General

  • Target

    1d2ee107e4a2a6b2a23a6bf34d494d5d087517d46e01ca043172c144ae779930

  • Size

    1.3MB

  • Sample

    231111-gzjnkscd2t

  • MD5

    c0c44e6a8c60c826d07ab9d2f6caa251

  • SHA1

    f48f042bfc5af3ea0c6f3e79f6eeb03ae405c4aa

  • SHA256

    1d2ee107e4a2a6b2a23a6bf34d494d5d087517d46e01ca043172c144ae779930

  • SHA512

    91e33f397b06d09492cade75b4b1ebd040e05b87dd8841036c573f90c31606146727f4d56f02cc709381f7369b446b07439bbb933c4d8d4d1c9b984ab4241a17

  • SSDEEP

    24576:+y2iwXPtYrcNaaeYIsGCiGAK6DobukS6275Eg4CZRqopuJBBqZGoFAnUD:NGtPNzev5LGOqukSTzqUDjFAU

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      1d2ee107e4a2a6b2a23a6bf34d494d5d087517d46e01ca043172c144ae779930

    • Size

      1.3MB

    • MD5

      c0c44e6a8c60c826d07ab9d2f6caa251

    • SHA1

      f48f042bfc5af3ea0c6f3e79f6eeb03ae405c4aa

    • SHA256

      1d2ee107e4a2a6b2a23a6bf34d494d5d087517d46e01ca043172c144ae779930

    • SHA512

      91e33f397b06d09492cade75b4b1ebd040e05b87dd8841036c573f90c31606146727f4d56f02cc709381f7369b446b07439bbb933c4d8d4d1c9b984ab4241a17

    • SSDEEP

      24576:+y2iwXPtYrcNaaeYIsGCiGAK6DobukS6275Eg4CZRqopuJBBqZGoFAnUD:NGtPNzev5LGOqukSTzqUDjFAU

    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks