Overview

overview

10

Static

static

3

NEAS.2f1d1...80.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEAS.2f1d19f90db1a28d3c016371b2827e80.exe

  • Size

    399KB

  • Sample

    231031-ksx46sbf4s

  • MD5

    2f1d19f90db1a28d3c016371b2827e80

  • SHA1

    978c6313505dcd7ec1a86dbbb3ca8f40a0d9db13

  • SHA256

    9bd64380f9fc0adef717f8f104d2ee9917a798a9d4ac1034fa716ac47ff08dce

  • SHA512

    3b7a8cbe80109dc9b97e5c54e5bb1288017bfe41d765c4d865a88584815ee1ffdf44b092672f78bcf16fae6cc96fe14370051e29cc70495e80a01dc4161331ee

  • SSDEEP

    6144:Kpy+bnr+Z1p0yN90QEHOoHZHQUEn7epJEGb8r2gxhWoqnrRa2uADXwJIExqrlRvi:nMrDy90RhK7g9b0FHOnNXgy/pt1M

Score
10/10
mysticredlinegruhainfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Targets

    • Target

      NEAS.2f1d19f90db1a28d3c016371b2827e80.exe

    • Size

      399KB

    • MD5

      2f1d19f90db1a28d3c016371b2827e80

    • SHA1

      978c6313505dcd7ec1a86dbbb3ca8f40a0d9db13

    • SHA256

      9bd64380f9fc0adef717f8f104d2ee9917a798a9d4ac1034fa716ac47ff08dce

    • SHA512

      3b7a8cbe80109dc9b97e5c54e5bb1288017bfe41d765c4d865a88584815ee1ffdf44b092672f78bcf16fae6cc96fe14370051e29cc70495e80a01dc4161331ee

    • SSDEEP

      6144:Kpy+bnr+Z1p0yN90QEHOoHZHQUEn7epJEGb8r2gxhWoqnrRa2uADXwJIExqrlRvi:nMrDy90RhK7g9b0FHOnNXgy/pt1M

    Score
    10/10
    mysticredlinegruhainfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks