General

  • Target

    NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exe

  • Size

    1.2MB

  • Sample

    231007-q5qthsch2v

  • MD5

    7a37d9200f1b26ef38d83fc8bab95593

  • SHA1

    805048f58107db04ecb7fb403a31132adb8d72bf

  • SHA256

    df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a

  • SHA512

    170043c934432aa19938f312f3ab83a13561794c9514e19f6610122aa6ac07a80baaf0496eaaa497e92d1006be3c31f4e2a7d8b3a6eacafc3b862d4dd0e6b8bb

  • SSDEEP

    24576:xyu7A5IXxBE1i1pHeD+6ryVXA8u7+SAoZl+2tf9J4VD:kuA5IBWo1pH+YZuq1W+F

Malware Config

Extracted

  • Family

    redline

  • Botnet

    gigant

  • C2

    77.91.124.55:19071

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1

      Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1

      Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 1

Tasks