General

  • Target

    19eed6c3ac5c6c5a57fb956221ce894abd813a1ffd571b2bbbf57dcb2d3eb8e2

  • Size

    920KB

  • Sample

    231111-gr4nsadc48

  • MD5

    dbc9ce44e2abc61c8a64e8dc24d6c29f

  • SHA1

    86cfc11ba32867435dd8f4698cc51224aba6ce02

  • SHA256

    19eed6c3ac5c6c5a57fb956221ce894abd813a1ffd571b2bbbf57dcb2d3eb8e2

  • SHA512

    f193c4104a3ad2b4d4013a1b135fef3cd3742cc046022ab3ee99c026aa46b5c626f1e2ec891c2d30089a29f9d930417128bce676035d94abcd75ce359911d241

  • SSDEEP

    24576:6yVxsHjbC5caeuIseC/GRLYDEjhIFf81ZM:B7JletJEGKYWU

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15