General

  • Target: NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe
  • Size: 522KB
  • Sample: 231111-mcwmhsdd5v
  • MD5: 27dffe6a01bee3e0ee0949a3df239bf0
  • SHA1: 20d9d845df3959952ed5246547ffe75656579963
  • SHA256: 58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648
  • SHA512: 9e10d2ae5b2786fbd2a4755f9b45f1e05cf01a24a7e3beeb3e7ae86574e3338bd08e5711dfdbee8cba25870ce1faf9945a90302413d022c4150575e7c96829a0
  • SSDEEP: 12288:lMrty90GxYxVLfDOjFr/LxL2RrHlUEwAUkSFL:IyLxIVLfMx/lLKpOkSt

Malware Config

Extracted

  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057

Targets


    • Detect Mystic stealer payload
    • Mystic: Mystic is an infostealer written in C++.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks