General

  • Target

    b55d17a7ba13c5b1024973b993dace7b7c87feaa43053e30f90a5afa4f11a756

  • Size

    916KB

  • Sample

    231111-b4k5baef32

  • MD5

    25ab23580ea651b45d65088a0abc2592

  • SHA1

    34c32dff006313bd8396f7cc8070e06754439315

  • SHA256

    b55d17a7ba13c5b1024973b993dace7b7c87feaa43053e30f90a5afa4f11a756

  • SHA512

    d1994913f8d978a75c1d998eaf3e6d198304cf9c191ab6aed74db3d391614e1813823262133a284fdcc60a88b6142170e43c725df217eda849e4623af1cd8cfc

  • SSDEEP

    12288:xMrOy90oK4Ic0NldHfcaex4IC5upCPHG6QPLvTMXiYQpDrsS7lBB+YsBwHG/TX8O:3y9IT50aeuIsKC/GxLYDkcPCWT

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks