General

  • Target

    7d99eb634d001b9dc8667d34cf8f0ae1a067e69dbd366e63af156a592017d254

  • Size

    943KB

  • Sample

    231011-pwngcsgb8v

  • MD5

    5228a8bbf28b3d0b59d1f63846066256

  • SHA1

    1fff8f5cb0502ac4cdfdc52daafe8b26f2fd0137

  • SHA256

    7d99eb634d001b9dc8667d34cf8f0ae1a067e69dbd366e63af156a592017d254

  • SHA512

    0dd1d3c00fc682d329f0d07ff62758cfa6dd3f8e4015cfc7d14b3464374001df380cce47c078a13e60b15557c81006ddebc326c147cacd25629e5a80933c0633

  • SSDEEP

    24576:3y6sKOjkU35UmAbs98lWhgN8FPomRL+WOLKHh6:CvKOHpPAY98Z2gmZYa

Malware Config

Extracted

Family

redline

Botnet

leron

C2

77.91.124.55:19071

Attributes
  • auth_value

    1526055fa49b4ee6ca758d6d9d5395c9

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Extracted

Family

mystic

C2

http://5.42.92.211/loghub/master

Targets

    • Target

      7d99eb634d001b9dc8667d34cf8f0ae1a067e69dbd366e63af156a592017d254

    • Size

      943KB

    • MD5

      5228a8bbf28b3d0b59d1f63846066256

    • SHA1

      1fff8f5cb0502ac4cdfdc52daafe8b26f2fd0137

    • SHA256

      7d99eb634d001b9dc8667d34cf8f0ae1a067e69dbd366e63af156a592017d254

    • SHA512

      0dd1d3c00fc682d329f0d07ff62758cfa6dd3f8e4015cfc7d14b3464374001df380cce47c078a13e60b15557c81006ddebc326c147cacd25629e5a80933c0633

    • SSDEEP

      24576:3y6sKOjkU35UmAbs98lWhgN8FPomRL+WOLKHh6:CvKOHpPAY98Z2gmZYa

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Tasks