General

  • Target

    a5a37dbf68a7dc0698d89bd890957bad.bin

  • Size

    466KB

  • Sample

    231111-cfl75sfb76

  • MD5

    664c74835f471d54cfdf8ce797afc426

  • SHA1

    28dc9f1d4081c6f5381cbdeeed2dc60ea2abf982

  • SHA256

    095a1ab827af4c4e9db294d6173dea53dcf65445262de4f247a2f24fc19f6b29

  • SHA512

    1b36b14c125573d96a7e645d70bc9915433aa75a4bb8d49f792c691bec99dd27e0cd9d23b14d5dae09b20d420350985e1ca7eb7db19ccd8b9a5236c50e201912

  • SSDEEP

    6144:JsBi1XZFQzolP15LcjQofgPrfk6palD+hvjOUWkUqXO3vFt3wR05URtrbEgqvgGn:aYPvlCXm2+hUPF1AR5bfOgApGk1zEb0

Malware Config

  • Extracted

    • Family

      redline

    • Botnet

      taiga

    • C2

      5.42.92.51:19057

Targets

    • Target

      28632e6e159d1429a42d13b41801762d0e402bd2534a37ea547d6a12054d6151.bin

    • Size

      511KB

    • MD5

      a5a37dbf68a7dc0698d89bd890957bad

    • SHA1

      fd87d30daadf2e5f46e4e86e1dba7a8067787d56

    • SHA256

      28632e6e159d1429a42d13b41801762d0e402bd2534a37ea547d6a12054d6151

    • SHA512

      2e28a757f64aa2ed701733868ce02ff7d685aae0827bd25d7524265f6a9037853d1f20fb602203ed8fa4f3a8c2cb0073b41a0b5550e6b1d7a896bee994ac4de4

    • SSDEEP

      12288:AMrby90v3fCeHaoe2bmTe/gs981kUd8syLn35kPmpZk6t0roU1d:LyQ3qe6WbEe/gs98VyrJTvR0z1d

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks