Overview

overview

10

Static

static

1

Payment_Ad...df.lnk

windows7-x64

8

Payment_Ad...df.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    29112024_1424_Payment_Advice_HSBC_Swift_Copy.pdf.lnk.zip

  • Size

    1KB

  • Sample

    241129-rq5vkazpdx

  • MD5

    84c6d39886017a912d3a45d02f73bcd4

  • SHA1

    69da3a478cdb3949995846078f78971480182882

  • SHA256

    22e5aacab6918829218df63091a135a253f7da19bd61277e2f0830ff40c3cb31

  • SHA512

    38368c60617aa696b6f8a639002f3ac02a3ad160e0d2dcf218353d6d2068acae1e956e4074e4607903478a59e7e3624051a9079a1f4ed798e152211b22b6cca4

Score
10/10
redlinecheatdiscoveryexecutioninfostealer

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

41.216.183.218:1912

Targets

    • Target

      Payment_Advice_HSBC_Swift_Copy.pdf.lnk

    • Size

      3KB

    • MD5

      b34d7dcf2fd1a08025934b2b3b60c4d3

    • SHA1

      2d892b1de088baed8ae4df89536b7e197ea7d83e

    • SHA256

      b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387

    • SHA512

      03bcf8eb554b5fcab7f843f3841c20a2a008d3dbdc5904577935122ff2c1fd86c975d9aaec6faaf9ed36354af663deaba39901fe4da700c74e8c4cead605cacd

    Score
    10/10
    executionredlinecheatdiscoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks