General

  • Target

    210d78c17cc90a70f30586a02b0800aab423c75a716827872f13c3eb1778338f

  • Size

    917KB

  • Sample

    231110-266f5sae79

  • MD5

    1c26a062dc36574d47421f47878d257a

  • SHA1

    0de19ccfebf93a4d3afa949e1b548588ed077034

  • SHA256

    210d78c17cc90a70f30586a02b0800aab423c75a716827872f13c3eb1778338f

  • SHA512

    2cf57e7d4f9b2cc10c7fb51ecdab7d6c3bc04311dc1b42843c474d5af0f5cb09640af8dbfc9f411e4b8f78d2402f2f31942fab8166d6eaff26a5a909da7aaa86

  • SSDEEP

    24576:qyDhXQ2saeuIs2C/GZLYDUJZRhVETCFCo4g3:xDhX1etPEGyaHVEGFCo4

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks