redline | 4f90b7c87ae9a261936b72f8062c7ffff38f5921dc58794a23084aa0ad95969d

Analysis

max time kernel
150s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RedLine Stealer.zip
Size

17.2MB
MD5

d3d1d5504a838b38d27bfdc29a9bf0ea
SHA1

f6c351251c4b5fa64b852dc2ae6f85cf870a1508
SHA256

4f90b7c87ae9a261936b72f8062c7ffff38f5921dc58794a23084aa0ad95969d
SHA512

7f7dd2471f6aec68b1a2d59b1ccac1cef1142ee9fd734db6b320013dddac3c8e828ec0339765aa4df864e275415862df877971dbec803a3d6b350f034982c781
SSDEEP

393216:y6AL1DWiFjy2F43KVjCybo8x8CLO0kjl2sDYSUs9Tx:y5L1rFjEKl1oNrJZYyl

Score

10^/10

redline xworm discovery infostealer rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

svchost.serveirc.com:1313

Mutex

MML7YiawHlQLefrX

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7089308942:AAHsTcsMKoz1p6-9kX7OD8cZDlRLQM_DN-A/sendMessage?chat_id=5936200928

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ab8a-139.dat	family_xworm
behavioral1/memory/2752-147-0x00000000004F0000-0x000000000050A000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1724-4022-0x000000001F8C0000-0x000000001F8DA000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 9 IoCs

pid	Process
1848	Kurome.Host.exe
2148	Krumo.Loader.exe
4212	Rarqxqlarwy.exe
4228	Eihb.exe
2592	Panel.exe
5108	Panel.exe
2752	svchost.exe
1724	Panel.exe
5028	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	Kurome.Host.exe
1848	Kurome.Host.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 60 IoCs

pid	Process
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe
1724	Panel.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicElegant.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicStylish.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Casual.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Casual.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Centered.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicElegant.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicSimple.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWCapitalized.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Classic.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Numbered.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$rd2013BW.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicStylish.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicSimple.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Capitalized.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWClassic.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWNumbered.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Word2013BW.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$ntered.dotx	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Rarqxqlarwy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4640	4228	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eihb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rarqxqlarwy.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1504	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
568	WINWORD.EXE
568	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe
1724	Panel.exe
5108	Panel.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1708	7zFM.exe
Token: 35	1708	7zFM.exe
Token: SeSecurityPrivilege	1708	7zFM.exe
Token: SeSecurityPrivilege	1708	7zFM.exe
Token: SeDebugPrivilege	1848	Kurome.Host.exe
Token: SeDebugPrivilege	4228	Eihb.exe
Token: SeDebugPrivilege	4212	Rarqxqlarwy.exe
Token: SeDebugPrivilege	2752	svchost.exe
Token: SeDebugPrivilege	5108	Panel.exe
Token: SeDebugPrivilege	2752	svchost.exe
Token: SeDebugPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe
Token: SeIncBasePriorityPrivilege	1724	Panel.exe
Token: 33	1724	Panel.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1708	7zFM.exe
1708	7zFM.exe
1708	7zFM.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5108	Panel.exe
1724	Panel.exe
568	WINWORD.EXE
568	WINWORD.EXE
568	WINWORD.EXE
568	WINWORD.EXE
568	WINWORD.EXE
568	WINWORD.EXE
568	WINWORD.EXE
568	WINWORD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4212	2148	Krumo.Loader.exe	85
PID 2148 wrote to memory of 4212	2148	Krumo.Loader.exe	85
PID 2148 wrote to memory of 4212	2148	Krumo.Loader.exe	85
PID 2148 wrote to memory of 4228	2148	Krumo.Loader.exe	87
PID 2148 wrote to memory of 4228	2148	Krumo.Loader.exe	87
PID 2148 wrote to memory of 4228	2148	Krumo.Loader.exe	87
PID 2592 wrote to memory of 5108	2592	Panel.exe	89
PID 2592 wrote to memory of 5108	2592	Panel.exe	89
PID 2592 wrote to memory of 2752	2592	Panel.exe	90
PID 2592 wrote to memory of 2752	2592	Panel.exe	90
PID 2752 wrote to memory of 1504	2752	svchost.exe	95
PID 2752 wrote to memory of 1504	2752	svchost.exe	95
PID 5108 wrote to memory of 1724	5108	Panel.exe	97
PID 5108 wrote to memory of 1724	5108	Panel.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RedLine Stealer.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4908

C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe
"C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe
  "C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\Eihb.exe
  "C:\Users\Admin\AppData\Local\Temp\Eihb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1760
    3⤵
    - Program crash
    PID:4640

C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe
"C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1724
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4228 -ip 4228
1⤵
PID:1244

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\chromeBrowsers.txt
1⤵
PID:1900

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RedLine Stealer\Panel\FAQ.txt
1⤵
PID:3244

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RedLine Stealer\Panel\FAQ (English).docx" /o ""
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:568

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

Filesize
306B

MD5
33f89887a1b3559f9c8fe974b797212a

SHA1
e33f9884f22fde8d27b30ec05885d8736a110220

SHA256
adc0a94f591acdf86ae9fc01bc4b83fcd4dfb57aadc85b9e0041e7e5a59ccbd4

SHA512
6eab2ddfb4429089e85186d6a1197dd231e515b9557b94fabd90ee47976efc817ce762420657da5a37f57ef6787f1c48fbfb314304265f44cec234facbea86fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B0E404CB-20EB-4EDA-B9E4-4AA80ECFD5CC}.tmp

Filesize
1024B

MD5
5d4d94ee7e06bbb0af9584119797b23a

SHA1
dbb111419c704f116efa8e72471dd83e86e49677

SHA256
4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

SHA512
95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eihb.exe

Filesize
118KB

MD5
677073949945ca09fe971682561c5f11

SHA1
cb33238550faa82cb5d3b5e4116a8c721a4fc96c

SHA256
571d22f4659932c89344baf33e0e53dcb790fa9cb196ad7a937ce17f567f5062

SHA512
006c596edb2c6cef589319917c70531e0672cd8831a4d6852c0641e9cc9a90d351f687884da67a02055706c334e94b68a17c8a0cf9f6041b633f8f85cd9185f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rarqxqlarwy.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD642D.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
80KB

MD5
84bec3b8c6db81ad3f26c2796b02a2b5

SHA1
7b3e8f34510e196754eb6a21812d96976a24c351

SHA256
263251f3218d9e250a8a741ecfa1c5182030d75b75dac3314bdde8c050b2e301

SHA512
5690eb7c9dde782ef635edbcf1beab61166bcc651f00334ae1b3554af56b5455c5486c5dc0a70cb7e5bb72bc9742ec77be450ff0f4d5fcdd984e52f9db87aed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
420B

MD5
e2787a856cc5c793d0ce6ceed689d17f

SHA1
ec5f918399d727b9add6e1ababa9b3403fe9e67f

SHA256
b05aba0335bb80150b25d39c1c74321505d4778f7309e23c3475048610b3e230

SHA512
5b89c48adb81f5e400b2e5ec0de6b85ab800c5f9283d81b0c76833cdd5cdf741a7e699d40f226318ab4b6fa3f684ffcf4a5a75c53a69e84216b602f5ed44b2d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
a8b1ea92c39e3bcf8064afcdd4c25c36

SHA1
04278c8b5d714b3b6553473d67481cb5197a49b5

SHA256
6899d2b3e9184b8c7141aad52469738a050a7220b90150b095af1169c083df44

SHA512
88160250362c32397d5b2f9ee994d7c3717d7eb6e85de80da010163ce889747b0a261d5684c63b7f05e45858dc2ae8dfa7dbddc82cc8cd745cfbf6198e08d703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
518a3daa1dafbed45cf788ed35f1a162

SHA1
a5c593ca07df8e8eff11c5b8157ffe7df946df6c

SHA256
74e4519a78abaf3850f26ad7b2ef5c705d7f765279734664a4c0cf502f8ce765

SHA512
47f53b798932ebe47e2152711bdcbfa7560bee6e3cdecdbeda60cc808dceef5c23ca0ef45b0d0621c2728827c18b72cbf4933d5070e301da0ec633953f7b4dfc

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.Host.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Kurome.Loader\Krumo.Loader.exe

Filesize
2.2MB

MD5
eac11bc16c0fda030e431a794119473f

SHA1
7ccff2bbb88f35e6cee7c58ec264abee962aa556

SHA256
8fb55b92f639950c9bbc3c3920a5780ca2d58100e03388d4568dfb48b006372e

SHA512
72ae606ca6267cd1ee9dc4f339367d969dd5ee419d91faa757023cb3d3104f0d2eb55ba83208a308bdc5cfcd6d75b7c3fc9966a87d2e77d2f3ab3f87bfb28d25

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Panel\FAQ (English).docx

Filesize
30KB

MD5
a973ea85439ddfe86379d47e19da4dca

SHA1
78f60711360ddd46849d128e7a5d1b68b1d43f9f

SHA256
c197833a3fd69e98fbf2b02e9da232ff2867e1e684d420fd3975188c0e0e202b

SHA512
4a3fad33cccb15ea2d98bc30141744ba6709afec52d429ac0916aa656f4b611fdeda4b37812f0a72b90de000fc5c0f95bb445e5df67fc4ba6f93de5ce55df510

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Panel\FAQ.txt

Filesize
19KB

MD5
53fc20e1e68a5619f7ff2df8e99d42c4

SHA1
7a8ddc81d16aaab533411810acfad1546c30dc2f

SHA256
fc7ceb47aa8796614f098406452ea67cb58929ded1d4c6bd944d4d34921bba0b

SHA512
c1ad4f2dfd50528d613e9fe3f55da0bbb5c8442b459d9c3c989b75014c827306f72f2eb6ecbcd92ff11546e12087c09685b12a7dc258c5ea85c15ba5cc002d8c

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe

Filesize
9.4MB

MD5
31fa09a4239fb382ab8be3c30fb35f2f

SHA1
c31a3400a47a9c47e051b5f7d2f8f9e6346a121b

SHA256
ebf94a98b7f5016ddfb9c7b13a689f0c71e8b6b65c495fbd093cc874e3bb86e4

SHA512
36fd6ea03ff46b490d901bcca543d85c74fe3a02145f65b07eb2a1c4c491c48aa80e90ba98f5a5ee0a0f3c9933f27c72d42d7f71f2095b2ef74dc9e9c7ed8fe5

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\Panel.exe.config

Filesize
26KB

MD5
494890d393a5a8c54771186a87b0265e

SHA1
162fa5909c1c3f84d34bda5d3370a957fe58c9c8

SHA256
f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7

SHA512
40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395

Download Submit
C:\Users\Admin\Desktop\RedLine Stealer\Panel\Panel\chromeBrowsers.txt

Filesize
2KB

MD5
5c06977f634c911382ca6f6107a8489a

SHA1
645062b6f09924255cd1c2c98265bacfee3f2371

SHA256
92308e2b67aa3c6989d5d744ac51faafb40886e6863adb933a3cf2e9beba0737

SHA512
19c9e324314725038a39b0e596e537b5937954f7358c56cddc25c51fdd9ef10346d77ce5c7a0703db854c9aa232dcef1bdcd16411937d526a080dd87a3793e28

Download Submit
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
memory/1724-4026-0x0000000020990000-0x00000000209A2000-memory.dmp

Filesize
72KB

Download
memory/1724-4054-0x0000000020A30000-0x0000000020A6A000-memory.dmp

Filesize
232KB

Download
memory/1724-4368-0x0000000021480000-0x00000000214B0000-memory.dmp

Filesize
192KB

Download
memory/1724-4040-0x00000000209D0000-0x00000000209E2000-memory.dmp

Filesize
72KB

Download
memory/1724-4024-0x0000000020840000-0x0000000020940000-memory.dmp

Filesize
1024KB

Download
memory/1724-4025-0x0000000020950000-0x000000002098C000-memory.dmp

Filesize
240KB

Download
memory/1724-4023-0x0000000020220000-0x0000000020838000-memory.dmp

Filesize
6.1MB

Download
memory/1724-4069-0x0000000020B20000-0x0000000020BD0000-memory.dmp

Filesize
704KB

Download
memory/1724-4103-0x0000000020CC0000-0x0000000020D34000-memory.dmp

Filesize
464KB

Download
memory/1724-4366-0x0000000021DC0000-0x0000000021E0F000-memory.dmp

Filesize
316KB

Download
memory/1724-4117-0x0000000024960000-0x00000000249AA000-memory.dmp

Filesize
296KB

Download
memory/1724-4367-0x0000000024DB0000-0x0000000024EBA000-memory.dmp

Filesize
1.0MB

Download
memory/1724-4022-0x000000001F8C0000-0x000000001F8DA000-memory.dmp

Filesize
104KB

Download
memory/1724-4118-0x0000000024910000-0x0000000024960000-memory.dmp

Filesize
320KB

Download
memory/1848-80-0x0000000005220000-0x0000000005248000-memory.dmp

Filesize
160KB

Download
memory/1848-79-0x00000000054A0000-0x00000000055AA000-memory.dmp

Filesize
1.0MB

Download
memory/1848-65-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/1848-66-0x0000000000690000-0x00000000006B4000-memory.dmp

