General

  • Target

    NEAS.2f1d19f90db1a28d3c016371b2827e80.exe

  • Size

    399KB

  • Sample

    231031-ksx46sbf4s

  • MD5

    2f1d19f90db1a28d3c016371b2827e80

  • SHA1

    978c6313505dcd7ec1a86dbbb3ca8f40a0d9db13

  • SHA256

    9bd64380f9fc0adef717f8f104d2ee9917a798a9d4ac1034fa716ac47ff08dce

  • SHA512

    3b7a8cbe80109dc9b97e5c54e5bb1288017bfe41d765c4d865a88584815ee1ffdf44b092672f78bcf16fae6cc96fe14370051e29cc70495e80a01dc4161331ee

  • SSDEEP

    6144:Kpy+bnr+Z1p0yN90QEHOoHZHQUEn7epJEGb8r2gxhWoqnrRa2uADXwJIExqrlRvi:nMrDy90RhK7g9b0FHOnNXgy/pt1M

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Targets

    • Target

      NEAS.2f1d19f90db1a28d3c016371b2827e80.exe

    • Detect Mystic stealer payload (signature match; the extracted configuration above is RedLine, so this sample matches signatures for both families)

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Adds Run key to start application (T1547.001, Registry Run Keys)

    • Suspicious use of SetThreadContext (an API commonly used to redirect execution inside a hollowed or injected process)
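
One way to turn the indicators in this report (sample hashes, the RedLine C2 77.91.124.55:19071, and the Run-key persistence behind T1547.001) into a hunt over endpoint telemetry. This is an added example, not part of the sandbox report or of any vendor tooling. It assumes Sysmon-style records as plain dicts (EventID 1 process creation with a Hashes field, 3 network connection, 13 registry value set); the events below are constructed for the example, not taken from the run. The SetThreadContext signature has no direct Sysmon event and is not covered here.

```python
import re
from dataclasses import dataclass

# Indicators copied from this report.
SAMPLE_MD5 = "2f1d19f90db1a28d3c016371b2827e80"
SAMPLE_SHA256 = "9bd64380f9fc0adef717f8f104d2ee9917a798a9d4ac1034fa716ac47ff08dce"
C2_IP, C2_PORT = "77.91.124.55", 19071

# Autostart locations behind the "Adds Run key" signature (T1547.001).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Hit:
    rule: str       # short name of the matched indicator
    technique: str  # ATT&CK ID from the report, or "ioc" for an atomic indicator
    record_id: int  # index of the offending event in the input list


def parse_sysmon_hashes(field: str) -> dict:
    """Turn Sysmon's 'MD5=..,SHA256=..' Hashes field into {ALGO: lowercase hex}."""
    hashes = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def hunt(events: list) -> list:
    """Return one Hit per event that matches an indicator from the report."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # process creation: match the sample by file hash
            h = parse_sysmon_hashes(ev.get("Hashes", ""))
            if h.get("MD5") == SAMPLE_MD5 or h.get("SHA256") == SAMPLE_SHA256:
                hits.append(Hit("sample executed (hash match)", "ioc", i))
        elif eid == 3:  # network connection: match the extracted C2 endpoint
            if ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
                hits.append(Hit("connection to RedLine C2", "ioc", i))
        elif eid == 13:  # registry value set: Run-key persistence
            if RUN_KEY_RE.search(ev.get("TargetObject", "")):
                hits.append(Hit("Run key persistence", "T1547.001", i))
    return hits


# Constructed Sysmon-style events for the example (paths, SID and the benign
# destination are made up; the hashes and C2 come from the report).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\u\Downloads\NEAS.2f1d19f90db1a28d3c016371b2827e80.exe",
     "Hashes": "SHA1=978c6313505dcd7ec1a86dbbb3ca8f40a0d9db13,"
               "MD5=2f1d19f90db1a28d3c016371b2827e80,"
               "SHA256=9bd64380f9fc0adef717f8f104d2ee9917a798a9d4ac1034fa716ac47ff08dce"},
    {"EventID": 3,
     "Image": r"C:\Users\u\Downloads\NEAS.2f1d19f90db1a28d3c016371b2827e80.exe",
     "DestinationIp": "77.91.124.55", "DestinationPort": "19071"},
    {"EventID": 13,
     "Image": r"C:\Users\u\AppData\Local\Temp\dropped.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\dropped"},
    {"EventID": 3,  # benign traffic that must not fire
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.technique}] {h.rule} (event #{h.record_id})")
```

The Run-key regex deliberately ignores the hive prefix so it matches both HKCU and HKLM paths as Sysmon reports them; the hash check is exact and therefore misses repacked builds, which is where the report's SSDEEP value (needs the ssdeep library, not used here) would come in.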

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (T1547): 1 hit
    • Registry Run Keys / Startup Folder (T1547.001): 1 hit

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1 hit
    • Registry Run Keys / Startup Folder (T1547.001): 1 hit

Defense Evasion
  • Modify Registry (T1112): 1 hit
