redline | b5cd68d3b2d6e79a5d15fa737dfae474a39aa7910759f7ca28bc1d9804359a44

Analysis

max time kernel
203s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-12-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skibidi.rar
Size

35.9MB
MD5

ea3f5a9a0a1656e048a2640ca4007481
SHA1

3169637282b23fa49c4e5c6f3645157ab24722c7
SHA256

b5cd68d3b2d6e79a5d15fa737dfae474a39aa7910759f7ca28bc1d9804359a44
SHA512

ddd96a0857d5ba3041960eb565ee79990fd6d28d7438865e3400fadbf4446c2034f79bc0dc0787dd3d675bc8b9c6607b468747bf161a06a752cf17f3a9f6cd79
SSDEEP

786432:pwssBHZtEPztNd1SzC4lqjAbYciGOARzXT/zA9kz:pzatEPJN/LkbTHj/7z

Score

10^/10

redline skibidi discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

skibidi

127.0.0.1:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001900000002abd5-114.dat	family_redline
behavioral1/memory/4008-116-0x00000000001C0000-0x0000000000214000-memory.dmp	family_redline
behavioral1/files/0x001900000002ac14-128.dat	family_redline
behavioral1/memory/6060-130-0x0000000000670000-0x00000000006C2000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2888	Panel.exe
2156	Panel.exe
4008	RedlineBuilder.exe
5828	RedlineBuilder.exe
6060	build.exe

Loads dropped DLL 4 IoCs

pid	Process
4008	RedlineBuilder.exe
4008	RedlineBuilder.exe
5828	RedlineBuilder.exe
5828	RedlineBuilder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedlineBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedlineBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 7e003100000000009e59fb9111004465736b746f7000680009000400efbe4759d35e9e59fb912e000000365702000000010000000000000000003e00000000004f38ab004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "9"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000004759cd64100041646d696e003c0009000400efbe4759d35e9e59fa912e0000002c570200000001000000000000000000000000000000610ef100410064006d0069006e00000014000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "8"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = a4003100000000001659947d10005245444c494e7e312e3243520000880009000400efbe9e59fa919e59fb912e000000ceab020000001d000000000000000000000000000000fb7f00005200650064006c0069006e006500200053007400650061006c006500720020007600330030002e003200200043007200610063006b00650064002000420079002000400044007200630072007900700074003000720000001c000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 50003100000000009e592692100050616e656c003c0009000400efbe9e59fb919e5928922e000000d6ab0200000019000000000000000000000000000000dd50eb00500061006e0065006c00000014000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000761c76aeaf18db01b1b0abdce65adb01b1b0abdce65adb0114000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	Panel.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe
2888	Panel.exe
2156	Panel.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3500	7zFM.exe
2156	Panel.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3500	7zFM.exe
Token: 35	3500	7zFM.exe
Token: SeSecurityPrivilege	3500	7zFM.exe
Token: SeDebugPrivilege	2888	Panel.exe
Token: SeDebugPrivilege	2156	Panel.exe
Token: SeDebugPrivilege	6060	build.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3500	7zFM.exe
3500	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2156	Panel.exe
2156	Panel.exe
2156	Panel.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2156	2888	Panel.exe	84
PID 2888 wrote to memory of 2156	2888	Panel.exe	84
PID 4604 wrote to memory of 5828	4604	cmd.exe	90
PID 4604 wrote to memory of 5828	4604	cmd.exe	90
PID 4604 wrote to memory of 5828	4604	cmd.exe	90

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\skibidi.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4672

C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Panel.exe
"C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Panel.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Panel.exe
  "C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Panel.exe" "--monitor"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2156

C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\RedlineBuilder.exe
"C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\RedlineBuilder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\builder.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\RedlineBuilder.exe
  RedlineBuilder.exe -ip 127.0.0.1:1912 -id skibidi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5828

C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\build.exe
"C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\build.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RedlineBuilder.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
0f8e64367769b65de64d49cd3ef04d59

