General

  • Target

    6518b4d22d03d65c0498dcd55bd516d5174ce6d50f19f6d793c99c7e5b3c4b0e

  • Size

    1.3MB

  • Sample

    231111-gsqtbadc67

  • MD5

    562e741db6dea71097e78ec26df4dfe5

  • SHA1

    3665d7ad07da03231886bca3263019dff7cacf82

  • SHA256

    6518b4d22d03d65c0498dcd55bd516d5174ce6d50f19f6d793c99c7e5b3c4b0e

  • SHA512

    84ce04dcacb69d4b05e958f214c72ff74eec601bf41a1f24501a494877a35de52c36f911a2788b94dfac072a594866edf3e18064abad3d4531ca2106e3192153

  • SSDEEP

    24576:tym4F4yXUon3S0N+YaerIsRC2GS1PDkI3f7Uy1vgJbef/UliJtYfMsJg1JwmE:ImjyXUonTQBek2PGgJf7Uy1vgJb8/UlI

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Target

      6518b4d22d03d65c0498dcd55bd516d5174ce6d50f19f6d793c99c7e5b3c4b0e

    • Size

      1.3MB

    • MD5

      562e741db6dea71097e78ec26df4dfe5

    • SHA1

      3665d7ad07da03231886bca3263019dff7cacf82

    • SHA256

      6518b4d22d03d65c0498dcd55bd516d5174ce6d50f19f6d793c99c7e5b3c4b0e

    • SHA512

      84ce04dcacb69d4b05e958f214c72ff74eec601bf41a1f24501a494877a35de52c36f911a2788b94dfac072a594866edf3e18064abad3d4531ca2106e3192153

    • SSDEEP

      24576:tym4F4yXUon3S0N+YaerIsRC2GS1PDkI3f7Uy1vgJbef/UliJtYfMsJg1JwmE:ImjyXUonTQBek2PGgJf7Uy1vgJb8/UlI

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks