General

  • Target: 72d74e0d2fde67e2d12ae2faa727d015f30250f861ebf9bb5c70496a8d58e174
  • Size: 917KB
  • Sample: 231111-kpfeysdf83
  • MD5: a8fb75a3a9dbfe0112e8030d70cb6133
  • SHA1: 0b3f1c1312d7cd73739164416419b914df721c5b
  • SHA256: 72d74e0d2fde67e2d12ae2faa727d015f30250f861ebf9bb5c70496a8d58e174
  • SHA512: a83ed10fef81c8e066227e8e7b5f62b6a03b05910d9249d5eed0a336ff8b0ce5ad985c63cc0f0cd14a5b598aaa338c1e98a450cced53fdaa3824486435a5ba34
  • SSDEEP: 12288:0MrAy90x3sGLNAZs1Oaex4IC5mpCPHGhtPLvTMXiYQRD2ZuUeVkEpcpCKHilSYaz:cyamTaeuIsyC/GfLYDbEQHhfTA36N

Malware Config

Extracted

  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext
