redline

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_49b72743681e7a6aaf7750fe6389c416a22101624b6b5fd9dbe9788faf0dace5
Size

67.8MB
Sample

241230-2h5vpssjgk
MD5

0010ad9c257e03162e8319ca88c6c65b
SHA1

0d4ac42550ca4f34349a24dfe84bb3aa3d7d7e44
SHA256

49b72743681e7a6aaf7750fe6389c416a22101624b6b5fd9dbe9788faf0dace5
SHA512

76f3adf72dfbaed0392dccec0e206aa0034eae5350d61f49f38c2f866172ae736b299d0009ca16fb90744fddf158f654e92c6f82e53939d7a295c271e1f808ef
SSDEEP

1572864:hqe1UJUU5rG7A2X95pxTBplRI7s0gcoES20Nci8EgMr:qmi8A27/o7sbEmNci8E

Score

10^/10

Malware Config

Targets

- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Builder/Kurome.Builder.exe
- Size
  
  473KB
- MD5
  
  a2dea5e5eae84e32bc4dc3c6789d7939
- SHA1
  
  d31ec0c15ca50e4663b39be351c8562269a065b2
- SHA256
  
  c747032f12707103c70dccd112c51eacb8151e4b401a54a2b6fed2a4aad800bd
- SHA512
  
  60dd889f5c3ed3a3fc1e42cd072590eeb344e34d6a2a693d45cac51914b75f1bda8931c7025b2366f4cdc4ecdad1fc6bf77eb0daf43e551e2f795e6b9f44ae1a
- SSDEEP
  
  12288:D5Hisa3jCsD6y0ch0C3wwILMeKSdlKHHV:DhijmWHphX3wyeK6Y1
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Builder/Mono.Cecil.Mdb.dll
- Size
  
  42KB
- MD5
  
  1c6aca0f1b1fa1661fc1e43c79334f7c
- SHA1
  
  ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d
- SHA256
  
  411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b
- SHA512
  
  1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76
- SSDEEP
  
  768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS
Score

1^/10
behavioral3 behavioral4
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Builder/Mono.Cecil.Pdb.dll
- Size
  
  87KB
- MD5
  
  6d5eb860c2be5dbeb470e7d3f3e7dda4
- SHA1
  
  80c76660b87c52127b1a7da48e27700f75362041
- SHA256
  
  447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4
- SHA512
  
  64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5
- SSDEEP
  
  1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO
Score

1^/10
behavioral5 behavioral6
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Builder/Mono.Cecil.Rocks.dll
- Size
  
  27KB
- MD5
  
  6e7f0f4fff6c49e3f66127c23b7f1a53
- SHA1
  
  14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a
- SHA256
  
  2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e
- SHA512
  
  0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e
- SSDEEP
  
  384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd
Score

1^/10
behavioral7 behavioral8
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Builder/Mono.Cecil.dll
- Size
  
  350KB
- MD5
  
  de69bb29d6a9dfb615a90df3580d63b1
- SHA1
  
  74446b4dcc146ce61e5216bf7efac186adf7849b
- SHA256
  
  f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc
- SHA512
  
  6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015
- SSDEEP
  
  6144:jIevdbLPNYe8bikm98KXPHhOWY/fFREomhUFD3z:se1PNL+QRfBg/f/EWFD
Score

1^/10
behavioral10 behavioral9
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Builder/stub.dll
- Size
  
  96KB
- MD5
  
  625ed01fd1f2dc43b3c2492956fddc68
- SHA1
  
  48461ef33711d0080d7c520f79a0ec540bda6254
- SHA256
  
  6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b
- SHA512
  
  1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665
- SSDEEP
  
  1536:9G6ijoigzKqO1RUTBHQsu/0igR4vYVVlmbfaxv0ujXyyedOn4iwEEl:BSElHQ/ORUYos0ujyzdZl
Score

10^/10

redline sectoprat discovery infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
behavioral11 behavioral12
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Host/Kurome.WCF.dll
- Size
  
  123KB
- MD5
  
  e3d39e30e0cdb76a939905da91fe72c8
- SHA1
  
  433fc7dc929380625c8a6077d3a697e22db8ed14
- SHA256
  
  4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74
- SHA512
  
  9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8
- SSDEEP
  
  3072:9mWO8dR1mB5UzPU7vdTm8pLetBD0PQbP1:g2dL8ewbJnpBe
Score

1^/10
behavioral13 behavioral14
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Host/dr-farfar.com.exe
- Size
  
  119KB
- MD5
  
  4fde0f80c408af27a8d3ddeffea12251
- SHA1
  
  e834291127af150ce287443c5ea607a7ae337484
- SHA256
  
  1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb
- SHA512
  
  3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5
- SSDEEP
  
  3072:KEdjrOO8+K46SgVE+mxzqT67iLRi/Gj81GUpYb:KjQjgPmxzq27iLRiuAPp
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Kurome.Loader/Kurome.Loader.exe
- Size
  
  2.2MB
- MD5
  
  a3ec05d5872f45528bbd05aeecf0a4ba
- SHA1
  
  68486279c63457b0579d86cd44dd65279f22d36f
- SHA256
  
  d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e
- SHA512
  
  b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e
- SSDEEP
  
  49152:KSmo0SdsEoRykUuulqasMwMcdZa9FHeXXGFr3sylP2/BQ7MWV:lm7UQRyksl9cXwFHeX2t8y21
Score

4^/10

discovery
behavioral17 behavioral18
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Panel/RedLine_20_2/FAQ (English).docx
- Size
  
  30KB
- MD5
  
  a973ea85439ddfe86379d47e19da4dca
- SHA1
  
  78f60711360ddd46849d128e7a5d1b68b1d43f9f
- SHA256
  
  c197833a3fd69e98fbf2b02e9da232ff2867e1e684d420fd3975188c0e0e202b
- SHA512
  
  4a3fad33cccb15ea2d98bc30141744ba6709afec52d429ac0916aa656f4b611fdeda4b37812f0a72b90de000fc5c0f95bb445e5df67fc4ba6f93de5ce55df510
- SSDEEP
  
  768:oi87zWNuZn3IZElFoL+goT2Ir9259IQ+409:oi8mQnXFoigoRr9aIvX9
Score

4^/10

discovery
behavioral19 behavioral20
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Panel/RedLine_20_2/FAQ(RUS).docx
- Size
  
  51KB
- MD5
  
  aa9534a22d08fb17b6c50164ca226aba
- SHA1
  
  9d68e6e4b0ea3c41ad7f70733dc53628962765ce
- SHA256
  
  e3f9590d0a28e8f17d40f9a5a5489a963c6d5e722a324adf0d1d666ea424c89f
- SHA512
  
  a4290cf0f3ecbb25078a0d3f870ed6abcab83d831e107f59730cf5fbdbc0268ac831d8f31f18a08794e27e51ba302ecb5bdd4bac85f3887844ed881c363bb8b9
- SSDEEP
  
  1536:YmF2FkS3yM0Yj3ePetyogAcLrANZLI3dakgXeV:YNFkGem74Lr+k3v7V
Score

4^/10

discovery
behavioral21 behavioral22
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Panel/RedLine_20_2/Panel/Panel.exe
- Size
  
  9.3MB
- MD5
  
  f4e19b67ef27af1434151a512860574e
- SHA1
  
  56304fc2729974124341e697f3b21c84a8dd242a
- SHA256
  
  c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
- SHA512
  
  a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77
- SSDEEP
  
  196608:mJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVI1SM52n3iWuUZ/c1sxXoP3p:mJQaPHrQqXs140qMhu8369sV+HLz9SKI
Score

10^/10

redline infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral23 behavioral24
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Panel/RedLine_20_2/Tools/Chrome.exe
- Size
  
  1.1MB
- MD5
  
  92cfeb7c07906eac0d4220b8a1ed65b1
- SHA1
  
  882b83e903b5b4c7c75f0b1dc31bb7aa8938d8fa
- SHA256
  
  38b827a431b89da0d9cdd444373364371f4f6e6bf299e7935f05b2351ca9186c
- SHA512
  
  e2ee932f5b81403935a977f9d3c8e2e4f6a4c9a1967b7e1cf61229a7746a24aae486ac6b779fb570f1dff02a3ff30107044f0427ce46474b91d788c78c8fcfbf
- SSDEEP
  
  24576:q6JGMnMpfVArKlhbP6GFibQC1QSvKZHHf1FqbI4Cn:47/MPGFibsSipHubPa
Score

6^/10

discovery persistence privilege_escalation spyware stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral25 behavioral26
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Panel/RedLine_20_2/Tools/NetFramework48.exe
- Size
  
  1.4MB
- MD5
  
  86482f2f623a52b8344b00968adc7b43
- SHA1
  
  755349ecd6a478fe010e466b29911d2388f6ce94
- SHA256
  
  2c7530edbf06b08a0b9f4227c24ec37d95f3998ee7e6933ae22a9943d0adfa57
- SHA512
  
  64c168263fd48788d90919cbb9992855aed4ffe9a0f8052cb84f028ca239102c0571dfaf75815d72ad776009f5fc4469c957113fb66da7d4e9c83601e8287f3d
- SSDEEP
  
  24576:MGHL3siy9J0/SmtLvUDSRbm4Jah1rVxL+iTOhYdeM+GkdnddMF2ScVC3oKNVpNXo:RL3s7mKeTUDBzrVxxOhYdeMinddG2lCK
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral27 behavioral28
- Target
  
  RedLine Stealer V20.2 CRACKED/RedLine_21_1_crack/Panel/RedLine_20_2/Tools/WinRar.exe
- Size
  
  3.2MB
- MD5
  
  b66dec691784f00061bc43e62030c343
- SHA1
  
  779d947d41efafc2995878e56e213411de8fb4cf
- SHA256
  
  26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370
- SHA512
  
  6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3
- SSDEEP
  
  98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8
Score

1^/10
behavioral29 behavioral30
- Target
  
  RedLine Stealer V20.2 CRACKED/Themida/Themida.exe
- Size
  
  26.5MB
- MD5
  
  1f98c492872020543e4c944bbc6c39d7
- SHA1
  
  9766f47c7f67fa04bb3439a877b705910e3e5ac5
- SHA256
  
  5e1b00d4486377d56afe7ff819dbec01d9aa2f2c27e9b9dc7ee48d22b58dc175
- SHA512
  
  e30b3d7bb95c14c57f00bbed6daa87d4c64167d980cd9f5e9e055ddfd98c0089521edb900acb67f05ec31ed6599fca8420c4697dbb3b6f58ac0750c783fa4253
- SSDEEP
  
  393216:uFFoqa6Fyb4NdjjzzYkFpWNkovt9QwPnoUuJLYtVFzvCtd8BIZrp/ta7zF0+y2Ch:u/9Nd3zckFAnVawPnMatVFzatdpR4Pbe
Score

9^/10

bootkit discovery evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral31 behavioral32