General

  • Target

    dba71904859845e59e36c8ffa2af8a92b1148ce522d0a68f13d1f276aef80b2c

  • Size

    917KB

  • Sample

    231111-hvlg2scd7t

  • MD5

    6d19b59926c70b0e9071a49f4c73285d

  • SHA1

    28876d405942b8eeac0ebf2d6286245051998ed3

  • SHA256

    dba71904859845e59e36c8ffa2af8a92b1148ce522d0a68f13d1f276aef80b2c

  • SHA512

    33e63b0344263ab2b4a5e7a04c7bab989500899b17ad5286e40591fd4c9d8d92646334c3bb8d73f6224da4379128bc8e529e9bb2e878ce1b2946daa0c1d42d23

  • SSDEEP

    24576:7y/q9XRsaeuIseC/GZLYDg7Yx5JZtrHVc8lgbDbm5S:uSdnetHEGyU7cJZRVc8lgfK

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      dba71904859845e59e36c8ffa2af8a92b1148ce522d0a68f13d1f276aef80b2c


    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from the brand PayPal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks