General

  • Target

    183a73b56b868554d8d8d5909fdd7880f700e18405a97ce7af5b7977181f68aa

  • Size

    919KB

  • Sample

    231111-bx1anaec89

  • MD5

    15c60005a29ad3fa6826d76641b2d658

  • SHA1

    0830e65c7b0dc2b8b1053f1dd9de0369be24241f

  • SHA256

    183a73b56b868554d8d8d5909fdd7880f700e18405a97ce7af5b7977181f68aa

  • SHA512

    0c539cd945b7290c395a92af435835766fd5d990b426a733a249a1d5f43d9fda4b934dc6a0045d82341074f469e924a5dcca30d545746c45bf7f841214a3da23

  • SSDEEP

    24576:tyO6mZLznztaeuIsiC/GnLYD6y9JHlTK/0Xp3nWzI:IO6mZLzzoetLEGsmy9JFuU

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks