General

  • Target

    4935c6480c5631dcdf82d0c4d977a003.bin

  • Size

    467KB

  • Sample

    231111-bvzw4sdb91

  • MD5

    11e58b5b5fd587d957225713e3cdc013

  • SHA1

    201ef89bf4f7ea68dc3f9d02a8c353e59afcdec0

  • SHA256

    957329c2f57ebcbc539fc7624c6e993e96c1ec1d2515c0fc54e6023824c9ec46

  • SHA512

    41a85c92f5a1e84d18fb0eb3b6a3536a140954ab1226e85051913c1488c2d1639e25fb7441efe7abe8fc106681c13c62203881913497003dca6318db1cc823ac

  • SSDEEP

    6144:Cn7QhgJOZOa6lLdL5YD3Pw2KySC0HgRu4bY9+I00xi2PUMSVEp2r6qZyg4EeuH41:4vdL5JyKHcJ0xIExql4VV/TySimzgyT

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      0b0aa624ef09f720ef3757abc35c0c1d0fbd24e9a77500132f5d89d99e9f1164.bin

    • Size

      511KB

    • MD5

      4935c6480c5631dcdf82d0c4d977a003

    • SHA1

      064bf5059b728572e0772be8babec625a98ac7e1

    • SHA256

      0b0aa624ef09f720ef3757abc35c0c1d0fbd24e9a77500132f5d89d99e9f1164

    • SHA512

      abb31a0317e99cce531c7d0852423f809263e59e7a48026f4805285a304b28c56b119175c865b81a4cbb916c848dcbd4dd9f109078e23d31c92287ee651e2b3d

    • SSDEEP

      12288:IMr8y90nvhHGe8Mb+EylwXSM8LbY8TUs2Yur+4+wSRIF2/+jjg+HE+:UyyGZMyOS1bYSz2YuCUS+cuU+k+

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks