Fichier Kimligi
| SHA256 | ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885 |
|---|---|
| MD5 | c82a837475376cd2dad0afb7520a5aa4 |
| SHA1 | d636cd516174fbabf403d21c5ca55597f124caa6 |
| Taille | 570880 byte |
| Tur | /opt/ksentinel/samples/ab82c433b4a5e763_SAMPLECATALOGSANDDRAWI: PE32 executable |
| Derleme | Inconnu |
| Packer | UPX |
C2 / Dropper Domainleri
| Adres | Tip | Durum |
|---|---|---|
github.com | Domain | Unknown |
IOC Listesi
| Valeur | Tip |
|---|---|
github.com | Domain |
Yetenekler
- TCP Socket C2
Gelistirici Ipuclari
PDB Yolu: bash: -c: line 1: syntax error near unexpected token `|'
bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^
Telegram: @cN2AW @js7zg @pJKD @sEBvQ @Soz7
PE Analizi
Guvenlik Taramasi
file entropy: 7.665814 (probably packed) fpu anti-disassembly: no imagebase: normal entrypoint: normal DOS stub:
Import Tablosu
Imported functions
Library
Name: mscoree.dll
Functions
Function
Hint: 0
Name: _CorExeMainBinwalk / Packer
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Microsoft executable, portable (PE) 30863
Famille Tespiti
String kaniti bulunamadi (sifrelenmis/obfuskeli).
RedLine — Profil du malware
RedLine Stealer. QUOTATION lure. PCRE regex library. Form-grabbing. Credential theft.
Détails techniques
.NET, gRPC C2 protokolu, browser credential theft (tum Chromium/Firefox tabanlılar), cryptocurrency wallet stealer, VPN credential stealer, Discord/Steam token stealer
Attribution / Acteur de la menace
Rusca konusulan gelistirici/operatorler; MaaS modeli ile cok sayida musteriye hizmet. 2024 Operasyon Magnus'ta birden fazla sunucu operatoru gozaltina alinmistir.
Capacités et comportement
Liste IOC (6 indicateurs)
#
d636cd516174fbabf403d21c5ca55597f124caa6
# SHA256
ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885
# MD5
c82a837475376cd2dad0afb7520a5aa4
# DOMAIN
github.com
# FILEPATH
bash: -c: line 1: syntax error near unexpected token `|'
# FILEPATH
bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'
| Type | Valeur | Note |
|---|---|---|
| d636cd516174fbabf403d21c5ca55597f124caa6 | ||
| sha256 | ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885 | |
| md5 | c82a837475376cd2dad0afb7520a5aa4 | |
| domain | github.com | |
| filepath | bash: -c: line 1: syntax error near unexpected token `|' | |
| filepath | bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10' |
Serveurs C2 (8 serveurs enregistrés pour cette famille)
| Adresse | Type | Port | Protocole | Statut | Pays |
|---|---|---|---|---|---|
| github.com | domain | — | HTTP | active | — |
| 185.220.101.47 | ip | 80 | HTTP | active | DE |
| 103.224.241.163 | ip | 443 | HTTPS | inactive | SG |
| 45.142.212.100 | ip | 11821 | TCP | inactive | — |
| 193.56.255.42 | ip | 15000 | TCP | inactive | — |
| 5.188.87.39 | ip | 30000 | TCP | inactive | — |
| 46.205.202.219 | ip | 1912 | TCP | inactive | — |
| 217.65.2.14 | ip | 1912 | TCP | inactive | — |
Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.