General

  • Target

    4abf3ab6ad81c93990333c4aaaa3e649dbf64b613cab755a9d6a8c5638efd786

  • Size

    1.3MB

  • Sample

    231111-hwmfqscd7v

  • MD5

    c0ac08b8815b0340e23ca5b2c9a41867

  • SHA1

    bcbc724f3dbfe0dadbab838d212bd306b52771e5

  • SHA256

    4abf3ab6ad81c93990333c4aaaa3e649dbf64b613cab755a9d6a8c5638efd786

  • SHA512

    611f1e4fcf6a1876d85922cac6f4f4082309f6f947034b027b3a84d1755abd29dfeb92acca5c445f77e1a625be8d3f26b1310806c9b3ca8595b1b6c0e3067d02

  • SSDEEP

    24576:0ypRRsoVDBggCaeEIsdCBG83XDLDfpSyG/EGQZOdF0fGHdNmamXsL7wYku:DpRRHxLejc0GmPDfpSJ/ELOcfuOW

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Detected Google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence so the sample does not run on hosts in certain locales.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      An AutoIt script compiled into a PE executable.

    • Suspicious use of SetThreadContext
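The signatures above (known sample hash, RedLine C2 connection, Run-key persistence) can be turned into host-log detections. The following is an added example, not part of the sandbox report: it checks a handful of Sysmon-style events against the IOCs on this page. The events are constructed for illustration (the sample path, SID and the benign svchost connection are invented); only the SHA256 and the C2 address come from the report, and the field names follow Sysmon's EventData naming (Image, Hashes, DestinationIp, DestinationPort, TargetObject).

```python
import re

# IOCs taken from the report above.
SHA256 = "4abf3ab6ad81c93990333c4aaaa3e649dbf64b613cab755a9d6a8c5638efd786"
C2 = ("5.42.92.51", 19057)

# Autostart locations the "Adds Run key to start application" signature covers:
# ...\Microsoft\Windows\CurrentVersion\Run or RunOnce, any value name.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE
)

# Constructed sample path (assumption; not from the report).
SAMPLE_PATH = r"C:\Users\user\AppData\Local\Temp\file.exe"

# Constructed Sysmon-style events. EventID 1 = process create,
# 3 = network connect, 13 = registry value set.
EVENTS = [
    {"EventID": 1, "Image": SAMPLE_PATH,
     "Hashes": "SHA256=4ABF3AB6AD81C93990333C4AAAA3E649DBF64B613CAB755A9D6A8C5638EFD786"},
    {"EventID": 3, "Image": SAMPLE_PATH,
     "DestinationIp": "5.42.92.51", "DestinationPort": 19057},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "13.107.4.50", "DestinationPort": 80},
    {"EventID": 13, "Image": SAMPLE_PATH,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Roaming\Updater\updater.exe"},
]


def parse_hashes(field):
    """Sysmon's Hashes field is 'ALG=HEX,ALG=HEX'; return {ALG: hex_lowercase}."""
    out = {}
    for part in field.split(","):
        alg, _, val = part.partition("=")
        if alg and val:
            out[alg.strip().upper()] = val.strip().lower()
    return out


def classify(event):
    """Return the report signatures a single event matches (empty list if none)."""
    tags = []
    eid = event.get("EventID")
    if eid == 1 and parse_hashes(event.get("Hashes", "")).get("SHA256") == SHA256:
        tags.append("known_sample_executed")
    if eid == 3 and (event.get("DestinationIp"), int(event.get("DestinationPort", 0))) == C2:
        tags.append("redline_c2_connection")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        tags.append("run_key_persistence")
    return tags


def triage(events):
    """Walk the events in log order and return (signature, image) findings."""
    findings = []
    for ev in events:
        for tag in classify(ev):
            findings.append((tag, ev.get("Image", "")))
    return findings


if __name__ == "__main__":
    for tag, image in triage(EVENTS):
        print(f"{tag:24s} {image}")
```

The hash comparison is case-insensitive because Sysmon emits uppercase hex while most reports (including this one) list lowercase; the Run-key check matches on the key path rather than a specific value name, since the value name is attacker-chosen.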
