General

  • Target: 7dd204fcc12430937185c9453119c3f8.bin
  • Size: 467KB
  • Sample: 231111-b75m5aeg72
  • MD5: bdee16d46d5f69d136bc937b7be89692
  • SHA1: 5a220bd4b3b9437b02a41ef015111d2a80048fd1
  • SHA256: 5b74ae6aba7867062c9b25377d8b0ac4b7abc33a28c0f3e12930ad74d90dc054
  • SHA512: 9ceb04d7aedcd0455abaaa3961f9c8197410c58cb44764e7ae92ce9794206d197eda77d07fce772394d68ad14183df20890772b82f47807b78f25ca1df175c08
  • SSDEEP: 12288:hPpvEivoEJWmx/VqOb1itT+NJiE94DP3lyq/vOlT9:VpvEoz/ritT+LKrlFYB

Malware Config

Extracted

Family: redline
Botnet: taiga
C2: 5.42.92.51:19057
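The extracted config and the file hashes are the actionable part of this report. The following is an added example (my own code, not Triage's and not code from the sample) that turns them into something a responder can run: it validates the C2 string the sandbox extracted, hashes a file with the same algorithms the report lists, compares against the report's digests, and emits a Suricata rule for the C2 endpoint. The digests and C2 are copied from this page; the rule text and the bytes hashed in the usage section are my own assumptions and stand-ins.

```python
r"""IOC matcher for the RedLine config and hashes in this report.

Added example, not Triage's own code. The digests and the C2 endpoint are
copied from the report above; the bytes hashed under __main__ are a
constructed stand-in, not the real sample.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from pathlib import Path

# Hashes copied verbatim from the General and Targets sections of the report.
REPORT_HASHES = {
    "md5": {
        "bdee16d46d5f69d136bc937b7be89692",
        "7dd204fcc12430937185c9453119c3f8",
    },
    "sha1": {
        "5a220bd4b3b9437b02a41ef015111d2a80048fd1",
        "14faa6ad329ac195d9bd9b7bae5b8ed638f52732",
    },
    "sha256": {
        "5b74ae6aba7867062c9b25377d8b0ac4b7abc33a28c0f3e12930ad74d90dc054",
        "c4cbf7a8ca90df698d3ebc4580e1f0b73aca2ef45e3748c019af83e8d3057dfc",
    },
}
# C2 endpoint from the Malware Config section of the report.
REPORT_C2 = "5.42.92.51:19057"


@dataclass(frozen=True)
class C2:
    host: str
    port: int


def parse_c2(value: str) -> C2:
    """Split the sandbox's 'host:port' string and validate both halves."""
    host, sep, port = value.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {value!r}")
    ipaddress.ip_address(host)          # raises ValueError if host is not an IP literal
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port_num}")
    return C2(host, port_num)


def hash_bytes(data: bytes) -> dict[str, str]:
    """Compute the digests the report lists (SSDEEP needs a third-party lib and is skipped)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def match_hashes(digests: dict[str, str]) -> set[str]:
    """Return the algorithms whose digest matches one of the report's IOCs."""
    return {
        algo for algo, hexdigest in digests.items()
        if hexdigest.lower() in REPORT_HASHES.get(algo, set())
    }


def scan_file(path: str) -> set[str]:
    """Hash a file on disk and report which of the report's digests it matches."""
    return match_hashes(hash_bytes(Path(path).read_bytes()))


def suricata_rule(c2: C2, sid: int) -> str:
    """Emit a Suricata rule for traffic to the C2 (rule wording is my assumption; tune msg/sid locally)."""
    return (
        f"alert tcp $HOME_NET any -> {c2.host} {c2.port} "
        f'(msg:"RedLine botnet taiga C2 {c2.host}:{c2.port}"; '
        f"flow:to_server,established; classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    c2 = parse_c2(REPORT_C2)
    print(suricata_rule(c2, 9000001))
    # Constructed stand-in bytes: no match is expected against the report's digests.
    print(match_hashes(hash_bytes(b"not the sample")))
```

Matching on SHA256 alone is enough for blocking; the MD5 and SHA1 sets are kept because older EDR and mail-gateway consoles still search on them. Note that the outer file's name on this page is the MD5 of the inner target, so a hit on either digest set points at the same infection chain.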

Targets

    • Target: c4cbf7a8ca90df698d3ebc4580e1f0b73aca2ef45e3748c019af83e8d3057dfc.bin
    • Size: 511KB
    • MD5: 7dd204fcc12430937185c9453119c3f8
    • SHA1: 14faa6ad329ac195d9bd9b7bae5b8ed638f52732
    • SHA256: c4cbf7a8ca90df698d3ebc4580e1f0b73aca2ef45e3748c019af83e8d3057dfc
    • SHA512: 478350d4cd519cdbd1a6cf1b7428fdc0aaa5f4e13f3fe34af2a0842e94df3a2cf012d1a8b69ccd1cd9dcd27992cf99b636fef1f47df3079990a1fbed66544eb4
    • SSDEEP: 12288:OMr/y90LVLzOinDPw3rM8LFY8TUs2auF+4+wSRvFcL5GqPRqDHg:5yc2iD2rRFYSz2au4USVmgqZqjg

    • Detect Mystic stealer payload
    • Mystic: Mystic is an infostealer written in C++.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
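The four behavioural signatures above (location check, dropped-EXE execution, Run-key persistence, SetThreadContext) are each a pattern over the API trace the sandbox recorded. As an added example, not Triage's signature engine and not derived from this sample's trace, the block below re-implements those four checks over a constructed API trace in a made-up `key=value` line format. The paths, pids and the registry key used for the country-code lookup (`Control Panel\International\Geo`, my assumption about what "country code configured in the registry" refers to) are not taken from this report, and the SetThreadContext heuristic (suspended child, cross-process SetThreadContext, then ResumeThread) is my own choice of what "suspicious" means.

```python
r"""Re-derive the behavioural signatures listed in the report from an API trace.

Added example, not Triage's signature engine. TRACE is constructed; the pids,
paths and the Geo registry key are assumptions, not data from this sample.
"""
import re
from collections import defaultdict

# Constructed trace: one API call per line, key=value fields, quoted when they contain spaces.
TRACE = r'''
pid=3120 api=RegQueryValueExW key="HKCU\Control Panel\International\Geo" value="Nation"
pid=3120 api=NtWriteFile path="C:\Users\victim\AppData\Local\Temp\upd.exe" size=523264
pid=3120 api=RegSetValueExW key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value="upd" data="C:\Users\victim\AppData\Local\Temp\upd.exe"
pid=3120 api=CreateProcessW image="C:\Users\victim\AppData\Local\Temp\upd.exe" flags=0x0
pid=4488 api=CreateProcessW image="C:\Windows\System32\notepad.exe" flags=0x4
pid=4488 api=WriteProcessMemory target_pid=5012
pid=4488 api=SetThreadContext target_pid=5012
pid=4488 api=ResumeThread target_pid=5012
'''

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
GEO_KEY = r"control panel\international\geo"   # assumption: where the country code lives
CREATE_SUSPENDED = 0x4                          # CreateProcess dwCreationFlags bit


def parse_trace(text: str) -> list[dict]:
    """Turn the key=value lines into dicts; pid becomes an int, everything else stays a string."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = {k: (q if q else u) for k, q, u in TOKEN.findall(line)}
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def run_key_persistence(events):
    """'Adds Run key to start application': any value written under a Run key."""
    return [e for e in events
            if e["api"] == "RegSetValueExW" and RUN_KEY in e.get("key", "").lower()]


def location_check(events):
    """'Checks computer location settings': a read of the (assumed) Geo key."""
    return [e for e in events
            if e["api"].startswith("RegQueryValueEx") and GEO_KEY in e.get("key", "").lower()]


def dropped_exe_execution(events):
    """'Executes dropped EXE': CreateProcess on a path some traced process wrote earlier."""
    written = defaultdict(set)          # lower-cased path -> pids that wrote it
    hits = []
    for e in events:
        if e["api"] in ("NtWriteFile", "WriteFile") and "path" in e:
            written[e["path"].lower()].add(e["pid"])
        elif e["api"] == "CreateProcessW" and e.get("image", "").lower() in written:
            hits.append(e)
    return hits


def suspicious_setthreadcontext(events):
    """'Suspicious use of SetThreadContext' (my heuristic): a process creates a
    suspended child, sets a thread context in another process, then resumes it."""
    suspended_by, ctx_set, hits = set(), set(), []
    for e in events:
        if e["api"] == "CreateProcessW" and int(e.get("flags", "0"), 16) & CREATE_SUSPENDED:
            suspended_by.add(e["pid"])
        elif (e["api"] == "SetThreadContext" and e["pid"] in suspended_by
              and int(e.get("target_pid", e["pid"])) != e["pid"]):
            ctx_set.add(e["pid"])
        elif e["api"] == "ResumeThread" and e["pid"] in ctx_set:
            hits.append(e)
    return hits


SIGNATURES = {
    "Adds Run key to start application": run_key_persistence,
    "Checks computer location settings": location_check,
    "Executes dropped EXE": dropped_exe_execution,
    "Suspicious use of SetThreadContext": suspicious_setthreadcontext,
}


def match_signatures(text: str) -> dict[str, int]:
    """Return {signature name: number of matching events} for signatures that fired."""
    events = parse_trace(text)
    fired = {name: len(fn(events)) for name, fn in SIGNATURES.items()}
    return {name: n for name, n in fired.items() if n}


if __name__ == "__main__":
    for name, count in match_signatures(TRACE).items():
        print(f"{name}: {count} event(s)")
```

The ordering inside `suspicious_setthreadcontext` matters: a SetThreadContext on the caller's own threads (exception handling, debuggers) is benign, so the rule only counts cross-process calls from a process that has already spawned a suspended child, and only fires once that child is resumed. Real sandbox signatures are usually looser than this; tighten or loosen the heuristic to match the false-positive rate you can tolerate.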

MITRE ATT&CK Enterprise v15

Tasks