General

  • Target

    02edbc4a7fd4388e91c08cc51e3bb70422cb0547c651577e126c41e04bb5386e

  • Size

    1.3MB

  • Sample

    231111-ge8f7sch44

  • MD5

    2d54fd6571f4b4d044ff3d0527d76b6d

  • SHA1

    4a0b5ce326dcfbcffa7cee7bd4e0044a87e0bd08

  • SHA256

    02edbc4a7fd4388e91c08cc51e3bb70422cb0547c651577e126c41e04bb5386e

  • SHA512

    ea36400ddfdbda9d39d83f790df70caf869ba98cc5d209a5c28500c10a010b64beac595f9fdc00fb787988d32b261499647f18456a9089361f6435459d9366c0

  • SSDEEP

    24576:gyn8CbOTUHtW+YaeUIs3CjGvMnDTfJJz+DqV/lqlYKRTDSp1XA3sy1AE6rcfQ:nJOTUHtWmezWiGyXlV/lqeeapUUcf

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Target

      02edbc4a7fd4388e91c08cc51e3bb70422cb0547c651577e126c41e04bb5386e

    • Size

      1.3MB

    • MD5

      2d54fd6571f4b4d044ff3d0527d76b6d

    • SHA1

      4a0b5ce326dcfbcffa7cee7bd4e0044a87e0bd08

    • SHA256

      02edbc4a7fd4388e91c08cc51e3bb70422cb0547c651577e126c41e04bb5386e

    • SHA512

      ea36400ddfdbda9d39d83f790df70caf869ba98cc5d209a5c28500c10a010b64beac595f9fdc00fb787988d32b261499647f18456a9089361f6435459d9366c0

    • SSDEEP

      24576:gyn8CbOTUHtW+YaeUIs3CjGvMnDTfJJz+DqV/lqlYKRTDSp1XA3sy1AE6rcfQ:nJOTUHtWmezWiGyXlV/lqeeapUUcf

    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks