General

  • Target

    2cc708f3d55601725c84f96a09757160.bin

  • Size

    470KB

  • Sample

    231111-bq4dqsea56

  • MD5

    e9e8db2980b906d79e94d70012495d7f

  • SHA1

    a247ee412de2ff7de2b23c2b6ba68feeacf6e8e1

  • SHA256

    41a9983709d78c2d85a184a2282a1ceb0c3296211459fd337dfab7c0bcc2e48a

  • SHA512

    989df06f41a3bfc9bb0abe10b4eb75d974d539183c5b4a7860725be23891e1a5962d0db798119add77ad204c19660f79a58b77092dfc41f477bc98fd69e79a71

  • SSDEEP

    12288:6Hux9pW8SB2+VX+4n1s8MchUasQwabaBcOwB5L/mbpJC:6Hulw2+1Ffndojhw7/mNJC

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Target

      ef19502103975d722d4e7e31efa10e138b033507c9b3ffa65a60566220314f72.bin

    • Size

      514KB

    • MD5

      2cc708f3d55601725c84f96a09757160

    • SHA1

      7be5de8be61fcea3af1a75bcec06c6a4d40049c2

    • SHA256

      ef19502103975d722d4e7e31efa10e138b033507c9b3ffa65a60566220314f72

    • SHA512

      148091db02a03991501e0ed2e9d347a969ede8aaaa61161ed2d8af2469d57c9ab3fd85f91358f7aebce3a343459ded7c1991dcec2cb99144368ff2b5f3b3f956

    • SSDEEP

      12288:rMrJy90O2JydXHUDXcOCmymAR9xRcqZgZCmgDBSFeZJ:CyV0cOhymAR9zR0uDcFeZJ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks