General

  • Target

    NEAS.f1f268a6ddc0a730e96d4055e36efcb910fa5f44969b67b5036f73e841279d2f_JC.exe

  • Size

    1.2MB

  • Sample

    231007-rfhbhsfc86

  • MD5

    573db188ba6b57a4be609b04b41c1eff

  • SHA1

    df6b3ac971f5ec5bd90e2e3618b21f1f1891b468

  • SHA256

    f1f268a6ddc0a730e96d4055e36efcb910fa5f44969b67b5036f73e841279d2f

  • SHA512

    653ec2dda30dcd07bbfdba22de9bb657fc89f93b54e2a076f4f94a8b11cf6b0757085ee26ed5e020fd1ed457fdbf5a92489522ed28b06f661800975be1414d46

  • SSDEEP

    24576:wycEYEc/xZil8422xZ+LkLdofzAE7CRj9N4E:3IEc/zib22HFRIEE7Ct4

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Targets

    • Target

      NEAS.f1f268a6ddc0a730e96d4055e36efcb910fa5f44969b67b5036f73e841279d2f_JC.exe

    • Size

      1.2MB

    • MD5

      573db188ba6b57a4be609b04b41c1eff

    • SHA1

      df6b3ac971f5ec5bd90e2e3618b21f1f1891b468

    • SHA256

      f1f268a6ddc0a730e96d4055e36efcb910fa5f44969b67b5036f73e841279d2f

    • SHA512

      653ec2dda30dcd07bbfdba22de9bb657fc89f93b54e2a076f4f94a8b11cf6b0757085ee26ed5e020fd1ed457fdbf5a92489522ed28b06f661800975be1414d46

    • SSDEEP

      24576:wycEYEc/xZil8422xZ+LkLdofzAE7CRj9N4E:3IEc/zib22HFRIEE7Ct4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Tasks