redline | 77b9f0c79ae8a64eb8d2f6ad82089b44ceda4144a96840d47371548ead61a763 | Triage

Submit
Reports

Overview

overview

Static

static

Redline_20...er.exe

windows7-x64

1

Redline_20...er.exe

windows10-2004-x64

1

Redline_20...ub.exe

windows7-x64

Redline_20...ub.exe

windows10-2004-x64

Redline_20...st.exe

windows7-x64

1

Redline_20...st.exe

windows10-2004-x64

1

Redline_20...er.exe

windows7-x64

4

Redline_20...er.exe

windows10-2004-x64

4

Redline_20...el.exe

windows7-x64

9

Redline_20...el.exe

windows10-2004-x64

Sharing

General

Target

Redline_20_2.zip
Size

24.7MB
Sample

240702-kdedhsxhnp
MD5

97a51d9c58994f6d77181fe62b807556
SHA1

11d64d7fe28064dc06f32b37cd6d89b4c5eb214b
SHA256

77b9f0c79ae8a64eb8d2f6ad82089b44ceda4144a96840d47371548ead61a763
SHA512

2a0c182a4740db61fce9df95332e72f8a044deba18587a7f206ec7bbcd17f4d0392202c5ad052ec35de569ab4207e5122c07889059de82a33d728e9227b7ce96
SSDEEP

393216:g6vsKw921Cqkcc0kqRY78G0CYXRpDmbdTTia/7USGo+3rjmKr4YYH+EUWpgXH:g6MLqkcbkVoGJMflhZ3rjB4cW63

Score

10^/10

redline sectoprat agilenet evasion infostealer rat themida trojan

Static task

static1

agilenet sectoprat redline

6 signatures

Behavioral task

behavioral1

Sample

Redline_20_2/Redline_20_2_stealer-main/Kurome.Builder/Kurome.Builder.exe

Resource

win7-20240221-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

Redline_20_2/Redline_20_2_stealer-main/Kurome.Builder/Kurome.Builder.exe

Resource

win10v2004-20240226-en

windows10-2004-x64

1 signatures

150 seconds

Behavioral task

behavioral3

Sample

Redline_20_2/Redline_20_2_stealer-main/Kurome.Builder/stub.exe

Resource

win7-20231129-en

redline sectoprat infostealer rat trojan

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral4

Sample

Redline_20_2/Redline_20_2_stealer-main/Kurome.Builder/stub.exe

Resource

win10v2004-20240508-en

redline sectoprat infostealer rat trojan

windows10-2004-x64

5 signatures

150 seconds

Behavioral task

behavioral5

Sample

Redline_20_2/Redline_20_2_stealer-main/Kurome.Host/Kurome.Host.exe

Resource

win7-20240611-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral6

Sample

Redline_20_2/Redline_20_2_stealer-main/Kurome.Host/Kurome.Host.exe

Resource

win10v2004-20240508-en

windows10-2004-x64

1 signatures

150 seconds

Behavioral task

behavioral7

Sample

Redline_20_2/Redline_20_2_stealer-main/Kurome.Loader/Kurome.Loader.exe

Resource

win7-20240221-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral8

Sample

Redline_20_2/Redline_20_2_stealer-main/Kurome.Loader/Kurome.Loader.exe

Resource

win10v2004-20240508-en

windows10-2004-x64

2 signatures

150 seconds

Behavioral task

behavioral9

Sample

Redline_20_2/Redline_20_2_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe

Resource

win7-20240508-en

agilenet evasion themida trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral10

Sample

Redline_20_2/Redline_20_2_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe

Resource

win10v2004-20240611-en

agilenet evasion themida trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  Redline_20_2/Redline_20_2_stealer-main/Kurome.Builder/Kurome.Builder.exe
- Size
  
  137KB
- MD5
  
  cf38a4bde3fe5456dcaf2b28d3bfb709
- SHA1
  
  711518af5fa13f921f3273935510627280730543
- SHA256
  
  c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e
- SHA512
  
  3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc
- SSDEEP
  
  3072:abrwd8T7vH96NLS+ld4qRdxtiZQRWkmVnt749m3DIo9O:aH3TLH96NLS+n46dxICRcVntX
Score

1^/10
behavioral1 behavioral2
- Target
  
  Redline_20_2/Redline_20_2_stealer-main/Kurome.Builder/stub.dll
- Size
  
  96KB
- MD5
  
  625ed01fd1f2dc43b3c2492956fddc68
- SHA1
  
  48461ef33711d0080d7c520f79a0ec540bda6254
- SHA256
  
  6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b
- SHA512
  
  1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665
- SSDEEP
  
  1536:9G6ijoigzKqO1RUTBHQsu/0igR4vYVVlmbfaxv0ujXyyedOn4iwEEl:BSElHQ/ORUYos0ujyzdZl
Score

10^/10

redline sectoprat infostealer rat trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
behavioral3 behavioral4
- Target
  
  Redline_20_2/Redline_20_2_stealer-main/Kurome.Host/Kurome.Host.exe
- Size
  
  119KB
- MD5
  
  4fde0f80c408af27a8d3ddeffea12251
- SHA1
  
  e834291127af150ce287443c5ea607a7ae337484
- SHA256
  
  1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb
- SHA512
  
  3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5
- SSDEEP
  
  3072:KEdjrOO8+K46SgVE+mxzqT67iLRi/Gj81GUpYb:KjQjgPmxzq27iLRiuAPp
Score

1^/10
behavioral5 behavioral6
- Target
  
  Redline_20_2/Redline_20_2_stealer-main/Kurome.Loader/Kurome.Loader.exe
- Size
  
  2.2MB
- MD5
  
  a3ec05d5872f45528bbd05aeecf0a4ba
- SHA1
  
  68486279c63457b0579d86cd44dd65279f22d36f
- SHA256
  
  d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e
- SHA512
  
  b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e
- SSDEEP
  
  49152:KSmo0SdsEoRykUuulqasMwMcdZa9FHeXXGFr3sylP2/BQ7MWV:lm7UQRyksl9cXwFHeX2t8y21
Score

4^/10
behavioral7 behavioral8
- Target
  
  Redline_20_2/Redline_20_2_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
- Size
  
  21.2MB
- MD5
  
  70f64e55852f812c8ce30b7831accf70
- SHA1
  
  4ee00b44ce66d871bd69c2ff4d72547953baf488
- SHA256
  
  61e44f8baccf9d80daa45a5b618c3faaee7b8cdedad4656eb99f49ee80f318fb
- SHA512
  
  98056894cbea8221af6c7b35a020348e180aefc29b87eb420f215724e5f29bac3418b7dd88dc00dfe0c5adaaffac0bd9da68f2d5dae7a724cf542198e96999eb
- SSDEEP
  
  393216:acc0kqRY78G0CYXRpDmbdTTia/7USGo+3rjmKr4YYH+EUWpgX:acbkVoGJMflhZ3rjB4cW6
Score

9^/10

agilenet evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

agilenetsectopratredline

behavioral1

behavioral2

behavioral3

redlinesectopratinfostealerrattrojan

behavioral4

redlinesectopratinfostealerrattrojan

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

agilenetevasionthemidatrojan

behavioral10

agilenetevasionthemidatrojan

© 2018-2024

Terms | Privacy