General
-
Target
Document.pdf.scr
-
Size
700.0MB
-
Sample
220922-k32v4sahh9
-
MD5
42a123d2a8c6b9bf813d4ba30c6f7339
-
SHA1
020db224e295b652601f34b1b5284f3ad6bdf22f
-
SHA256
4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af
-
SHA512
aec4d9c6c9255ad4764a737bb38f68e525d95d38d634e286100c896683fa1bc5f3b62cdc829b6f990fb2570455a6f1c3a7c81e117499065520c24325700cccaf
-
SSDEEP
98304:Xm27HCFxPcIIqb9tIKdgEezl6nW1WIxV2UBPB3VsYT:XmHbPcIIqb9u15zl6nW1WA2rYT
Behavioral task
behavioral1
Sample
Document.pdf.scr
Resource
win10v2004-20220812-de
Malware Config
Extracted
redline
web
62.204.41.139:25190
-
auth_value
2b0495835b75f494572b5792f0b7a9e1
Targets
-
-
Target
Document.pdf.scr
-
Size
700.0MB
-
MD5
42a123d2a8c6b9bf813d4ba30c6f7339
-
SHA1
020db224e295b652601f34b1b5284f3ad6bdf22f
-
SHA256
4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af
-
SHA512
aec4d9c6c9255ad4764a737bb38f68e525d95d38d634e286100c896683fa1bc5f3b62cdc829b6f990fb2570455a6f1c3a7c81e117499065520c24325700cccaf
-
SSDEEP
98304:Xm27HCFxPcIIqb9tIKdgEezl6nW1WIxV2UBPB3VsYT:XmHbPcIIqb9u15zl6nW1WA2rYT
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-