General

  • Target: NEAS.aed86670c850810895e663f1602d7d2b19b4f0b39062b313b7ecee68dfa385bb.exe
  • Size: 511KB
  • Sample: 231111-mbzb1sdd31
  • MD5: 8e0c9ab59a3841c5daa18c582162d1b8
  • SHA1: 94212e5b708f692affe6f48a61111446825a4d11
  • SHA256: aed86670c850810895e663f1602d7d2b19b4f0b39062b313b7ecee68dfa385bb
  • SHA512: 84fca843760f3d2e8a7fb3f12f9ba2432e26c6763a1d40f21c1f35732a4210226170d57c23b02e04ad2fab17e7d4bb298ed648a886116f9068aa753e2fe18ac7
  • SSDEEP: 12288:BMrdy90S1OLEXUwFUSY8TUs2auB+4+wSRDFgCnqPRq6dEqE:YygEXbYSz2auUUS12IqZq6dEqE

Malware Config

Extracted

  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057
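The hashes and C2 endpoint above are the indicators a responder would actually hunt with. The script below is an added example, not part of the sandbox report: it matches a file's digests against the report's hashes and scans connection logs for the C2 address, distinguishing an exact host:port hit from traffic to the same host on another port (lower confidence, but worth a look since RedLine infrastructure is often reused). The log lines and the sample bytes are constructed so that it runs offline; the hash values and the C2 are copied from the report.

```python
"""Hunt for this report's IOCs in a file and in connection logs.

Added example (not part of the sandbox report). The hash values and the C2
below are copied from the report; the log lines and file bytes used for the
demonstration are constructed.
"""
import hashlib
import re

# IOCs copied from the report above.
IOC_HASHES = {
    "md5": "8e0c9ab59a3841c5daa18c582162d1b8",
    "sha1": "94212e5b708f692affe6f48a61111446825a4d11",
    "sha256": "aed86670c850810895e663f1602d7d2b19b4f0b39062b313b7ecee68dfa385bb",
    "sha512": (
        "84fca843760f3d2e8a7fb3f12f9ba2432e26c6763a1d40f21c1f35732a4210226"
        "170d57c23b02e04ad2fab17e7d4bb298ed648a886116f9068aa753e2fe18ac7"
    ),
}
C2_HOST = "5.42.92.51"
C2_PORT = 19057

# Constructed firewall-style log lines (not from the report): timestamp,
# source ip:port, destination ip:port, protocol, flags.
SAMPLE_LOG = """\
2023-11-11T13:02:10Z 10.0.0.17:51234 -> 5.42.92.51:19057 TCP SYN
2023-11-11T13:02:11Z 10.0.0.17:51235 -> 142.250.74.78:443 TCP SYN
2023-11-11T13:02:12Z 10.0.0.23:51300 -> 5.42.92.51:443 TCP SYN
2023-11-11T13:02:13Z 10.0.0.17:51236 -> 5.42.92.51:19057 TCP PSH
"""

_LOG_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)"
)


def hash_bytes(data: bytes) -> dict:
    """Digests of data using the same four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as hash_bytes but streams a file so large samples fit in memory."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_matches(data: bytes, iocs: dict = IOC_HASHES) -> list:
    """Names of the algorithms whose digest of data equals the IOC value.

    Any single match identifies the sample; a partial match (e.g. MD5 only)
    would indicate a transcription error in the IOC set, not a near-variant.
    """
    digests = hash_bytes(data)
    return [name for name, value in iocs.items() if digests[name] == value]


def c2_hits(log_text: str, host: str = C2_HOST, port: int = C2_PORT) -> dict:
    """Source IPs that contacted the C2.

    'exact' lists sources that reached host:port as configured in the sample;
    'host_only' lists sources that reached the same host on another port,
    which deserves triage but is weaker evidence of this particular build.
    """
    exact, host_only = set(), set()
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, src_ip, _src_port, dst_ip, dst_port = m.groups()
        if dst_ip != host:
            continue
        (exact if int(dst_port) == port else host_only).add(src_ip)
    return {"exact": sorted(exact), "host_only": sorted(host_only)}


if __name__ == "__main__":
    print(c2_hits(SAMPLE_LOG))
    print(hash_matches(b"constructed bytes, not the sample"))
```

Against the constructed log, `c2_hits` reports 10.0.0.17 as an exact hit and 10.0.0.23 as a host-only hit; the constructed bytes match none of the report's hashes, which is the expected result for anything other than the sample itself.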

Targets

    • Target: NEAS.aed86670c850810895e663f1602d7d2b19b4f0b39062b313b7ecee68dfa385bb.exe (hashes as listed under General above)

    • Detect Mystic stealer payload
    • Mystic: Mystic is an infostealer written in C++.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence (the sample can decide not to run on machines in excluded regions).
    • Executes dropped EXE
    • Adds Run key to start application: autostart persistence through a CurrentVersion\Run registry value.
    • Suspicious use of SetThreadContext: rewriting a thread's context is the step that redirects execution in process hollowing and similar injection, so together with the dropped EXE this is consistent with a loader that unpacks and injects the stealer payload rather than running it from disk.