Filesize
144KB

Download
memory/1848-71-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/1848-70-0x0000000004FA0000-0x0000000004FC6000-memory.dmp

Filesize
152KB

Download
memory/1848-114-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/1848-113-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/1848-73-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/1848-72-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/1848-74-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/1848-81-0x0000000005390000-0x00000000053E0000-memory.dmp

Filesize
320KB

Download
memory/1848-75-0x0000000005170000-0x00000000051AC000-memory.dmp

Filesize
240KB

Download
memory/1848-76-0x0000000005090000-0x00000000050DC000-memory.dmp

Filesize
304KB

Download
memory/1848-78-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/1848-77-0x00000000052C0000-0x000000000538E000-memory.dmp

Filesize
824KB

Download
memory/2148-84-0x0000000000380000-0x00000000005C0000-memory.dmp

Filesize
2.2MB

Download
memory/2592-123-0x000000001C510000-0x000000001C68C000-memory.dmp

Filesize
1.5MB

Download
memory/2592-119-0x00000000009C0000-0x0000000001336000-memory.dmp

Filesize
9.5MB

Download
memory/2592-121-0x000000001C1A0000-0x000000001C502000-memory.dmp

Filesize
3.4MB

Download
memory/2592-122-0x000000001BED0000-0x000000001BF6C000-memory.dmp

Filesize
624KB

Download
memory/2752-2080-0x000000001D200000-0x000000001D266000-memory.dmp

Filesize
408KB

Download
memory/2752-2084-0x000000001D570000-0x000000001D7F6000-memory.dmp

Filesize
2.5MB

Download
memory/2752-2082-0x000000001D270000-0x000000001D2D6000-memory.dmp

Filesize
408KB

Download
memory/2752-147-0x00000000004F0000-0x000000000050A000-memory.dmp

Filesize
104KB

Download
memory/4212-110-0x0000000000D00000-0x0000000000F36000-memory.dmp

Filesize
2.2MB

Download
memory/4212-111-0x0000000007E60000-0x0000000008470000-memory.dmp

Filesize
6.1MB

Download
memory/4228-108-0x0000000000460000-0x0000000000484000-memory.dmp

Filesize
144KB

Download
memory/4228-109-0x00000000054C0000-0x0000000005A66000-memory.dmp

Filesize
5.6MB

Download
memory/5108-177-0x000000001DAA0000-0x000000001DBE2000-memory.dmp

Filesize
1.3MB

Download
memory/5108-199-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/5108-173-0x000000001DAA0000-0x000000001DBE2000-memory.dmp

Filesize
1.3MB

Download
memory/5108-200-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/5108-202-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/5108-204-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/5108-213-0x00007FF9FFA50000-0x00007FF9FFB9F000-memory.dmp

Filesize
1.3MB

Download
memory/5108-212-0x000000001DBE0000-0x000000001DBEA000-memory.dmp

Filesize
40KB

Download
memory/5108-161-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5108-240-0x000000001F400000-0x000000001F41C000-memory.dmp

Filesize
112KB

Download
memory/5108-219-0x000000001F160000-0x000000001F1F2000-memory.dmp

Filesize
584KB

Download
memory/5108-218-0x000000001E9B0000-0x000000001EF56000-memory.dmp

Filesize
5.6MB

Download
memory/5108-172-0x000000001DAA0000-0x000000001DBE2000-memory.dmp

Filesize
1.3MB

Download
memory/5108-162-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5108-164-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5108-166-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5108-168-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5108-148-0x00007FF9F22F0000-0x00007FF9F2DB2000-memory.dmp

Filesize
10.8MB

Download
memory/5108-150-0x000000001AC10000-0x000000001ADB0000-memory.dmp

Filesize
1.6MB

Download
memory/5108-151-0x000000001AC10000-0x000000001ADB0000-memory.dmp

Filesize
1.6MB

Download
memory/5108-152-0x000000001AC10000-0x000000001ADB0000-memory.dmp

Filesize
1.6MB

Download
memory/5108-185-0x000000001DE70000-0x000000001DFB2000-memory.dmp

Filesize
1.3MB

Download