Overview

overview

10

Static

static

10

Redline-cr...er.exe

windows10-2004-x64

3

Redline-cr...db.dll

windows10-2004-x64

1

Redline-cr...db.dll

windows10-2004-x64

1

Redline-cr...ks.dll

windows10-2004-x64

1

Redline-cr...il.dll

windows10-2004-x64

1

Redline-cr...ub.exe

windows10-2004-x64

10

Redline-cr...st.exe

windows10-2004-x64

3

Redline-cr...CF.dll

windows10-2004-x64

1

Redline-cr...er.exe

windows10-2004-x64

4

Redline-cr...).docx

windows10-2004-x64

1

Redline-cr...).docx

windows10-2004-x64

1

Redline-cr...el.exe

windows10-2004-x64

10

Redline-cr...me.exe

windows10-2004-x64

6

Redline-cr...48.exe

windows10-2004-x64

7

Redline-cr...ar.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    33s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Redline-crack-by-rzt/Panel/RedLine_20_2/Panel/panel.exe

  • Size

    16.4MB

  • MD5

    1246b7d115005ce9fcc96848c5595d72

  • SHA1

    fa3777c7fe670cea2a4e8267945c3137091c64b5

  • SHA256

    f01393937f06be201400703d1dbfb35397c4a5162f16278ba9d9bb63ddcbcc78

  • SHA512

    5bf90904cf74a8c3775498578d856dd9f4837077928cd7ce24e4a6ccec00827bcfb28c2079498ba682a4f53204d7ad2bb8de2489005c429dc968e75e26d29101

  • SSDEEP

    393216:gyOsihmjY/uAKJkDk4x/aQsY3K/jRsBp:FOLhmjY/utek4x/aQsyKLuBp

Score
10/10
dcratredlinediscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xIaoJlt1Yz.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\SysWOW64\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2432
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            5⤵
              PID:4736
          • C:\Program Files\Crashpad\attachments\dllhost.exe
            "C:\Program Files\Crashpad\attachments\dllhost.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2192
      • C:\Users\Admin\AppData\Local\Temp\Panel.exe
        "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Users\Admin\AppData\Local\Temp\Panel.exe
          "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
          3⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Oracle\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2268

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Panel.exe
      Filesize

      9.3MB

      MD5

      f4e19b67ef27af1434151a512860574e

      SHA1

      56304fc2729974124341e697f3b21c84a8dd242a

      SHA256

      c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

      SHA512

      a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
      Filesize

      1.5MB

      MD5

      fcbf03d90d4e9ce80f575452266e71d1

      SHA1

      1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

      SHA256

      2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

      SHA512

      9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xIaoJlt1Yz.bat
      Filesize

      214B

      MD5

      7fe0e910c82acff881ff5d3da2665ebd

      SHA1

      c498d5ec53cbec625039cecfc35b1a8c0256a913

      SHA256

      202b3f300a1cf78c23753e1f1b7e56b207963fc0b44eaa46c311be0a42eeb090

      SHA512

      6c1fa6e0888d173d72262eb6cebc80a4f82136460ca5a7481a482e711f4690b5f98ebe4cab6bae64daaa3a2413ce061ed8cd9927f6148b408a2e43afc8e19464

      Download Submit

    • memory/2192-2098-0x0000000000470000-0x00000000008AC000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2192-4064-0x0000000000470000-0x00000000008AC000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2192-2088-0x0000000000470000-0x00000000008AC000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/3312-3995-0x000000001F280000-0x000000001F2BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3312-3967-0x000000001ECD0000-0x000000001ECEA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3312-4058-0x00000000233D0000-0x000000002341A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/3312-4059-0x00000000202F0000-0x0000000020340000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3312-4010-0x000000001F370000-0x000000001F420000-memory.dmp

      Filesize

      704KB

      Download

    • memory/3312-3981-0x000000001F020000-0x000000001F032000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3312-4044-0x000000001F510000-0x000000001F584000-memory.dmp

      Filesize

      464KB

      Download

    • memory/4788-90-0x0000000006980000-0x00000000069E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4788-87-0x0000000006C00000-0x00000000071A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4788-158-0x0000000000890000-0x0000000000CCC000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/4788-86-0x0000000000890000-0x0000000000CCC000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/4788-85-0x0000000000890000-0x0000000000CCC000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/4788-61-0x0000000000890000-0x0000000000CCC000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/4896-0-0x0000000000400000-0x0000000001470000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/4952-74-0x000000001AD60000-0x000000001AF00000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4952-155-0x000000001DB70000-0x000000001DB7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4952-147-0x000000001DB60000-0x000000001DB6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4952-115-0x000000001DA40000-0x000000001DB82000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4952-145-0x000000001DB60000-0x000000001DB6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4952-143-0x000000001DB60000-0x000000001DB6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4952-142-0x000000001DB60000-0x000000001DB6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4952-119-0x000000001DA40000-0x000000001DB82000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4952-184-0x000000001E8F0000-0x000000001E90C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4952-114-0x000000001DA40000-0x000000001DB82000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4952-127-0x000000001DE10000-0x000000001DF52000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4952-102-0x0000000180000000-0x0000000180005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/4952-103-0x0000000180000000-0x0000000180005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/4952-105-0x0000000180000000-0x0000000180005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/4952-107-0x0000000180000000-0x0000000180005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/4952-109-0x0000000180000000-0x0000000180005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/4952-75-0x000000001AD60000-0x000000001AF00000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4952-76-0x000000001AD60000-0x000000001AF00000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4952-73-0x00007FFB806E0000-0x00007FFB811A1000-memory.dmp

      Filesize

      10.8MB

      Download