SHA1
ac42a08d8649b8f3e8dc5d52af3861e630765a79

SHA256
d977d37005b795ddcd6eb4ea2012e230fc9c003a2a31165603caf460998bb014

SHA512
074aed7e3668536e96ce38c966c392592ba62cb1141d1f921545d068edf864e3cbea510e91b0daf598268b01227544c963f1ceee452c3626f504bae104d7f86a

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Data\1.dat

Filesize
2B

MD5
9dd94c5a4b02914af42e8e6372e0b709

SHA1
00b28ff06b788b9b67c6b259800f404f9f3761fd

SHA256
102b51b9765a56a3e899f7cf0ee38e5251f9c503b357b330a49183eb7b155604

SHA512
339b79f6d19cf61077170a07d99f38c69774a592079678525e2a86316ce6d1c11a18fa26ef4f52ca8e85764e8d7bf2cc4bfa176246e5c11eb69a819173ec1fc6

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\GuiLib.dll

Filesize
50KB

MD5
42d66964ee6b3aa7710f07803f2e9565

SHA1
1af7fdf8b45f0003810c3b0c13e982c5c865d557

SHA256
05e0e8394154edf4366d6af144934a7014a0ad06f571dfd1e132d7099c8118e9

SHA512
311cd9febd10db76e101a059410ddc4af35916ac88dda0719dd5e4f2473bcc8485161da576f9512f73716258e19f53b61515875ad0c590d1c8854ccfb525d8eb

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\IPLocator.dll

Filesize
34KB

MD5
c8b0ac355a4eccd2390775fd4f2f72bc

SHA1
a56a296cf3a9b82a02db244a4112954b2f79f59e

SHA256
0d1dc8a4030f457fd6323b3646f1ad8e062e2afb17845a6ffa29795dc618bb4d

SHA512
73e5dc0f863ce8f17bdc9166cdae0b35f115c1f4cc247be0c07d8dd2e8dba19c24827ce1989136247732cd28380b89eb843d736f67f93304bce7adf546558621

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\MetroSet UI.dll

Filesize
436KB

MD5
5aeea45913eb8475077a9547d7d3f2f3

SHA1
09931075a4fdffe7b051df6d3bc5b4a0bacdf019

SHA256
ef2a67849fbe0f1c99263bf0acfddf15a1b3668e49fd9d35868e147d8a4c8c73

SHA512
3f3ba1d117784aca8d6abfe84e9275da425fd23982aa1ce9af760a9e5d7cd5e9dc2e36a36cc6e190cb91e8b2c8888881cfd8feeb85c3249185d61273a1a1e0ff

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Newtonsoft.Json.Schema.dll

Filesize
208KB

MD5
260a18bcc6d697d5c9f42299f2f34195

SHA1
de566fe1aa6d98310ddfa9d0773d1bdf47675c37

SHA256
b3cc57a64a89017c294927d93a24d10e5863287cdf32bd0f173386d3caebf5a8

SHA512
0451e2027ce21d1e7ed5267917b49c27f1e264ef58512d489da5d4359b62ceb7971ab2adec569a0626d9bcdeeae1f1f4744b5d0c8e1158a2af70c1e03d2cae29

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Newtonsoft.Json.dll

Filesize
683KB

MD5
6815034209687816d8cf401877ec8133

SHA1
1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

SHA256
7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

SHA512
3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Panel.exe

Filesize
12.1MB

MD5
85afedf22ca7d0561be4443e854459a7

SHA1
1fec08de68672a302f0df40ff30b22cee4d18057

SHA256
130a2379f8f07cec2cd9935bdf67bfcfbb977327f89f017dc16f19efc871d864

SHA512
e5229c4e67bc7d4ef8b53c94cfd017833797ecb52a93d71e9770ae50aaaa8e3e6c9b6433389f85255c2fe92bf94bdf1f6d1c49a01ac0809d7c8ccdb8c07dce03

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Panel.exe.config

Filesize
26KB

MD5
14c52be5c2f2e05b34c971ab1c5a1f6e

SHA1
ca6af3aeef6b4f7d0b9d9199b985251d29aa65e2

SHA256
46de03cb4b125529c7aaf6024d3a287fb7c01bc5514664aae89d1a2f05af951a

SHA512
9266c85eb86115eef864e18bc46a5d2aae82e81ddbffc1589bad308ab1f7122d8a92bb5260e957a97350190bcaad27e93ad2bc1f7db1aaddc1c44a80dc728108

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\Pluralsight.Crypto.dll

Filesize
45KB

MD5
4ae6096005c37982c8b0c7b465d88da5

SHA1
93486afd78d1dba82722bee3ff7661e4740b9f05

SHA256
e3e598d322d72e6b717f6753d02d8f98a5436e884adbc0cc383e7a39a3c35b04

SHA512
86b52ab17120ec7c2941b7598c2b90ed8bce6f4c11a5c3e6e026c60f976ed58b042a8495c16f2a6a4dee8463da788a90ff6008069a133f566862afcc8ab65642

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\WindowsFirewallHelper.dll

Filesize
73KB

MD5
a37d8988990b3843182c51f1b9e5be4c

SHA1
d91b359403b3522cf718114174791b7b5c4de508

SHA256
2d8800d0ab20711af316fca20244cc06261a15021b2a78ac3ec6bd489f352594

SHA512
90776764006741cf54d1e29796de19f01845148bd1f9770ebc9205e02fd53987a0250f0c23409acd8bea573cfcbc48b6b7614e7726d484f1ab64682740f392a6

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\chromeBrowsers.txt

Filesize
3KB

MD5
ce263849ccf1bd916ca9411ff64a8046

SHA1
a57c69b2106e435e475cc4c521f0166e61689a14

SHA256
f951c11f45e96d43485b5a50b72a43c0c0ed410e403bde455f7903b6c5a1ff54

SHA512
9b23d1d55da607049da0ebb761924615d9dae00285c99e71dd41270a199d8249720c7aa2954632234f52f581c44993eec890a3a9e594886d5c6a52fd8bcd97e7

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\geckoBrowsers.txt

Filesize
893B

MD5
7acfc05fb47837933bca36a9fed6e7b3

SHA1
ee61de35b868bf6dec9180c249b32b032c6d2a85

SHA256
2d3619e8a8ddea523fff7c7dea9c0ade411b30ddccbe4d5874f5daf4e4b8b347

SHA512
8ad62e937b812f1cecf2548de0b13c557a30a54e5c3aeb49f12109a26d485918509a66cc47394fa9333639a8fd4b727f2a0aa5d4ff5f34bd0f8fb7033ea04e0f

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\panelSettings.json

Filesize
5KB

MD5
0f43a002a97d3a03b2658ba7000d1672

SHA1
1ba88b274096631c64a0dda4e4ae6b4b4591cb87

SHA256
577c144d5647b89f86d51e6e579af069d5516c2c1c9d7af5d36912713ec9cf03

SHA512
1f02d5321d00ba0e79e46b07cbdd1fb55193acdc25862aa5ab37c147732e379dc1c84554f6448281b4336c1612a5cf6ba10ba845ebae256b85746427368b27dc

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\panelSettings.json

Filesize
5KB

MD5
346419d2a3f9f87e978adf74e99b61f7

SHA1
8dce4be68e65729c10c152fc9106117b49da8554

SHA256
f98125103ff50480a43581c4151f7b860595aaf4e91e781c4526916964ea3ced

SHA512
3dca4d30ac090f55d29157ebd1cb9885a2e2786eaa14c26f69a5f758ad82fa29d40e2ff7ba6c3999c251ba83225435ebbdccc8019bfceef54769e99dd25a4c1c

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\protobuf-net.dll

Filesize
274KB

MD5
d16fffeb71891071c1c5d9096ba03971

SHA1
24c2c7a0d6c9918f037393c2a17e28a49d340df1

SHA256
141b235af8ebf25d5841edee29e2dcf6297b8292a869b3966c282da960cbd14d

SHA512
27fb5b77fcadbe7bd1af51f7f40d333cd12de65de12e67aaea4e5f6c0ac2a62ee65bdafb1dbc4e3c0a0b9a667b056c4c7d984b4eb1bf4b60d088848b2818d87a

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\serviceSettings.json

Filesize
73B

MD5
f9d5b6cb3abf194a7d4174fb5114fc24

SHA1
b62700cf1b734926f14d9b05382270c4f868b181

SHA256
ae0f138e5860dc597e29566588fc9e64df46fc4407591bb549fbd642eab0f6c7

SHA512
96464a563b524ecb32154b4180772e3b6af5935684818b5f0b9f38f63c458f71498bce775c78db3bc7c279ee7dcf86d013f51f61cd8df4b23e426bd907f08c7d

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\stats.json

Filesize
174B

MD5
0f91aea181cd167baad6ef0f2f07176d

SHA1
924f29e47a17e4933a4d8db2627344657acbca20

SHA256
60f69cf6704a36cfdb8ca2b1304db90b8dc60ff1364ff225c9c97c928b4577cf

SHA512
025ecaaeb9972978792c86a5c5f0d4aa53dfcaf30ea867808cd398ed7ab1acf53e179393aeab0424bd23115fc267723d4fcb70107347fbb8ad3f1ff8e9c3d3dd

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\telegramChatsSettings.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\Panel\walletParserConfig.json

Filesize
2KB

MD5
d42a185229f8b38eca9b0d1f143ed144

SHA1
06e25fa0e585c2706760a85bbcdad198c8c505c0

SHA256
1477eb8fb1c3bb4b8357a89ad7100bc7bfac8f9ce8cd67f7ffdbb83df3b8436d

SHA512
479796e3ac87d5cf26ce55233538edc4602fab18b20faf49f1583798ada7a27210a768ab8492ef27d008e570d89ce35e716b2f87ff9a672bf4fdeed3bfbeeefd

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\RedlineBuilder.exe

Filesize
308KB

MD5
128cbb0f113189a8af347f14cb223357

SHA1
7472ff8bcf4b6ab90e30ec0352f0ecb44c655cf7

SHA256
a392dc6ad27dbc999aef5db8efaa63a65e570ca3bff7a79c5053ce7b7ba41a0e

SHA512
1bddf607e1e8ef32d39e16fcb9d9d87573f61ceee9a898c287ad236beaea818b223a28196395145a7b3eca5883e5da5b3a3dc0273fd66d64e103c24739868b35

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\build.exe

Filesize
300KB

MD5
df9658b4eaf1d15c69832992aa6d0a91

SHA1
7bac45053c9ea7bf130a3cc4eaa7ac2e2a452031

SHA256
7f842d402bb053801dfbb7945ea4d886bdc24cc4b29e20569a5c1cd374a43647

SHA512
10845ead47cff5ce285d5090c2699b6e8dc5ec0195fe276b71252bb7c23c9ee8b23cde01de734815cd62e129261e6eb137ec5bab180db17523fac975dfc0996e

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\builder.bat

Filesize
581B

MD5
5bffd9e309e1d362608a5188a0f0cdba

SHA1
d87cca8b89fc5cc4e77453a8aa03a058c8b5e85b

SHA256
6fa6de2709d0e38c8b651747cd37f73262118c005ae89e37b80cce0eaad1ff88

SHA512
8e9b6e0d479b7ea7a1cebd41deb59a13beccf36552388c41ddaf341021a0d62c972846a665cb30948e84981828ec5622570a46bcdb48a8cb6ae0a9991acd5989

Download Submit
C:\Users\Admin\Desktop\Redline Stealer v30.2 Cracked By @Drcrypt0r\builder\dnlib.dll

Filesize
1.1MB

MD5
3d913aab7b1c514502c6a232e37d470e

SHA1
28ac2d1519ec5ea58b81fe40777645acc043b349

SHA256
bdb84aa16678189510def7c589851f6ea15e60ff977ea4c7c8c156504e6ac0ff

SHA512
311e8f73c52dd65cbaf9f6e008b3231090ea99edf3471bac63cca4156a37a0d874ac590b19c01b15e05345bb6a5b636a11698bbd4e88c59c138dd3f358800027

Download Submit
memory/2156-107-0x000002F3324A0000-0x000002F3324DC000-memory.dmp

Filesize
240KB

Download
memory/2156-90-0x000002F321680000-0x000002F321738000-memory.dmp

Filesize
736KB

Download
memory/2156-89-0x000002F3201C0000-0x000002F3201E2000-memory.dmp

Filesize
136KB

Download
memory/2156-86-0x000002F320270000-0x000002F320320000-memory.dmp

Filesize
704KB

Download
memory/2156-88-0x000002F307610000-0x000002F30764A000-memory.dmp

Filesize
232KB

Download
memory/2156-98-0x000002F320EC0000-0x000002F320ED0000-memory.dmp

Filesize
64KB

Download
memory/2156-106-0x000002F3211F0000-0x000002F321202000-memory.dmp

Filesize
72KB

Download
memory/2156-84-0x000002F305CE0000-0x000002F305CF0000-memory.dmp

Filesize
64KB

Download
memory/2156-94-0x000002F323E40000-0x000002F323E58000-memory.dmp

Filesize
96KB

Download
memory/2156-82-0x000002F3075B0000-0x000002F3075C2000-memory.dmp

Filesize
72KB

Download
memory/2156-92-0x000002F323E90000-0x000002F323EDA000-memory.dmp

Filesize
296KB

Download
memory/2156-80-0x000002F320140000-0x000002F3201B4000-memory.dmp

Filesize
464KB

Download
memory/2888-78-0x00007FFC91570000-0x00007FFC92032000-memory.dmp

Filesize
10.8MB

Download
memory/2888-75-0x00007FFC91573000-0x00007FFC91575000-memory.dmp

Filesize
8KB

Download
memory/2888-76-0x000001A9531B0000-0x000001A953DC4000-memory.dmp

Filesize
12.1MB

Download
memory/2888-111-0x00007FFC91573000-0x00007FFC91575000-memory.dmp

Filesize
8KB

Download
memory/2888-112-0x00007FFC91570000-0x00007FFC92032000-memory.dmp

Filesize
10.8MB

Download
memory/4008-120-0x0000000004C90000-0x0000000004DB6000-memory.dmp

Filesize
1.1MB

Download
memory/4008-116-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/6060-138-0x0000000005380000-0x00000000053CC000-memory.dmp

Filesize
304KB

Download
memory/6060-137-0x0000000005330000-0x000000000536C000-memory.dmp

Filesize
240KB

Download
memory/6060-130-0x0000000000670000-0x00000000006C2000-memory.dmp

Filesize
328KB

Download
memory/6060-136-0x00000000052D0000-0x00000000052E2000-memory.dmp

Filesize
72KB

Download
memory/6060-135-0x00000000053E0000-0x00000000054EA000-memory.dmp

Filesize
1.0MB

Download
memory/6060-134-0x0000000006240000-0x0000000006858000-memory.dmp

Filesize
6.1MB

Download
memory/6060-143-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/6060-144-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/6060-145-0x0000000007A90000-0x0000000007C52000-memory.dmp

Filesize
1.8MB

Download
memory/6060-146-0x0000000008190000-0x00000000086BC000-memory.dmp

Filesize
5.2MB

Download
memory/6060-133-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/6060-132-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/6060-131-0x0000000005670000-0x0000000005C16000-memory.dmp

Filesize
5.6MB

Download