General

  • Target

    fdbb6cbf71169ef6a8900ee146b910ffea87fc6cd2109917e151b0f4dc6fcec4

  • Size

    917KB

  • Sample

    231111-abprcsba7w

  • MD5

    e8bcaee44673beb5538965efab23e5b5

  • SHA1

    ec65599ab8bb6728a652581bd32dc0ac2d3b0b54

  • SHA256

    fdbb6cbf71169ef6a8900ee146b910ffea87fc6cd2109917e151b0f4dc6fcec4

  • SHA512

    3cbc38fab14d70f6c903eb4a3855db125c08875e51c04061891640e6617105eec9ff25c412f0014c0346e37bddbdda10fcbe2f1f8684da9b4396b4c081dfd2d3

  • SSDEEP

    24576:XyJUrHvKTzJYuaeuIsaC/G5LYDQdSeEHSok9O:iJUrPKC3et9EGScS6

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      fdbb6cbf71169ef6a8900ee146b910ffea87fc6cd2109917e151b0f4dc6fcec4

    • Size

      917KB

    • MD5

      e8bcaee44673beb5538965efab23e5b5

    • SHA1

      ec65599ab8bb6728a652581bd32dc0ac2d3b0b54

    • SHA256

      fdbb6cbf71169ef6a8900ee146b910ffea87fc6cd2109917e151b0f4dc6fcec4

    • SHA512

      3cbc38fab14d70f6c903eb4a3855db125c08875e51c04061891640e6617105eec9ff25c412f0014c0346e37bddbdda10fcbe2f1f8684da9b4396b4c081dfd2d3

    • SSDEEP

      24576:XyJUrHvKTzJYuaeuIsaC/G5LYDQdSeEHSok9O:iJUrPKC3et9EGScS6

    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks