General

  • Target

    138c3d9bbc526d0595c0e67ce200e114e317ff2fc8d7d952af44b69d589cc9e8

  • Size

    1.3MB

  • Sample

    231111-h2svpsde26

  • MD5

    2a9827165abb0f70861e5593862e0670

  • SHA1

    25591c5fd680ce47ef9e27244ab1a6d4450bc974

  • SHA256

    138c3d9bbc526d0595c0e67ce200e114e317ff2fc8d7d952af44b69d589cc9e8

  • SHA512

    fb485e444c8d0b5c877846d25cf566601a9e424fde4137da675e39091dd2621050ed573c804c0499c84905386ca58e8b25d95f88b2625585c386a697612ca3df

  • SSDEEP

    24576:6yquMrkzQnmae6IspCfGJeHDMTjnsBvGEb97nlYJeWZPmjQ9i8EG:BqfAgeB4IGK4nOvGEbxnlYAWZaii8E

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057
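The config block above gives everything needed to turn this sample into network detections: family, botnet tag and a single C2 endpoint. The script below is an added example, not the sandbox's own code. It parses the extracted C2 into an ip/port pair, emits a Suricata rule for it, and runs the indicator over a few constructed Zeek-style conn.log lines (the log lines, the `$HOME_NET` variable and the sid range are assumptions for illustration).

```python
"""Turn the report's extracted RedLine config into network IOCs, emit a
Suricata rule for the C2 and run the IOCs over constructed Zeek-style
conn.log lines. Added example; not the sandbox's code."""
import ipaddress
from dataclasses import dataclass

# Copied from the report's "Malware Config" section.
EXTRACTED_CONFIG = {
    "family": "redline",
    "botnet": "taiga",
    "c2": ["5.42.92.51:19057"],
}


@dataclass(frozen=True)
class C2:
    ip: str
    port: int


def parse_c2(entry: str) -> C2:
    """Parse 'ip:port'. RedLine configs carry bare IPv4 literals, but a
    bracketed IPv6 literal is tolerated; a hostname raises ValueError so
    a malformed entry is never silently turned into a no-op rule."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"no port in C2 entry: {entry!r}")
    host = host.strip("[]")
    ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP
    return C2(host, int(port))


def c2_set(config: dict) -> set[C2]:
    return {parse_c2(e) for e in config["c2"]}


def suricata_rule(c2: C2, config: dict, sid: int) -> str:
    """One alert rule per C2 endpoint; sid must be unique in the ruleset."""
    msg = f"{config['family'].capitalize()} C2 (botnet {config['botnet']})"
    return (
        f'alert tcp $HOME_NET any -> {c2.ip} {c2.port} (msg:"{msg}"; '
        f"flow:established,to_server; classtype:trojan-activity; "
        f"sid:{sid}; rev:1;)"
    )


# Constructed conn.log lines (tab separated): ts, uid, id.orig_h,
# id.orig_p, id.resp_h, id.resp_p, proto. The connection on port 80 is
# there to show the difference between ip:port and ip-only matching.
SAMPLE_CONN_LOG = """\
1699700000.1\tCAbc1\t10.0.0.15\t51234\t5.42.92.51\t19057\ttcp
1699700001.4\tCAbc2\t10.0.0.15\t51235\t142.250.74.46\t443\ttcp
1699700002.8\tCAbc3\t10.0.0.22\t51236\t5.42.92.51\t80\ttcp
1699700003.0\tCAbc4\t10.0.0.31\t51237\t5.42.92.51\t19057\ttcp
"""


def find_c2_connections(conn_log: str, c2s: set[C2], match_port: bool = True) -> list[dict]:
    """Return the connections whose responder matches a C2. With
    match_port=False any traffic to a C2 IP is flagged, which catches a
    rotated port at the cost of more noise on shared hosting."""
    c2_ips = {c.ip for c in c2s}
    hits = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
        matched = C2(resp_h, int(resp_p)) in c2s if match_port else resp_h in c2_ips
        if matched:
            hits.append({"ts": float(ts), "uid": uid, "src": f"{orig_h}:{orig_p}",
                         "dst": f"{resp_h}:{resp_p}", "proto": proto})
    return hits


if __name__ == "__main__":
    c2s = c2_set(EXTRACTED_CONFIG)
    for sid, c2 in enumerate(sorted(c2s, key=lambda c: (c.ip, c.port)), start=1000001):
        print(suricata_rule(c2, EXTRACTED_CONFIG, sid))
    for hit in find_c2_connections(SAMPLE_CONN_LOG, c2s):
        print(hit)
```

RedLine operators rotate ports far more often than hosts, so an IP-only sweep (`match_port=False`) of historical flow data is worth running alongside the exact ip:port rule; treat those extra hits as leads rather than confirmed beacons.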

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the payload can bail out in excluded regions.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from the brand PayPal.

    • Suspicious use of SetThreadContext
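Several of the signatures above (the registry-based location check, the Run key, the wallet file access and the SetThreadContext call) can be re-derived from a process/API trace with a few lines of logic. The script below is an added example, not the sandbox's signature engine. The trace is constructed; the registry paths (`Control Panel\International\Geo\Nation` for the location check), the API names and the wallet directories are the ones these signatures are commonly keyed on and are assumptions here, not values taken from the report.

```python
"""Re-derive the report's behavioural signatures from a process/API trace.
Added example, not the sandbox's signature engine. The trace is
constructed; registry paths, API names and wallet locations are the ones
these signatures are commonly keyed on (assumption)."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004
GEO_KEY = r"\control panel\international\geo"          # value "Nation" holds the GeoID
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\runonce")
WALLET_MARKERS = ("\\exodus\\", "\\electrum\\", "\\ethereum\\keystore",
                  "wallet.dat", "\\armory\\", "\\atomic\\")
HOLLOW_STEPS = {"suspended", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}

# Constructed trace of (pid, api, args) in call order: a first-stage process
# reads the geofence key, hollows a .NET host, and the hollowed process
# then persists and opens wallet files.
TRACE = [
    (1200, "RegQueryValueExW", {"key": r"HKEY_CURRENT_USER\Control Panel\International\Geo",
                                "value": "Nation"}),
    (1200, "CreateProcessW", {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
                              "flags": CREATE_SUSPENDED, "child_pid": 1340}),
    (1200, "WriteProcessMemory", {"target_pid": 1340, "size": 0x3A000}),
    (1200, "SetThreadContext", {"target_pid": 1340}),
    (1200, "ResumeThread", {"target_pid": 1340}),
    (1340, "RegSetValueExW", {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                              "value": "Updater", "data": r"C:\Users\user\AppData\Roaming\svc.exe"}),
    (1340, "NtCreateFile", {"path": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco"}),
    (1340, "NtCreateFile", {"path": r"C:\Users\user\AppData\Roaming\Electrum\wallets\default_wallet"}),
    (1340, "NtCreateFile", {"path": r"C:\Users\user\Documents\notes.txt"}),
]


def detect(trace):
    """Return {'signatures': [...], 'hollowed_pids': [...]} for a trace."""
    sigs = set()
    steps = defaultdict(set)   # child pid -> hollowing steps observed
    for pid, api, args in trace:
        key = args.get("key", "").lower()
        if api.startswith("RegQueryValueEx") and key.endswith(GEO_KEY):
            sigs.add("Checks computer location settings")
        if api.startswith("RegSetValueEx") and any(key.endswith(k) for k in RUN_KEYS):
            sigs.add("Adds Run key to start application")
        if api.startswith("CreateProcess") and args.get("flags", 0) & CREATE_SUSPENDED:
            steps[args["child_pid"]].add("suspended")
        if api in ("WriteProcessMemory", "SetThreadContext", "ResumeThread"):
            steps[args["target_pid"]].add(api)
        path = args.get("path", "").lower()
        if api == "NtCreateFile" and any(m in path for m in WALLET_MARKERS):
            sigs.add("Accesses cryptocurrency files/wallets, possible credential harvesting")
    # The sandbox fires on the SetThreadContext call alone; requiring the whole
    # suspend / write / set-context / resume chain against one child is
    # stricter and separates hollowing from debuggers or benign context edits.
    hollowed = sorted(p for p, s in steps.items() if s >= HOLLOW_STEPS)
    if hollowed:
        sigs.add("Suspicious use of SetThreadContext")
    return {"signatures": sorted(sigs), "hollowed_pids": hollowed}


if __name__ == "__main__":
    for line in detect(TRACE)["signatures"]:
        print(line)
```

The hollowing rule is deliberately stricter than the sandbox's: a lone SetThreadContext is how the report labels it, but on a production EDR feed the full chain against a single suspended child (a signed .NET host such as RegAsm.exe in the constructed trace) is what keeps the alert actionable.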

MITRE ATT&CK Enterprise v15

Tasks