General

  • Target

    f0a92db4f389b06272beb78bf985f78ff8aa9a2c02ed369412e8724bd5dcec33

  • Size

    1.3MB

  • Sample

    231111-kbdzzacf5w

  • MD5

    f4d124ebee071611ec5007053aeee108

  • SHA1

    fe149955c23500231ced1e74ae1c9b22be1863b0

  • SHA256

    f0a92db4f389b06272beb78bf985f78ff8aa9a2c02ed369412e8724bd5dcec33

  • SHA512

    da13a3b1565d38b8d3561777fc85c68bcd2428512597f17fcf694a0c57245ee0e38630d71abe044a4f9a724de999c44c7a95cdbc49905ca7c963d1f908ff1f35

  • SSDEEP

    24576:cyFOKPuPPil+aeZIsYCwGUjoDqLHl4uOnOxWWW5upXO9aF1Rwu0X:LiPaHeCNrGvezGu8OXZ0YF1Rw

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Target

      f0a92db4f389b06272beb78bf985f78ff8aa9a2c02ed369412e8724bd5dcec33

    • Size

      1.3MB

    • MD5

      f4d124ebee071611ec5007053aeee108

    • SHA1

      fe149955c23500231ced1e74ae1c9b22be1863b0

    • SHA256

      f0a92db4f389b06272beb78bf985f78ff8aa9a2c02ed369412e8724bd5dcec33

    • SHA512

      da13a3b1565d38b8d3561777fc85c68bcd2428512597f17fcf694a0c57245ee0e38630d71abe044a4f9a724de999c44c7a95cdbc49905ca7c963d1f908ff1f35

    • SSDEEP

      24576:cyFOKPuPPil+aeZIsYCwGUjoDqLHl4uOnOxWWW5upXO9aF1Rwu0X:LiPaHeCNrGvezGu8OXZ0YF1Rw

    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks