oski | hxxps://dosya[.]co/u0jtlrjg80h4/Petras_RedlineStealer[.]rar[.]html

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dosya.co/u0jtlrjg80h4/Petras_RedlineStealer.rar.html

Score

10^/10

oski redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

127.0.0.1:1337

Extracted

Family

oski

Eddd.Ultihost.Net

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Oski family
oski
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c5f-150.dat	family_redline
behavioral1/files/0x0008000000023c7d-170.dat	family_redline
behavioral1/memory/5000-172-0x0000000000950000-0x000000000096E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c5f-150.dat	family_sectoprat
behavioral1/files/0x0008000000023c7d-170.dat	family_sectoprat
behavioral1/memory/5000-172-0x0000000000950000-0x000000000096E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 9 IoCs

pid	Process
764	Kurome.Builder.exe
5000	build.exe
3004	build.exe
2452	Kurome.Host.exe
4348	Panel.exe
1124	Panel.exe
5060	Panel.exe
4896	Panel.exe
772	Panel.exe

Loads dropped DLL 4 IoCs

pid	Process
764	Kurome.Builder.exe
764	Kurome.Builder.exe
2452	Kurome.Host.exe
2452	Kurome.Host.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 1124	4348	Panel.exe	114
PID 5060 set thread context of 772	5060	Panel.exe	120

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2216	1124	WerFault.exe	114
1200	772	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133821941653395010"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
5060	Panel.exe
5060	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeRestorePrivilege	4672	7zG.exe
Token: 35	4672	7zG.exe
Token: SeSecurityPrivilege	4672	7zG.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeSecurityPrivilege	4672	7zG.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4672	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2432	4872	chrome.exe	82
PID 4872 wrote to memory of 2432	4872	chrome.exe	82
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 2068	4872	chrome.exe	83
PID 4872 wrote to memory of 5100	4872	chrome.exe	84
PID 4872 wrote to memory of 5100	4872	chrome.exe	84
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85
PID 4872 wrote to memory of 2064	4872	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dosya.co/u0jtlrjg80h4/Petras_RedlineStealer.rar.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f3dfcc40,0x7ff8f3dfcc4c,0x7ff8f3dfcc58
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,1088991079004309406,486570952220910084,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,1088991079004309406,486570952220910084,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,1088991079004309406,486570952220910084,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,1088991079004309406,486570952220910084,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,1088991079004309406,486570952220910084,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4340,i,1088991079004309406,486570952220910084,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4608,i,1088991079004309406,486570952220910084,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5076,i,1088991079004309406,486570952220910084,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4504

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Petras_RedlineStealer\" -ad -an -ai#7zMap21768:104:7zEvent16344
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4672

C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:764

C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\build.exe
"C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5000

C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\build.exe
"C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004

C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2452

C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4348
- C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe
  "C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1368
    3⤵
    - Program crash
    PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1124 -ip 1124
1⤵
PID:3664

C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5060
- C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe
  "C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe"
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe
  "C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe"
  2⤵
  - Executes dropped EXE
  PID:772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1348
    3⤵
    - Program crash
    PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 772 -ip 772
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d38d60040233076f253ca49fca8af20e

SHA1
74cb43019404302672e1430e21486d00c6052a6d

SHA256
75ef992c2d0ab96334d0fe2fa7aaeed4741488436a5ef0721f9ee7aae09aff97

SHA512
e1ae67349614c5cdaf227c78fadbf1f3dc679268ca492b323dabfbc33661a6f038f28f9ddd52409183cf0536626c4226dbb2b4b2077f14eb14769968bbe6b1bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
47c0ee4d4e2603768f06a9c6cd8c199f

SHA1
d01aefcc7cf90103ebf503fc528e7d30c5003256

SHA256
0334068d13087f91227453c0e4346abe3db4bc89b08e2bdccb103f8e5940bace

SHA512
4f0ca894ff176e987faa5fda685746e9396813836c91965a2cc41fd62d49968482bf3039923f8820ffd8537506f220bb993d7dc757f142cac70f1eb0127aaf38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\87355956-2053-4d94-9615-a7fd3cfe4653.tmp

Filesize
1KB

MD5
0056310621f47fc565f3a12fed1a65ab

SHA1
3b5e14327d21a5119c48a52b3a7b7bfd9b3c2fd9

SHA256
4d398cd211b1f7b9456b893f1860a6d4e66bf6e5f7fa8f1d6adbecbcdb88cc0c

SHA512
2ae516a3d7b1c05ccf213d74b3f2dc38112a6a305b883508f486ad525567b669008cb5382e909e3360626fba3af27d04bc95146a1db50cc670b47d7a40e3385a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
997d46730626e94548ce03209f66da25

SHA1
03295d8a7e48430d549da788ff775434d0512671

SHA256
a813da12a8af1f7cd104ebd49539344a99b5e71042d49a7416feac3ee999c533

SHA512
0b69bc73ffd98ce5b67565d7ed5d9745b5b646db306f31bede2db5a8c35747d1b4eac5e7fdb49ec64ca1807c937d6112256f167f6413bdac63b4ae486d355bfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
246b7bf2f5c1884687c2e1756d00679b

SHA1
f9ad2fb6d0a92fb3ad7fa364c84d4803b05c36ef

SHA256
67a6aa8f167ee6c0b4393df98427e54758590713b0e64445f2cdd0cc750e80ea

SHA512
ac162bc11702c1c2ec38f71a901e67e1d23afcca6a73701a98c2f473a55d2ea2575b963057cc90818c544db981f50314cf8f47fef0efa7eabdf1c4e9911f40d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
285b7488edab64de28f8114f05aff3db

SHA1
216c0ad86d25efa3f24c732a5184b080194d6187

SHA256
fe34b6f0775ea726c7cec5a1f1d9e85662e35c5364eba26218606e6c77d416c5

SHA512
2c15b3f0910bbea7eb2ffe33e0187869d80658fce64c7562d5e8ca4895965c9a5756f8b496f0740b1f0d1a20dd15f3310b7bedcba7c804fe9510b968c5a8a3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d99eb2037aedf8a3e9d69eb65e0baf6c

SHA1
19f1f96bc5cdbdbf2be373546bed8dba81171327

SHA256
44422f4ec3ac2c0cf283999a6c0afcfbef8371b18f6b3ab6ae4831f51ab328d1

SHA512
6c8a1f519898edb0c6b4154427eb4960d70b6ca7fb4e04dcd85aa075d1c799efa4cb5fe8de638cf7947a81c2d71702d97d2493cc86e28a12ca0cd0241e1a0d6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e2e6cdb717dbbd48f035cc03f7e3446

SHA1
15f4d6392ac63523fbbbfd91fcd4463d86faa128

SHA256
2f877ad957f40fc6a4983f7ce221e9930e55173befa47a8794df59f44755eed5

SHA512
57f976e1f7bec4ca8a9829eacd19b696392fb891e3594bda233c2041b07e96b5837cd023e61c94942c641a1a5a7c1c3fe2b2e7d4b2f2b2c74d9763ff81bb3efe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b2ce94c4fedf338fd12b7e38b498eca9

SHA1
2ec51988a9372778ef96208d75d9edf304b7d7ad

SHA256
c2d42a8ea69e608b342ac60cfd70161569a073dd202472a388a72ace9cfee8cc

SHA512
813b3fd8ef8fbbdaa43296378c4ba096abb0394ce14ce0ffbae3c2c5b0c5f2e6e2e04dda5eef49b52b9fbff809eff7de50d6be26b41f82b7eaffb97b1b5debf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22546d73450ff8864ed87808e1761abe

SHA1
d9d749a74774b72e16536420fa382fc115bde844

SHA256
2533c5e0473baa0e380fcd66efee8f8356af45eaa6c4955fe8229a7bad832338

SHA512
c5d47f0cc2466510ef2d4a1b1fb0871dc3da8483c99f972090385c91eca81494d402b3158c7584ec5f8a2a71f27d373d3ba6e37ae3db3760f481583f8c217dea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f941ea8fc2bbcea62d63854e6eeeddc6

SHA1
7b639cf567c372fe31006949d04ef2c629240375

SHA256
c46d3e40f52d528ba91dfbe941c00b0bdd87c37233b69d971285dfb6cc3e22dc

SHA512
3d2250f4f74c1d5281aa76955ee69542eb5f44f90e2ad76b4e091835469e352fda3ac88193f77d9ae8f6160187795b061215fda391c884677271ca9ac3fb5cd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
1b94bd6e9a5acfc0e880e7242358a2f7

SHA1
bb0bef20182cf8f813e76b7ceaf1f8cc3cf29164

SHA256
9fdd083ab408d6960902db45222b989a6fb18147c0e68830163d91ff004cd42d

SHA512
6eea1feda2b15eaf03e6088df411a50e27442d1656de67647dadfd403d41a2f699b5e985890cfcb29855d3dd2a71eed178e63f45b45bc194a6b6391d046f9b60

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer.rar.crdownload

Filesize
2.9MB

MD5
74747e032ebbf8784b1617f8538e42ab

SHA1
e81c9a23675801cc7c0e0f9f66df43eb466345aa

SHA256
b840ccc7266bad69ce90a7ac6ebb67b353ad6552d74e132f7254d948c9894735

SHA512
4cd85060295db7f1d922db6dbe3148b087e7e1192d0180fea37028b89786e4f6c854350ad80112e7a9bd175df7d0cba59b9e0443e65da91eff17264ace02acef

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\Kurome.Builder.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\build.exe

Filesize
95KB

MD5
ca8b99c9d67aee4b846581461ec6bb2b

SHA1
7c0fd208b99bc69aaf003693aeafbe73cde4658f

SHA256
d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a

SHA512
027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Builder\stub.dll

Filesize
96KB

MD5
625ed01fd1f2dc43b3c2492956fddc68

SHA1
48461ef33711d0080d7c520f79a0ec540bda6254

SHA256
6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b

SHA512
1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe

Filesize
326KB

MD5
844f229c9a05abe9b9e4e07aa26f1e34

SHA1
76a39924c6a50bcd910b1a7c7557777601152e83

SHA256
70261778a7d5c3f0dd1df2b029d5d8d7a3627e3de511abb68050e90e12b7b27b

SHA512
5e76b5d217fe9071abc8ca82cf200ac6ae14e5331e1c787f7c7a164023d754cdaff86710e9c93cf688b5f8deb084afd0f675f8ccb675e42314f3b715411ddc5b

Download Submit
C:\Users\Admin\Downloads\Petras_RedlineStealer\Redline_2021_stealer\Panel\RedLine_20_2\Panel\Panel.exe.config

Filesize
26KB

MD5
494890d393a5a8c54771186a87b0265e

SHA1
162fa5909c1c3f84d34bda5d3370a957fe58c9c8

SHA256
f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7

SHA512
40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395

Download Submit
memory/764-143-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/764-177-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/764-149-0x0000000006990000-0x00000000069EE000-memory.dmp

Filesize
376KB

Download
memory/764-144-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/764-142-0x0000000000910000-0x0000000000938000-memory.dmp

Filesize
160KB

Download
memory/764-145-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/764-141-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/772-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1124-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1124-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-199-0x0000000004D10000-0x0000000004D60000-memory.dmp

Filesize
320KB

Download
memory/2452-198-0x0000000004BA0000-0x0000000004BC8000-memory.dmp

Filesize
160KB

Download
memory/2452-197-0x0000000004C40000-0x0000000004D0E000-memory.dmp

Filesize
824KB

Download
memory/2452-196-0x0000000004920000-0x0000000004946000-memory.dmp

Filesize
152KB

Download
memory/2452-192-0x00000000000D0000-0x00000000000F4000-memory.dmp

Filesize
144KB

Download
memory/4348-218-0x00000000002B0000-0x000000000030A000-memory.dmp

Filesize
360KB

Download
memory/4348-219-0x0000000002590000-0x00000000025A4000-memory.dmp

Filesize
80KB

Download
memory/4348-220-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/5000-176-0x0000000005270000-0x00000000052BC000-memory.dmp

Filesize
304KB

Download
memory/5000-178-0x00000000054E0000-0x00000000055EA000-memory.dmp

Filesize
1.0MB

Download
memory/5000-175-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download
memory/5000-174-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/5000-173-0x0000000005960000-0x0000000005F78000-memory.dmp

Filesize
6.1MB

Download
memory/5000-172-0x0000000000950000-0x000000000096E000-memory.dmp

Filesize
120KB

Download
memory/5060-228-0x0000000005770000-0x0000000005784000-memory.dmp

Filesize
80KB

Download