

      384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd

    Score
    1/10
    • Target

      Kurome.Builder/Mono.Cecil.dll

    • Size

      350KB

    • MD5

      de69bb29d6a9dfb615a90df3580d63b1

    • SHA1

      74446b4dcc146ce61e5216bf7efac186adf7849b

    • SHA256

      f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

    • SHA512

      6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

    • SSDEEP

      6144:jIevdbLPNYe8bikm98KXPHhOWY/fFREomhUFD3z:se1PNL+QRfBg/f/EWFD

    Score
    1/10
    • Target

      Kurome.Builder/stub.dll

    • Size

      96KB

    • MD5

      625ed01fd1f2dc43b3c2492956fddc68

    • SHA1

      48461ef33711d0080d7c520f79a0ec540bda6254

    • SHA256

      6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b

    • SHA512

      1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665

    • SSDEEP

      1536:9G6ijoigzKqO1RUTBHQsu/0igR4vYVVlmbfaxv0ujXyyedOn4iwEEl:BSElHQ/ORUYos0ujyzdZl

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Target

      Kurome.Host/Kurome.Host.exe

    • Size

      119KB

    • MD5

      4fde0f80c408af27a8d3ddeffea12251

    • SHA1

      e834291127af150ce287443c5ea607a7ae337484

    • SHA256

      1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

    • SHA512

      3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

    • SSDEEP

      3072:KEdjrOO8+K46SgVE+mxzqT67iLRi/Gj81GUpYb:KjQjgPmxzq27iLRiuAPp

    Score
    3/10
    • Target

      Kurome.Host/Kurome.WCF.dll

    • Size

      123KB

    • MD5

      e3d39e30e0cdb76a939905da91fe72c8

    • SHA1

      433fc7dc929380625c8a6077d3a697e22db8ed14

    • SHA256

      4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

    • SHA512

      9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

    • SSDEEP

      3072:9mWO8dR1mB5UzPU7vdTm8pLetBD0PQbP1:g2dL8ewbJnpBe

    Score
    1/10
    • Target

      Kurome.Loader/Kurome.Loader.exe

    • Size

      2.2MB

    • MD5

      a3ec05d5872f45528bbd05aeecf0a4ba

    • SHA1

      68486279c63457b0579d86cd44dd65279f22d36f

    • SHA256

      d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

    • SHA512

      b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

    • SSDEEP

      49152:KSmo0SdsEoRykUuulqasMwMcdZa9FHeXXGFr3sylP2/BQ7MWV:lm7UQRyksl9cXwFHeX2t8y21

    Score
    4/10
    • Target

      Panel/RedLine_20_2/FAQ (English).docx

    • Size

      30KB

    • MD5

      a973ea85439ddfe86379d47e19da4dca

    • SHA1

      78f60711360ddd46849d128e7a5d1b68b1d43f9f

    • SHA256

      c197833a3fd69e98fbf2b02e9da232ff2867e1e684d420fd3975188c0e0e202b

    • SHA512

      4a3fad33cccb15ea2d98bc30141744ba6709afec52d429ac0916aa656f4b611fdeda4b37812f0a72b90de000fc5c0f95bb445e5df67fc4ba6f93de5ce55df510

    • SSDEEP

      768:oi87zWNuZn3IZElFoL+goT2Ir9259IQ+409:oi8mQnXFoigoRr9aIvX9

    Score
    4/10
    • Target

      Panel/RedLine_20_2/FAQ(RUS).docx

    • Size

      51KB

    • MD5

      aa9534a22d08fb17b6c50164ca226aba

    • SHA1

      9d68e6e4b0ea3c41ad7f70733dc53628962765ce

    • SHA256

      e3f9590d0a28e8f17d40f9a5a5489a963c6d5e722a324adf0d1d666ea424c89f

    • SHA512

      a4290cf0f3ecbb25078a0d3f870ed6abcab83d831e107f59730cf5fbdbc0268ac831d8f31f18a08794e27e51ba302ecb5bdd4bac85f3887844ed881c363bb8b9

