General

  • Target: 7de2783e85f4cd2539dc17a357eff79e97d34a8a1e07e3ceea2c905d1bee9f6d
  • Size: 1.3MB
  • Sample: 231110-3vdgnaag2t
  • MD5: 0cb9522a1feba5a7aa5e9cf395717553
  • SHA1: 1ec6688a71621a04aeb427ea948fb7d5a22de28c
  • SHA256: 7de2783e85f4cd2539dc17a357eff79e97d34a8a1e07e3ceea2c905d1bee9f6d
  • SHA512: 5013cb6cd34ca440b4897eaf1dd7f2d864417c90b7c65cd528715f9775c2553900e71e38272e5ca72e56474a1723188154cd8632a7f6531ba727d92894f82553
  • SSDEEP: 24576:ry+BS01Br7aeMIsPCbGH6vDn1ng+xjqHNi1T/ShPyRen0wjFQPf:e+BND+e7w6G6RngmjENi1zS4ReOP

Malware Config

Extracted

  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057

Targets

    • Detect Mystic stealer payload
    • Detected Google phishing page
    • Mystic: Mystic is an infostealer written in C++.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings: looks up the country code configured in the registry, likely used as a geofence.
    • Executes dropped EXE
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • AutoIT Executable: AutoIT scripts compiled to PE executables.
    • Detected potential entity reuse from brand PayPal.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15