Overview

overview

10

Static

static

1

Download-R...er.zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    2699s
  • max time network
    2600s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-12-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Download-RedLine-Stealer-Latest-Cleaned-main/RedLine Stealer.zip

  • Size

    17.2MB

  • MD5

    d3d1d5504a838b38d27bfdc29a9bf0ea

  • SHA1

    f6c351251c4b5fa64b852dc2ae6f85cf870a1508

  • SHA256

    4f90b7c87ae9a261936b72f8062c7ffff38f5921dc58794a23084aa0ad95969d

  • SHA512

    7f7dd2471f6aec68b1a2d59b1ccac1cef1142ee9fd734db6b320013dddac3c8e828ec0339765aa4df864e275415862df877971dbec803a3d6b350f034982c781

  • SSDEEP

    393216:y6AL1DWiFjy2F43KVjCybo8x8CLO0kjl2sDYSUs9Tx:y5L1rFjEKl1oNrJZYyl

Score
10/10
redlinexwormdiscoveryinfostealerrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

svchost.serveirc.com:1313

Mutex

MML7YiawHlQLefrX

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7089308942:AAHsTcsMKoz1p6-9kX7OD8cZDlRLQM_DN-A/sendMessage?chat_id=5936200928

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 20 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Download-RedLine-Stealer-Latest-Cleaned-main\RedLine Stealer.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3496
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2216
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RedLine Stealer\How To Use.txt
      1⤵
        PID:960
      • C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe
        "C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Users\Admin\AppData\Local\Temp\Panel.exe
          "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Users\Admin\AppData\Local\Temp\Panel.exe
            "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
            3⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:5104
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4616
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1880
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        C:\Users\Admin\AppData\Roaming\svchost.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4216
      • C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe
        "C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe
          "C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe"
          2⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:2192
        • C:\Users\Admin\AppData\Local\Temp\Eihb.exe
          "C:\Users\Admin\AppData\Local\Temp\Eihb.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5044
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1760
            3⤵
            • Program crash
            PID:4936
      • C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe
        "C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2472
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5044 -ip 5044
        1⤵
          PID:4156
        • C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe
          "C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5048
          • C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe
            "C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:2024
          • C:\Users\Admin\AppData\Local\Temp\Eihb.exe
            "C:\Users\Admin\AppData\Local\Temp\Eihb.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2744
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1752
              3⤵
              • Program crash
              PID:4928
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost.exe
          1⤵
          • Executes dropped EXE
          PID:5084
        • C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe
          "C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe"
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2744 -ip 2744
          1⤵
            PID:4628
          • C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe
            "C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:492
            • C:\Users\Admin\AppData\Local\Temp\Panel.exe
              "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4044
              • C:\Users\Admin\AppData\Local\Temp\Panel.exe
                "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3768
                • C:\Users\Admin\AppData\Local\Temp\Panel.exe
                  "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzXBYs4SYNUa0R/9OpRl7qgAAAAACAAAAAAAQZgAAAAEAACAAAACxYeZHxbsIzEwXN8Au1nol/MYbCYN6kZtA7LZZD/qe4QAAAAAOgAAAAAIAACAAAAAXj1Ws8l7ZVtDmnAlvQz3RYXoGDpP5jC7NP3/C1q47TRAAAADmjGNO3jkVaUwfGSbjxEWGQAAAALCWtwfE3CIAJe4Ms2obZrSaOKKb85v2aykAi021da642rzwHlSLwPWEE1w9XKee/qiBTModG/+/fVSOTnpbhOc=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzXBYs4SYNUa0R/9OpRl7qgAAAAACAAAAAAAQZgAAAAEAACAAAAB/H+kD0rvrrwdKw7eEkkxLYN5QvQ6aC1puuE5P64Kv1gAAAAAOgAAAAAIAACAAAAAkMeYJURcmMGb3PC25itquXY+nHJgRv6aMVoIhpqxNpBAAAAAdnKYsyuZdJHChWKmyQheGQAAAAK1MiucE2L61OJoO2ETK+xRCA7UJAjHca1BVnAiPBgMo3+f8GfUBvsyrAHTo31nrkqlAqiSFssae41XDXRlG0F8="
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:5736
                  • C:\Users\Admin\AppData\Local\Temp\Panel.exe
                    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzXBYs4SYNUa0R/9OpRl7qgAAAAACAAAAAAAQZgAAAAEAACAAAACxYeZHxbsIzEwXN8Au1nol/MYbCYN6kZtA7LZZD/qe4QAAAAAOgAAAAAIAACAAAAAXj1Ws8l7ZVtDmnAlvQz3RYXoGDpP5jC7NP3/C1q47TRAAAADmjGNO3jkVaUwfGSbjxEWGQAAAALCWtwfE3CIAJe4Ms2obZrSaOKKb85v2aykAi021da642rzwHlSLwPWEE1w9XKee/qiBTModG/+/fVSOTnpbhOc=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzXBYs4SYNUa0R/9OpRl7qgAAAAACAAAAAAAQZgAAAAEAACAAAAB/H+kD0rvrrwdKw7eEkkxLYN5QvQ6aC1puuE5P64Kv1gAAAAAOgAAAAAIAACAAAAAkMeYJURcmMGb3PC25itquXY+nHJgRv6aMVoIhpqxNpBAAAAAdnKYsyuZdJHChWKmyQheGQAAAAK1MiucE2L61OJoO2ETK+xRCA7UJAjHca1BVnAiPBgMo3+f8GfUBvsyrAHTo31nrkqlAqiSFssae41XDXRlG0F8=" "--monitor"
                    5⤵
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:2600
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              2⤵
              • Executes dropped EXE
              PID:5108
          • C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe
            "C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:576
            • C:\Users\Admin\AppData\Local\Temp\Panel.exe
              "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:5080
              • C:\Users\Admin\AppData\Local\Temp\Panel.exe
                "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:6016
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              2⤵
              • Executes dropped EXE
              PID:2712
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5508
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1672
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1668
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:3868
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:3824
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:4836
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:4900
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1756
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:4184
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5124
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5516
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:4752
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:2480
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:3064
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:3248
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:4020
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5096
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:3232
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5056
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:2584
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:4936
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5576
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1504
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5516
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5956
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:4100
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:2716
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1808
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1572
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:3676
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1596
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:3652
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1428
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1216
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5460
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:840
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:1496
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5656
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5928
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:5212
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            C:\Users\Admin\AppData\Roaming\svchost.exe
            1⤵
              PID:5600
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              C:\Users\Admin\AppData\Roaming\svchost.exe
              1⤵
                PID:2488