    • SSDEEP

      1536:YmF2FkS3yM0Yj3ePetyogAcLrANZLI3dakgXeV:YNFkGem74Lr+k3v7V

    Score
    4/10
    • Target

      Panel/RedLine_20_2/Panel/Panel.exe

    • Size

      9.3MB

    • MD5

      f4e19b67ef27af1434151a512860574e

    • SHA1

      56304fc2729974124341e697f3b21c84a8dd242a

    • SHA256

      c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

    • SHA512

      a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

    • SSDEEP

      196608:mJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVI1SM52n3iWuUZ/c1sxXoP3p:mJQaPHrQqXs140qMhu8369sV+HLz9SKI

    Score
    10/10
    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Panel/RedLine_20_2/Tools/Chrome.exe

    • Size

      1.1MB

    • MD5

      92cfeb7c07906eac0d4220b8a1ed65b1

    • SHA1

      882b83e903b5b4c7c75f0b1dc31bb7aa8938d8fa

    • SHA256

      38b827a431b89da0d9cdd444373364371f4f6e6bf299e7935f05b2351ca9186c

    • SHA512

      e2ee932f5b81403935a977f9d3c8e2e4f6a4c9a1967b7e1cf61229a7746a24aae486ac6b779fb570f1dff02a3ff30107044f0427ce46474b91d788c78c8fcfbf

    • SSDEEP

      24576:q6JGMnMpfVArKlhbP6GFibQC1QSvKZHHf1FqbI4Cn:47/MPGFibsSipHubPa

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      Panel/RedLine_20_2/Tools/NetFramework48.exe

    • Size

      1.4MB

    • MD5

      86482f2f623a52b8344b00968adc7b43

    • SHA1

      755349ecd6a478fe010e466b29911d2388f6ce94

    • SHA256

      2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57

    • SHA512

      64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d

    • SSDEEP

      24576:MGHL3siy9J0/SmtLvUDSRbm4Jah1rVxL+iTOhYdeM+GkdnddMF2ScVC3oKNVpNXo:RL3s7mKeTUDBzrVxxOhYdeMinddG2lCK

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      Panel/RedLine_20_2/Tools/WinRar.exe

    • Size

      3.2MB

    • MD5

      b66dec691784f00061bc43e62030c343

    • SHA1

      779d947d41efafc2995878e56e213411de8fb4cf

    • SHA256

      26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370

    • SHA512

      6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3

    • SSDEEP

      98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8

    Score
    1/10
    • Target

      crack.exe

    • Size

      38KB

    • MD5

      b5086eebe0a0a878807a677aeb4fc4f6

    • SHA1

      313913645d57696233293197c9e5cff932535e6e

    • SHA256

      69029912f948d6bd6c3084ca34885cdeef97190865f6838c9a928fad56b3f958

    • SHA512

      1a6e732b0cbd0b89b8b7fe4472d76df46f44d757b550526e88d9c3c01170332d3ef20304a8106cfb47923e466b6dfe6ffdc4b77350c4394ea9ebb72100e0787b

    • SSDEEP

      768:qZikt/BbOQPtFdd1ll8IykeDBpIZPTQmT:qJ/Bbp5lQkGIZHT

    Score
    7/10
    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

redlinesectoprat
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

redlinesectopratdiscoveryinfostealerrattrojan
Score
10/10

behavioral12

redlinesectopratdiscoveryinfostealerrattrojan
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

discovery
Score
4/10

behavioral18

discovery
Score
4/10

behavioral19

discovery
Score
4/10

behavioral20

Score
1/10

behavioral21

discovery
Score
4/10

behavioral22

Score
1/10

behavioral23

redlineinfostealer
Score
10/10

behavioral24

redlineinfostealer
Score
10/10

behavioral25

discoverypersistenceprivilege_escalationspywarestealer
Score
6/10

behavioral26

discoverypersistenceprivilege_escalationspywarestealer
Score
6/10

behavioral27

discovery
Score
7/10

behavioral28

discovery
Score
7/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

persistence
Score
7/10

behavioral32

persistence
Score
7/10