General

  • Target

    Document.pdf.scr

  • Size

    700.0MB

  • Sample

    220727-1cv8msdea2

  • MD5

    66313350525d00444319e42f88c9a320

  • SHA1

    5e54b8d600254f67fc03cad68a00a7f2a9d89b77

  • SHA256

    00770e297ae5fdcaa0f235de9bee97309553bc89c955c47141e21f6fabdd55c7

  • SHA512

    a16611adba248ea831a4c25b6d0d46e20793f2f3500a13f29129414756c24ad209118b93e3b435e229e41ab92b01d52bfe31add86c0ed8b6e7469aafff594e2b

Malware Config

Extracted

Family

redline

Botnet

2

C2

62.204.41.139:25190

Attributes
  • auth_value

    f3af3290196bb8fa91c4ccc1d3fcb28f

Targets

    • Target

      Document.pdf.scr

    • Size

      700.0MB

    • MD5

      66313350525d00444319e42f88c9a320

    • SHA1

      5e54b8d600254f67fc03cad68a00a7f2a9d89b77

    • SHA256

      00770e297ae5fdcaa0f235de9bee97309553bc89c955c47141e21f6fabdd55c7

    • SHA512

      a16611adba248ea831a4c25b6d0d46e20793f2f3500a13f29129414756c24ad209118b93e3b435e229e41ab92b01d52bfe31add86c0ed8b6e7469aafff594e2b

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks