General

  • Target

    NEAS.4263b0d330ce65e7861edfd863576c30_JC.exe

  • Size

    600KB

  • Sample

    231018-2ncq4scb7x

  • MD5

    4263b0d330ce65e7861edfd863576c30

  • SHA1

    6c6e14f010b7ad9d33aac1530909ce9dd2d9184b

  • SHA256

    3e2152014824a6561c2a48c29926c44d393465b43dc8f86a3e65c00b9252ee5f

  • SHA512

    5b28c2bfec61d8b013cc3531285242e68ebbb827cdb694bd49398b071d6f3b7247113a49860bb133cffd17cbba859802d3a57e1ad21a2fe5008959d7d6a2fbb6

  • SSDEEP

    12288:rMrey90cokvsank6p+oqH+hqpgmFxYXXNWsD0vl0MQC2rMx22E0:Zy/sJ+vmFxYnNr090MQCpxJE0

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes

  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Targets

    • Target

      NEAS.4263b0d330ce65e7861edfd863576c30_JC.exe

    • Detect Mystic stealer payload

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process: T1543 (1)

  • Windows Service: T1543.003 (1)

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

Privilege Escalation

  • Create or Modify System Process: T1543 (1)

  • Windows Service: T1543.003 (1)

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

Defense Evasion

  • Modify Registry: T1112 (2)

  • Impair Defenses: T1562 (1)

  • Disable or Modify Tools: T1562.001 (1)

Tasks