General

  • Target

    23c4e6133c176b0f71e340b10b7906233c4548836830ee9a2225523048719094

  • Size

    1.3MB

  • Sample

    231111-jrrekace9t

  • MD5

    d5539250a8f1c75cd0e8b1eec19a6de8

  • SHA1

    030dcbda609543bb2d7c6ee38b2b8f1d96653b78

  • SHA256

    23c4e6133c176b0f71e340b10b7906233c4548836830ee9a2225523048719094

  • SHA512

    f832dfab34bb1d863e8608424d747bb9ecf542008a57100a6b5936e47a8e08ea511262b981d521f75a624d9860aa2d85ce1871dd0134bd01ccf1694f3242cfb3

  • SSDEEP

    24576:LymopeoddaeBIs+CbG5MZDIW8eVbHMcML5KD8puhGblXAUrYuJKMpmVqy:+mopYe6j2GyJLVHML59bxsuc

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Detected Google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks