Derin Statik Analiz — RedLine | Tehdit: critical

Fichier Kimligi

SHA256ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
MD5c82a837475376cd2dad0afb7520a5aa4
SHA1d636cd516174fbabf403d21c5ca55597f124caa6
Taille570880 byte
Tur/opt/ksentinel/samples/ab82c433b4a5e763_SAMPLECATALOGSANDDRAWI: PE32 executable
DerlemeInconnu
PackerUPX

C2 / Dropper Domainleri

AdresTipDurum
github.comDomainUnknown

IOC Listesi

ValeurTip
github.comDomain

Yetenekler

  • TCP Socket C2

Gelistirici Ipuclari

PDB Yolu: bash: -c: line 1: syntax error near unexpected token `|' bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^

Telegram: @cN2AW @js7zg @pJKD @sEBvQ @Soz7

PE Analizi

Guvenlik Taramasi

file entropy:                    7.665814 (probably packed)
fpu anti-disassembly:            no
imagebase:                       normal
entrypoint:                      normal
DOS stub:               

Import Tablosu

Imported functions
    Library
        Name:                            mscoree.dll
        Functions
            Function
                Hint:                            0
                Name:                            _CorExeMain

Binwalk / Packer

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
30863      

Famille Tespiti

String kaniti bulunamadi (sifrelenmis/obfuskeli).

RedLine — Profil du malware

RedLine Stealer. QUOTATION lure. PCRE regex library. Form-grabbing. Credential theft.

Type de malware
Infostealer
Langage de programmation
.NET C#
Protocole C2
HTTPS
Systèmes ciblés
Windows
Aussi connu sous (AKA)
RedLine Stealer

Détails techniques

.NET, gRPC C2 protokolu, browser credential theft (tum Chromium/Firefox tabanlılar), cryptocurrency wallet stealer, VPN credential stealer, Discord/Steam token stealer

Attribution / Acteur de la menace

Rusca konusulan gelistirici/operatorler; MaaS modeli ile cok sayida musteriye hizmet. 2024 Operasyon Magnus'ta birden fazla sunucu operatoru gozaltina alinmistir.

Capacités et comportement

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

Liste IOC (6 indicateurs)

IOC — RedLine
# d636cd516174fbabf403d21c5ca55597f124caa6 # SHA256 ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885 # MD5 c82a837475376cd2dad0afb7520a5aa4 # DOMAIN github.com # FILEPATH bash: -c: line 1: syntax error near unexpected token `|' # FILEPATH bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'
TypeValeurNote
d636cd516174fbabf403d21c5ca55597f124caa6
sha256 ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
md5 c82a837475376cd2dad0afb7520a5aa4
domain github.com
filepath bash: -c: line 1: syntax error near unexpected token `|'
filepath bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'

Serveurs C2 (8 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
github.com domain &mdash; HTTP active &mdash;
185.220.101.47 ip 80 HTTP active DE
103.224.241.163 ip 443 HTTPS inactive SG
45.142.212.100 ip 11821 TCP inactive &mdash;
193.56.255.42 ip 15000 TCP inactive &mdash;
5.188.87.39 ip 30000 TCP inactive &mdash;
46.205.202.219 ip 1912 TCP inactive &mdash;
217.65.2.14 ip 1912 TCP inactive &mdash;

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
redlinestatik-analizcriticalc2iocpe