General

  • Target

    NEAS.c66fb8fbea8c3b399d02bc164b98aad6210d6903045a17f37f8b2732653231f0.exe

  • Size

    511KB

  • Sample

    231111-mcwyaaec97

  • MD5

    98be1b9a3590de874f72cdc4d971e39c

  • SHA1

    284f405d235eb5f5a32cea90eb5232d2146a613d

  • SHA256

    c66fb8fbea8c3b399d02bc164b98aad6210d6903045a17f37f8b2732653231f0

  • SHA512

    4efbbdf6e7cff625c5892db8bc281695e171a6fd3bf6de63105a321f5ef3cb1c1b8ffccf6fd1e8590d1fa4e2f76c1ccceaeef0d508ae5a68875fce5f385aca6e

  • SSDEEP

    12288:sMr9y90ufjuDgvwTKxYe2wlXjLY8TUs24u/+4+wSRrFfDHNqPRqOg:5ytbmxUfYSz24umUSpZtqZqOg

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks