General

  • Target

    1c9ff9394f050e641023445185ab7f78.exe

  • Size

    522KB

  • Sample

    231111-jjncyade55

  • MD5

    1c9ff9394f050e641023445185ab7f78

  • SHA1

    28ded8853ffbe30202c59e3c365ed4cbd6924260

  • SHA256

    8fbb18ef24e9c8f05209909a7723fe076b478dde5b9385a1d23f0ad46a8751aa

  • SHA512

    e7dd569295ac63cf60a832f1beae0a7333e59187f61fcf959be7112a6a7ba4033308d2a4908921c942ad2e44620e45be9d6c59d30ea8378d54c1779b2c94372e

  • SSDEEP

    12288:PMrRy906PlgSocnKVV93NED9J1Oip7mfsqg:ayHl73Kj9OpJ1Oip6sF

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks