redline | 6e7e7fa41f88b845214a89e9466cf74b867859847d790991459134da8c178cd2 | Triage

Submit
Reports

Overview

overview

Static

static

7

Document.p...df.scr

windows7-x64

Document.p...df.scr

windows10-2004-x64

Sharing

General

Target

doc_iUuaaWfQCtzs.zip
Size

4.5MB
Sample

220929-kxvvlsbcdj
MD5

a17d2e91606858e2092bbd2e1d7118ce
SHA1

2a6789c5d416253731539c0ff92b1066362d13f9
SHA256

6e7e7fa41f88b845214a89e9466cf74b867859847d790991459134da8c178cd2
SHA512

ad2d307493e9826c00fd8d2d2482b3d59b94b7c6511bfee34a7a97b34494418041c00466c4e704ee3288a2b3d4e2b3264684ec10b0ab9b5efdc886dadc12b9bf
SSDEEP

98304:ns1WXnSCRc2gygrucXONearDwK4ZqKPmujl4zmYX4HLH:s12Jc2lUucXarDxMmDzza

Score

10^/10

redline web agilenet infostealer spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Document.pdf/Document.pdf.scr

Resource

win7-20220812-en

redline web agilenet infostealer spyware

windows7-x64

9 signatures

300 seconds

Behavioral task

behavioral2

Sample

Document.pdf/Document.pdf.scr

Resource

win10v2004-20220812-en

redline web agilenet infostealer spyware

windows10-2004-x64

10 signatures

300 seconds

Malware Config

Extracted

Family

redline

Botnet

web

C2

62.204.41.139:25190

Attributes

auth_value
2b0495835b75f494572b5792f0b7a9e1

Targets

- Target
  
  Document.pdf/Document.pdf.scr
- Size
  
  700.0MB
- MD5
  
  42a123d2a8c6b9bf813d4ba30c6f7339
- SHA1
  
  020db224e295b652601f34b1b5284f3ad6bdf22f
- SHA256
  
  4e5b72658b3ee150f255b726931d387e897d1e5db4f40fbd6a3181e1908671af
- SHA512
  
  aec4d9c6c9255ad4764a737bb38f68e525d95d38d634e286100c896683fa1bc5f3b62cdc829b6f990fb2570455a6f1c3a7c81e117499065520c24325700cccaf
- SSDEEP
  
  98304:Xm27HCFxPcIIqb9tIKdgEezl6nW1WIxV2UBPB3VsYT:XmHbPcIIqb9u15zl6nW1WA2rYT
Score

10^/10

redline web agilenet infostealer spyware
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinewebagilenetinfostealerspyware

behavioral2

redlinewebagilenetinfostealerspyware

© 2018-2024

Terms | Privacy