Overview
Score: 10 (overview), 10 (static)

Per-task scores (sample name as truncated in the report's task list, platform, score; the tasks are listed in the same order as behavioral1 to behavioral26 below):
REDLINE ST...er.exe  windows7-x64        3
REDLINE ST...er.exe  windows10-2004-x64  3
REDLINE ST...db.dll  windows7-x64        1
REDLINE ST...db.dll  windows10-2004-x64  1
REDLINE ST...db.dll  windows7-x64        1
REDLINE ST...db.dll  windows10-2004-x64  1
REDLINE ST...ks.dll  windows7-x64        1
REDLINE ST...ks.dll  windows10-2004-x64  1
REDLINE ST...il.dll  windows7-x64        1
REDLINE ST...il.dll  windows10-2004-x64  1
REDLINE ST...ub.exe  windows7-x64        10
REDLINE ST...ub.exe  windows10-2004-x64  10
REDLINE ST...st.exe  windows7-x64        3
REDLINE ST...st.exe  windows10-2004-x64  3
REDLINE ST...CF.dll  windows7-x64        1
REDLINE ST...CF.dll  windows10-2004-x64  1
REDLINE ST...er.exe  windows7-x64        4
REDLINE ST...er.exe  windows10-2004-x64  4
REDLINE ST...el.exe  windows7-x64        10
REDLINE ST...el.exe  windows10-2004-x64  10
REDLINE ST...me.exe  windows7-x64        6
REDLINE ST...me.exe  windows10-2004-x64  6
REDLINE ST...48.exe  windows7-x64        7
REDLINE ST...48.exe  windows10-2004-x64  7
REDLINE ST...ar.exe  windows7-x64        1
REDLINE ST...ar.exe  windows10-2004-x64  1

Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2025 20:04
Behavioral tasks (task: sample, resource)
behavioral1: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Kurome.Builder.exe, win7-20240903-en
behavioral2: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Kurome.Builder.exe, win10v2004-20241007-en
behavioral3: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.Mdb.dll, win7-20241010-en
behavioral4: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.Mdb.dll, win10v2004-20241007-en
behavioral5: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.Pdb.dll, win7-20240903-en
behavioral6: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.Pdb.dll, win10v2004-20241007-en
behavioral7: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.Rocks.dll, win7-20240903-en
behavioral8: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.Rocks.dll, win10v2004-20241007-en
behavioral9: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.dll, win7-20240903-en
behavioral10: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.dll, win10v2004-20241007-en
behavioral11: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/stub.exe, win7-20240729-en
behavioral12: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/stub.exe, win10v2004-20241007-en
behavioral13: REDLINE STEALER V20.2 - Edition 2022/Kurome.Host/Kurome.Host.exe, win7-20240903-en
behavioral14: REDLINE STEALER V20.2 - Edition 2022/Kurome.Host/Kurome.Host.exe, win10v2004-20241007-en
behavioral15: REDLINE STEALER V20.2 - Edition 2022/Kurome.Host/Kurome.WCF.dll, win7-20241010-en
behavioral16: REDLINE STEALER V20.2 - Edition 2022/Kurome.Host/Kurome.WCF.dll, win10v2004-20241007-en
behavioral17: REDLINE STEALER V20.2 - Edition 2022/Kurome.Loader/Kurome.Loader.exe, win7-20240903-en
behavioral18: REDLINE STEALER V20.2 - Edition 2022/Kurome.Loader/Kurome.Loader.exe, win10v2004-20241007-en
behavioral19: REDLINE STEALER V20.2 - Edition 2022/Panel/RedLine_20_2/Panel/Panel.exe, win7-20240903-en
behavioral20: REDLINE STEALER V20.2 - Edition 2022/Panel/RedLine_20_2/Panel/Panel.exe, win10v2004-20241007-en
behavioral21: REDLINE STEALER V20.2 - Edition 2022/Panel/RedLine_20_2/Tools/Chrome.exe, win7-20240729-en
behavioral22: REDLINE STEALER V20.2 - Edition 2022/Panel/RedLine_20_2/Tools/Chrome.exe, win10v2004-20241007-en
behavioral23: REDLINE STEALER V20.2 - Edition 2022/Panel/RedLine_20_2/Tools/NetFramework48.exe, win7-20240903-en
behavioral24: REDLINE STEALER V20.2 - Edition 2022/Panel/RedLine_20_2/Tools/NetFramework48.exe, win10v2004-20241007-en
behavioral25: REDLINE STEALER V20.2 - Edition 2022/Panel/RedLine_20_2/Tools/WinRar.exe, win7-20241010-en
behavioral26: REDLINE STEALER V20.2 - Edition 2022/Panel/RedLine_20_2/Tools/WinRar.exe, win10v2004-20241007-en
General
Target: REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Kurome.Builder.exe
Size: 137KB
MD5: cf38a4bde3fe5456dcaf2b28d3bfb709
SHA1: 711518af5fa13f921f3273935510627280730543
SHA256: c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e
SHA512: 3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc
SSDEEP: 3072:abrwd8T7vH96NLS+ld4qRdxtiZQRWkmVnt749m3DIo9O:aH3TLH96NLS+n46dxICRcVntX
Malware Config
(empty in this report: no configuration was extracted from this task)

Signatures
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by Kurome.Builder.exe
  Caveat: this is a single registry read by a managed (.NET) application (the builder ships with the Mono.Cecil assemblies). Managed runtimes commonly read the NLS keys when initialising culture information, so on its own this hit is a weak indicator of deliberate geolocation checks; treat it as low confidence unless it is paired with a locale-based exit or branch.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2728 taskmgr.exe (64 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2728 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: pid 2896 Kurome.Builder.exe
  Token SeDebugPrivilege: pid 2728 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 2896 Kurome.Builder.exe (2 events); pid 2728 taskmgr.exe (62 events)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid 2728 taskmgr.exe (64 events)

Note on attribution: taskmgr.exe (PID 2728) is a separate top-level process in the tree below, not a child of the sample, so the EnumeratesProcesses, GetForegroundWindowSpam and SendNotifyMessage hits and most of the FindShellTrayWindow hits describe Task Manager's own behaviour. The signatures that actually belong to Kurome.Builder.exe (PID 2896) are the NLS\Language key read, one SeDebugPrivilege token adjustment and two FindShellTrayWindow calls.
Processes
- C:\Users\Admin\AppData\Local\Temp\REDLINE STEALER V20.2 - Edition 2022\Kurome.Builder\Kurome.Builder.exe (PID 2896, top-level)
  command line: "C:\Users\Admin\AppData\Local\Temp\REDLINE STEALER V20.2 - Edition 2022\Kurome.Builder\Kurome.Builder.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\taskmgr.exe (PID 2728, top-level; not a child of the sample)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
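The signature list above credits most of its hits to taskmgr.exe, which the process tree shows as a top-level process rather than a child of the sample. The following Python is an added example (not part of the sandbox report or of the RedLine tooling) showing how to use the tree's depth markers to split every signature's hit count into "from the sample's process subtree" and "from unrelated processes". The process tree and the per-signature PID counts are transcribed from the report above; the depth-marker handling, the hypothetical nested tree in the usage comments, and all function names are this example's own.

```python
"""Attribute sandbox signature hits to the submitted sample's process subtree.

Added example. PROCESS_TREE and SIGNATURE_HITS are transcribed from the
report above (64-entry IoC lists are collapsed into per-PID counts);
everything else is illustrative code, not sandbox or sample code.
"""
from collections import Counter

# (depth, pid, image) as the report renders it: "1⤵" = top-level process.
# Both processes are depth 1, so taskmgr.exe is not a child of the sample.
PROCESS_TREE = [
    (1, 2896, "Kurome.Builder.exe"),
    (1, 2728, "taskmgr.exe"),
]

SAMPLE_IMAGE = "Kurome.Builder.exe"

# signature -> Counter(pid -> number of IoC entries credited to that pid)
SIGNATURE_HITS = {
    "System Location Discovery: System Language Discovery": Counter({2896: 1}),
    "Suspicious behavior: EnumeratesProcesses": Counter({2728: 64}),
    "Suspicious behavior: GetForegroundWindowSpam": Counter({2728: 1}),
    "Suspicious use of AdjustPrivilegeToken": Counter({2896: 1, 2728: 1}),
    "Suspicious use of FindShellTrayWindow": Counter({2896: 2, 2728: 62}),
    "Suspicious use of SendNotifyMessage": Counter({2728: 64}),
}


def parent_map(tree):
    """Map each pid to its parent pid (None for top-level processes).

    The report lists processes depth-first with a depth marker, so a stack
    of ancestors indexed by depth recovers the parent of every entry.
    """
    parents = {}
    stack = []  # stack[i] is the ancestor at depth i + 1
    for depth, pid, _image in tree:
        del stack[depth - 1:]  # drop anything deeper than our parent
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def subtree(tree, root_pid):
    """All pids rooted at root_pid, including root_pid itself."""
    parents = parent_map(tree)
    members = {root_pid}
    changed = True
    while changed:  # iterate to a fixed point; trees are small
        changed = False
        for pid, parent in parents.items():
            if parent in members and pid not in members:
                members.add(pid)
                changed = True
    return members


def sample_pids(tree, sample_image):
    """Union of the subtrees rooted at every process running sample_image."""
    pids = set()
    for _depth, pid, image in tree:
        if image == sample_image:
            pids |= subtree(tree, pid)
    return pids


def attribute(hits, tree, sample_image):
    """Per signature: (hits from the sample's subtree, hits from elsewhere)."""
    ours = sample_pids(tree, sample_image)
    result = {}
    for signature, counter in hits.items():
        own = sum(n for pid, n in counter.items() if pid in ours)
        other = sum(n for pid, n in counter.items() if pid not in ours)
        result[signature] = (own, other)
    return result


def sample_signatures(hits, tree, sample_image):
    """Sorted names of the signatures with at least one hit from the sample."""
    split = attribute(hits, tree, sample_image)
    return sorted(sig for sig, (own, _other) in split.items() if own)


if __name__ == "__main__":
    for sig, (own, other) in attribute(SIGNATURE_HITS, PROCESS_TREE, SAMPLE_IMAGE).items():
        print(f"{sig}: sample={own} other={other}")
    print("attributable to sample:", sample_signatures(SIGNATURE_HITS, PROCESS_TREE, SAMPLE_IMAGE))
```

Run against the transcribed data, only three signatures keep any hits from PID 2896: the NLS\Language key read, one SeDebugPrivilege token adjustment and two FindShellTrayWindow calls; the 64-event EnumeratesProcesses and SendNotifyMessage lists fall entirely on the taskmgr.exe side. The same `parent_map` works for nested trees (a hypothetical sample.exe spawning cmd.exe, which spawns powershell.exe) because it only relies on the depth markers.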