General

  • Target: 4d391e074f1507b415e7f6c5b0102ba70ec17897a12bddebb66f6536d0ef1e66
  • Size: 1.3MB
  • Sample: 231111-amqssscc92
  • MD5: 36083e6ad1739776e36baea76d61defa
  • SHA1: 0e6066143718973f41b4fa35c0720ba3e359b7f7
  • SHA256: 4d391e074f1507b415e7f6c5b0102ba70ec17897a12bddebb66f6536d0ef1e66
  • SHA512: d72328ea4219cac233ab299cfbf9b4dd50621504c65f6f875b691073f70814c4fb4aa759868217d736fbd2afd61278d03f69c27005944e83399b89b892da235d
  • SSDEEP: 24576:Ny39dIuaz+IZlIaeiIsiCSGZz4Dr825mWnLTLaJ0BUpDlxdrquTeYUZT4vwvJbLq:o39Naz+Gxe5/DG2025mWnLPe0VMU54vu

Malware Config

Extracted

  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057

Targets

    • Target: 4d391e074f1507b415e7f6c5b0102ba70ec17897a12bddebb66f6536d0ef1e66

    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15