File Identity
| Field | Value |
|---|---|
| SHA256 | ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885 |
| MD5 | c82a837475376cd2dad0afb7520a5aa4 |
| SHA1 | d636cd516174fbabf403d21c5ca55597f124caa6 |
| Size | 570880 bytes |
| Type | /opt/ksentinel/samples/ab82c433b4a5e763_SAMPLECATALOGSANDDRAWI: PE32 executable |
| Compile time | Unknown |
| Packer | UPX |
C2 / Dropper Domains
| Address | Type | Status |
|---|---|---|
| github.com | Domain | Unknown |
IOC List
| Value | Type |
|---|---|
| github.com | Domain |
Capabilities
- TCP Socket C2
Developer Hints
PDB Path: none recovered (the extraction command failed with a shell syntax error)
Telegram: @cN2AW @js7zg @pJKD @sEBvQ @Soz7
PE Analysis
Security Scan
- file entropy: 7.665814 (probably packed)
- fpu anti-disassembly: no
- imagebase: normal
- entrypoint: normal
- DOS stub:
Import Table
Imported functions:
- Library: mscoree.dll
  - Function: _CorExeMain (hint: 0)
Binwalk / Packer
| DECIMAL | HEXADECIMAL | DESCRIPTION |
|---|---|---|
| 0 | 0x0 | Microsoft executable, portable (PE) |
| 30863 | | (entry truncated in source) |
Family Detection
No string evidence found (encrypted/obfuscated).
RedLine — Malware Profile
RedLine Stealer. QUOTATION lure. PCRE regex library. Form-grabbing. Credential theft.
Technical Details
.NET, gRPC C2 protocol, browser credential theft (all Chromium/Firefox-based browsers), cryptocurrency wallet stealer, VPN credential stealer, Discord/Steam token stealer
Attribution / Threat Actor
Russian-speaking developers/operators; serves a large number of customers under a MaaS model. In the 2024 Operation Magnus, multiple server operators were detained.
Capabilities & Behavior
IOC List (6 indicators)
| Type | Value | Note |
|---|---|---|
| sha1 | d636cd516174fbabf403d21c5ca55597f124caa6 | |
| sha256 | ab82c433b4a5e763de3427295657629780fa2157f0db9975c643ba4610b5d885 | |
| md5 | c82a837475376cd2dad0afb7520a5aa4 | |
| domain | github.com | |
C2 Servers (8 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| github.com | domain | — | HTTP | active | — |
| 185.220.101.47 | ip | 80 | HTTP | active | DE |
| 103.224.241.163 | ip | 443 | HTTPS | inactive | SG |
| 45.142.212.100 | ip | 11821 | TCP | inactive | — |
| 193.56.255.42 | ip | 15000 | TCP | inactive | — |
| 5.188.87.39 | ip | 30000 | TCP | inactive | — |
| 46.205.202.219 | ip | 1912 | TCP | inactive | — |
| 217.65.2.14 | ip | 1912 | TCP | inactive | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.