General

  • Target

    9d3c5e577e15080f95f9f94b534bc09cfdcee854c82232572c34b11d6e13ce63

  • Size

    1.3MB

  • Sample

    231111-jd756ace2w

  • MD5

    9b4d899280a44c4d60820edd5194b82e

  • SHA1

    7d24eb47d631091e5fc2cee4cd58aca58f6cc8d8

  • SHA256

    9d3c5e577e15080f95f9f94b534bc09cfdcee854c82232572c34b11d6e13ce63

  • SHA512

    5c1e0f8489e4c8b8d27a1660b32010f1bc3c953f6acf52262105a26f79a5a43c4db914066e5754d1a71d4717d49dad5f4970fec913cdfeccfce904b7cccb4dc4

  • SSDEEP

    24576:2yRKv5SpMTIaeBIsUCMGQzQDn6tVTNA3uko84E3QWR7:FRKvcCe6fLGpL6tVJA3ukgmQw

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      9d3c5e577e15080f95f9f94b534bc09cfdcee854c82232572c34b11d6e13ce63

    • Size

      1.3MB

    • MD5

      9b4d899280a44c4d60820edd5194b82e

    • SHA1

      7d24eb47d631091e5fc2cee4cd58aca58f6cc8d8

    • SHA256

      9d3c5e577e15080f95f9f94b534bc09cfdcee854c82232572c34b11d6e13ce63

    • SHA512

      5c1e0f8489e4c8b8d27a1660b32010f1bc3c953f6acf52262105a26f79a5a43c4db914066e5754d1a71d4717d49dad5f4970fec913cdfeccfce904b7cccb4dc4

    • SSDEEP

      24576:2yRKv5SpMTIaeBIsUCMGQzQDn6tVTNA3uko84E3QWR7:FRKvcCe6fLGpL6tVJA3ukgmQw

    • Detects Mystic stealer payload

    • Detected Google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Suspicious use of SetThreadContext
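
The extracted config (RedLine C2 5.42.92.51:19057) and the behaviours flagged above (Run-key persistence, execution of a dropped EXE) translate directly into host-side hunting logic. The following is an added example, not part of the sandbox report or of any tooling the report describes: it scans Sysmon events exported as one JSON object per line and flags Run-key values that point at user-writable directories, process starts from those directories, and connections to the extracted C2. It assumes the standard Sysmon field names (EventID, Image, TargetObject, Details, DestinationIp, DestinationPort); the log lines embedded in it are constructed for the example, not captured from this sample.

```python
"""Hunt for the behaviours in the sandbox report in Sysmon JSON-lines output.

Added example; the SAMPLE_LOG lines are constructed, not recorded from the sample.
"""
import json
import re
from typing import List, Optional, Tuple

# C2 taken from the extracted RedLine config above.
C2_HOST, C2_PORT = "5.42.92.51", 19057

# Sysmon Event 13 (RegistryEvent SetValue) TargetObject for Run / RunOnce keys.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)
# Directories a non-admin user can write to; a dropped EXE typically lives here.
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\"
    r"|\\Users\\[^\\]+\\Downloads\\"
    r"|\\Windows\\Temp\\"
    r"|\\ProgramData\\)",
    re.IGNORECASE,
)


def extract_path(value: str) -> str:
    """Return the executable path from a Run value, quoted or bare, with or without arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.+?\.exe)", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ")[0]


def classify(event: dict) -> Optional[str]:
    """Map one Sysmon event to a finding, or None if it is not interesting."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        if USER_WRITABLE_RE.search(extract_path(event.get("Details", ""))):
            return "run-key persistence from user-writable path"
    elif eid == 3:
        if (event.get("DestinationIp") == C2_HOST
                and int(event.get("DestinationPort", 0)) == C2_PORT):
            return "connection to extracted RedLine C2"
    elif eid == 1 and USER_WRITABLE_RE.search(event.get("Image", "")):
        return "execution from user-writable path"
    return None


def scan(lines) -> List[Tuple[int, str, str]]:
    """Return (EventID, Image, finding) for every event that matches a rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            hits.append((ev["EventID"], ev.get("Image", ""), reason))
    return hits


# Constructed Sysmon events (JSON lines); SID, user and file names are made up.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup.exe", "CommandLine": "setup.exe"}
{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "\"C:\\Users\\victim\\AppData\\Roaming\\Updater\\updater.exe\""}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\agent.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe --tray"}
{"EventID": 3, "Image": "C:\\Users\\victim\\AppData\\Roaming\\Updater\\updater.exe", "DestinationIp": "5.42.92.51", "DestinationPort": 19057}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "142.250.74.100", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
"""

if __name__ == "__main__":
    for eid, image, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"event {eid}: {reason} ({image})")
```

The Run-key and user-writable-path rules are triage heuristics, not verdicts: legitimate installers also start from AppData and register Run values there, so treat those hits as pivots to be confirmed against the hashes in the report. The C2 rule is the high-confidence one, but only for as long as the extracted address stays current.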

MITRE ATT&CK Enterprise v15