General

  • Target

    NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe

  • Size

    1.2MB

  • Sample

    231007-q34btscg9s

  • MD5

    475bde55882d471dffce2077b6067cb2

  • SHA1

    7a54de2341ec642deb689677cc9119c89f67639e

  • SHA256

    db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea

  • SHA512

    86dd01b77055d37752673f13b54f7d4e84f562946f53fd5e161c22d7e98c6c1ffc5d0980c6e84985ba249994b382e9e6e90c645ab3448c830d0fdb67a6068bb7

  • SSDEEP

    24576:Yy4dVc+wuEiIMa9pxnHDqv6F9rulsrq1pb1eNfj:f41sNMa9pZDtF9rbrWb1wf

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Targets

    • Target

      NEAS.db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea_JC.exe

    • Size

      1.2MB

    • MD5

      475bde55882d471dffce2077b6067cb2

    • SHA1

      7a54de2341ec642deb689677cc9119c89f67639e

    • SHA256

      db1ca000ab9c6c34c355316ae707d790c1d9c6117d99b1d0ca0c8c178240c8ea

    • SHA512

      86dd01b77055d37752673f13b54f7d4e84f562946f53fd5e161c22d7e98c6c1ffc5d0980c6e84985ba249994b382e9e6e90c645ab3448c830d0fdb67a6068bb7

    • SSDEEP

      24576:Yy4dVc+wuEiIMa9pxnHDqv6F9rulsrq1pb1eNfj:f41sNMa9pZDtF9rbrWb1wf

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Tasks