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Krumo.Loader.exe.log
                Filesize

                1KB

                MD5

                b4e91d2e5f40d5e2586a86cf3bb4df24

                SHA1

                31920b3a41aa4400d4a0230a7622848789b38672

                SHA256

                5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

                SHA512

                968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log
                Filesize

                654B

                MD5

                2cbbb74b7da1f720b48ed31085cbd5b8

                SHA1

                79caa9a3ea8abe1b9c4326c3633da64a5f724964

                SHA256

                e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

                SHA512

                ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kurome.Host.exe.log
                Filesize

                1KB

                MD5

                1fac34169b9261b51fcb7b3c4434faeb

                SHA1

                07b94eb9ff0ecf49e1dba237328790cb883477b4

                SHA256

                c76a7825ba90a2a6745337b5b8ae329e61d4be50224681b98762d286142a7bdc

                SHA512

                70288a4a4f3d55a0375471efdc808309d641ceb3ef28a162db2fa1d9f0999c3855de499a131adb3529eb6fb9445f58d085b21619f08dad79596e95036fce423a

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rarqxqlarwy.exe.log
                Filesize

                425B

                MD5

                bb27934be8860266d478c13f2d65f45e

                SHA1

                a69a0e171864dcac9ade1b04fc0313e6b4024ccb

                SHA256

                85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

                SHA512

                87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Eihb.exe
                Filesize

                118KB

                MD5

                677073949945ca09fe971682561c5f11

                SHA1

                cb33238550faa82cb5d3b5e4116a8c721a4fc96c

                SHA256

                571d22f4659932c89344baf33e0e53dcb790fa9cb196ad7a937ce17f567f5062

                SHA512

                006c596edb2c6cef589319917c70531e0672cd8831a4d6852c0641e9cc9a90d351f687884da67a02055706c334e94b68a17c8a0cf9f6041b633f8f85cd9185f6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Panel.exe
                Filesize

                9.3MB

                MD5

                f4e19b67ef27af1434151a512860574e

                SHA1

                56304fc2729974124341e697f3b21c84a8dd242a

                SHA256

                c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

                SHA512

                a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe
                Filesize

                2.2MB

                MD5

                a3ec05d5872f45528bbd05aeecf0a4ba

                SHA1

                68486279c63457b0579d86cd44dd65279f22d36f

                SHA256

                d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

                SHA512

                b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                Filesize

                80KB

                MD5

                84bec3b8c6db81ad3f26c2796b02a2b5

                SHA1

                7b3e8f34510e196754eb6a21812d96976a24c351

                SHA256

                263251f3218d9e250a8a741ecfa1c5182030d75b75dac3314bdde8c050b2e301

                SHA512

                5690eb7c9dde782ef635edbcf1beab61166bcc651f00334ae1b3554af56b5455c5486c5dc0a70cb7e5bb72bc9742ec77be450ff0f4d5fcdd984e52f9db87aed4

                Download Submit

              • C:\Users\Admin\Desktop\RedLine Stealer\How To Use.txt
                Filesize

                725B

                MD5

                b7de1d805c991602041a05dbcf222f24

                SHA1

                f1e1516b3f0a17f670abd475b2e51ccd82591a30

                SHA256

                d5964507a22c93f848a86b3eb4c9f39f658bfa6971474f1e60fc0c734501f9a7

                SHA512

                d6b42edbe026c0b3b6938fe8bc93828913ba476db86c842fd4869edc50376aacaaf42e84314bda9c0347db16cd19d431a660a14416a4f15d3cf8b9a40e35faf8

                Download Submit

              • C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe
                Filesize

                119KB

                MD5

                4fde0f80c408af27a8d3ddeffea12251

                SHA1

                e834291127af150ce287443c5ea607a7ae337484

                SHA256

                1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

                SHA512

                3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

                Download Submit

              • C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe.config
                Filesize

                189B

                MD5

                5a7f52d69e6fca128023469ae760c6d5

                SHA1

                9d7f75734a533615042f510934402c035ac492f7

                SHA256

                498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

                SHA512

                4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

                Download Submit

              • C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.WCF.dll
                Filesize

                123KB

                MD5

                e3d39e30e0cdb76a939905da91fe72c8

                SHA1

                433fc7dc929380625c8a6077d3a697e22db8ed14

                SHA256

                4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

                SHA512

                9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

                Download Submit

              • C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe
                Filesize

                2.2MB

                MD5

                eac11bc16c0fda030e431a794119473f

                SHA1

                7ccff2bbb88f35e6cee7c58ec264abee962aa556

                SHA256

                8fb55b92f639950c9bbc3c3920a5780ca2d58100e03388d4568dfb48b006372e

                SHA512

                72ae606ca6267cd1ee9dc4f339367d969dd5ee419d91faa757023cb3d3104f0d2eb55ba83208a308bdc5cfcd6d75b7c3fc9966a87d2e77d2f3ab3f87bfb28d25

                Download Submit

              • C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe
                Filesize

                9.4MB

                MD5

                31fa09a4239fb382ab8be3c30fb35f2f

                SHA1

                c31a3400a47a9c47e051b5f7d2f8f9e6346a121b

                SHA256

                ebf94a98b7f5016ddfb9c7b13a689f0c71e8b6b65c495fbd093cc874e3bb86e4

                SHA512

                36fd6ea03ff46b490d901bcca543d85c74fe3a02145f65b07eb2a1c4c491c48aa80e90ba98f5a5ee0a0f3c9933f27c72d42d7f71f2095b2ef74dc9e9c7ed8fe5

                Download Submit

              • C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe.config
                Filesize

                26KB

                MD5

                494890d393a5a8c54771186a87b0265e

                SHA1

                162fa5909c1c3f84d34bda5d3370a957fe58c9c8

                SHA256

                f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7

                SHA512

                40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395

                Download Submit

              • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
                Filesize

                3.4MB

                MD5

                059d51f43f1a774bc5aa76d19c614670

                SHA1

                171329bf0f48190cf4d59ce106b139e63507457d

                SHA256

                2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

                SHA512

                a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

                Download Submit

              • memory/492-4253-0x000000001C720000-0x000000001C89C000-memory.dmp

                Filesize

                1.5MB

                Download

              • memory/1068-4246-0x0000000005850000-0x000000000589C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/2028-95-0x000000001ADB0000-0x000000001AF50000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2028-115-0x000000001DAB0000-0x000000001DBF2000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2028-128-0x000000001DE80000-0x000000001DFC2000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2028-155-0x000000001DBE0000-0x000000001DBEA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2028-156-0x00007FFF1D380000-0x00007FFF1D4CF000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2028-147-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2028-145-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2028-143-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2028-142-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2028-181-0x000000001F6D0000-0x000000001F6EC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/2028-120-0x000000001DAB0000-0x000000001DBF2000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2028-116-0x000000001DAB0000-0x000000001DBF2000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2028-104-0x0000000180000000-0x0000000180005000-memory.dmp

                Filesize

                20KB

                Download

              • memory/2028-105-0x0000000180000000-0x0000000180005000-memory.dmp

                Filesize

                20KB

                Download

              • memory/2028-107-0x0000000180000000-0x0000000180005000-memory.dmp

                Filesize

                20KB

                Download

              • memory/2028-109-0x0000000180000000-0x0000000180005000-memory.dmp

                Filesize

                20KB

                Download

              • memory/2028-111-0x0000000180000000-0x0000000180005000-memory.dmp

                Filesize

                20KB

                Download

              • memory/2028-94-0x000000001ADB0000-0x000000001AF50000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2028-91-0x00007FFF0B430000-0x00007FFF0BEF2000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2028-93-0x000000001ADB0000-0x000000001AF50000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2192-4117-0x0000000000750000-0x0000000000986000-memory.dmp

                Filesize

                2.2MB

                Download

              • memory/2192-4120-0x00000000067A0000-0x0000000006DB0000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/2472-4155-0x0000000006E90000-0x0000000006F90000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2472-4151-0x0000000006560000-0x000000000662E000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2472-4156-0x0000000006DA0000-0x0000000006DD0000-memory.dmp

                Filesize

                192KB

                Download

              • memory/2472-4154-0x0000000006270000-0x00000000062C0000-memory.dmp

                Filesize

                320KB

                Download

              • memory/2472-4153-0x00000000061F0000-0x0000000006218000-memory.dmp

                Filesize

                160KB

                Download

              • memory/2472-4152-0x0000000006C80000-0x0000000006D8A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2472-4150-0x0000000006140000-0x000000000618C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/2472-4149-0x00000000062D0000-0x0000000006556000-memory.dmp

                Filesize

                2.5MB

                Download

              • memory/2472-4133-0x0000000000F00000-0x0000000000F24000-memory.dmp

                Filesize

                144KB

                Download

              • memory/2472-4139-0x0000000005B50000-0x0000000005EB2000-memory.dmp

                Filesize

                3.4MB

                Download

              • memory/2472-4140-0x0000000005EC0000-0x000000000603C000-memory.dmp

                Filesize

                1.5MB

                Download

              • memory/2472-4148-0x0000000005AD0000-0x0000000005B36000-memory.dmp

                Filesize

                408KB

                Download

              • memory/2472-4144-0x0000000005890000-0x00000000058B6000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2472-4145-0x0000000006660000-0x0000000006C78000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/2472-4146-0x0000000005980000-0x0000000005992000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2472-4147-0x0000000005A20000-0x0000000005A5C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2600-17012-0x00000000280C0000-0x00000000280DA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/3768-12115-0x0000000000810000-0x000000000085F000-memory.dmp

                Filesize

                316KB

                Download

              • memory/3768-12116-0x0000000022010000-0x000000002211A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/3768-12117-0x0000000022190000-0x00000000221C0000-memory.dmp

                Filesize

                192KB

                Download

              • memory/3768-12118-0x0000000021F90000-0x0000000021FB2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3768-12119-0x0000000025A30000-0x0000000025D9C000-memory.dmp

                Filesize

                3.4MB

                Download

              • memory/3768-12134-0x0000000021FE0000-0x0000000021FF8000-memory.dmp

                Filesize

                96KB

                Download

              • memory/3768-8661-0x000000001FFD0000-0x00000000205E8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3768-8696-0x00000000205F0000-0x00000000206F0000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4104-66-0x0000000000770000-0x00000000010E6000-memory.dmp

                Filesize

                9.5MB

                Download

              • memory/4148-4093-0x00000000005E0000-0x0000000000820000-memory.dmp

                Filesize

                2.2MB

                Download

              • memory/4616-90-0x0000000000030000-0x000000000004A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/5044-4118-0x0000000000CA0000-0x0000000000CC4000-memory.dmp

                Filesize

                144KB

                Download

              • memory/5044-4119-0x0000000005D70000-0x0000000006316000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/5048-4192-0x000000001AEC0000-0x000000001AF52000-memory.dmp

                Filesize

                584KB

                Download

              • memory/5048-4193-0x000000001AF60000-0x000000001AFC6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/5048-4194-0x000000001B830000-0x000000001BAB6000-memory.dmp

                Filesize

                2.5MB

                Download

              • memory/5048-4191-0x000000001BB50000-0x000000001C0F6000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/5048-4190-0x000000001B230000-0x000000001B592000-memory.dmp

                Filesize

                3.4MB

                Download

              • memory/5084-4197-0x000000001C100000-0x000000001C19C000-memory.dmp

                Filesize

                624KB

                Download

              • memory/5104-4003-0x0000000020190000-0x0000000020240000-memory.dmp

                Filesize

                704KB

                Download

              • memory/5104-3988-0x00000000200A0000-0x00000000200DA000-memory.dmp

                Filesize

                232KB

                Download

              • memory/5104-4037-0x0000000020330000-0x00000000203A4000-memory.dmp

                Filesize

                464KB

                Download

              • memory/5104-4051-0x0000000021540000-0x000000002158A000-memory.dmp

                Filesize

                296KB

                Download

              • memory/5104-4052-0x00000000203B0000-0x0000000020400000-memory.dmp

                Filesize

                320KB

                Download

              • memory/5104-4061-0x0000000021620000-0x0000000021632000-memory.dmp

                Filesize

                72KB

                Download

              • memory/5104-4062-0x0000000023F90000-0x0000000023FCC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/5104-3958-0x000000001FDF0000-0x000000001FE0A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/5104-3974-0x0000000020040000-0x0000000020052000-memory.dmp

                Filesize

                72KB

                Download