redline | 22e5aacab6918829218df63091a135a253f7da19bd61277e2f0830ff40c3cb31 | Triage

Submit
Reports

Overview

overview

Static

static

1

Payment_Ad...df.lnk

windows7-x64

8

Payment_Ad...df.lnk

windows10-2004-x64

Sharing

General

Target

29112024_1424_Payment_Advice_HSBC_Swift_Copy.pdf.lnk.zip
Size

1KB
Sample

241129-rvtm4avmbp
MD5

84c6d39886017a912d3a45d02f73bcd4
SHA1

69da3a478cdb3949995846078f78971480182882
SHA256

22e5aacab6918829218df63091a135a253f7da19bd61277e2f0830ff40c3cb31
SHA512

38368c60617aa696b6f8a639002f3ac02a3ad160e0d2dcf218353d6d2068acae1e956e4074e4607903478a59e7e3624051a9079a1f4ed798e152211b22b6cca4

Score

10^/10

redline cheat discovery execution infostealer

Static task

static1

Behavioral task

behavioral1

Sample

Payment_Advice_HSBC_Swift_Copy.pdf.lnk

Resource

win7-20240903-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

Payment_Advice_HSBC_Swift_Copy.pdf.lnk

Resource

win10v2004-20241007-en

redline cheat discovery execution infostealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

41.216.183.218:1912

Targets

- Target
  
  Payment_Advice_HSBC_Swift_Copy.pdf.lnk
- Size
  
  3KB
- MD5
  
  b34d7dcf2fd1a08025934b2b3b60c4d3
- SHA1
  
  2d892b1de088baed8ae4df89536b7e197ea7d83e
- SHA256
  
  b488b9f29cb8897a1854ca1ec2e943c99ab6724a825bfedf5485f147be6a9387
- SHA512
  
  03bcf8eb554b5fcab7f843f3841c20a2a008d3dbdc5904577935122ff2c1fd86c975d9aaec6faaf9ed36354af663deaba39901fe4da700c74e8c4cead605cacd
Score

10^/10

execution redline cheat discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

redlinecheatdiscoveryexecutioninfostealer

© 2018-2025

Terms | Privacy