General

  • Target

    NEAS.4f806a82b899b9438c737f09265a9655b0ccce02804613832f3bdd28c0cd50cf.exe

  • Size

    522KB

  • Sample

    231111-mdwc5sed33

  • MD5

    a2705e9feb1410276ae45e629b8b3531

  • SHA1

    9e1a878bc52bab18b71b4c89e3a3fe48a8f4ba23

  • SHA256

    4f806a82b899b9438c737f09265a9655b0ccce02804613832f3bdd28c0cd50cf

  • SHA512

    77eeca1aa676cec748867417a0095d1abc100ef0bb7ebf58893755eb49f9c35cb1eee1b6551fd501132ac4bbc0a8a9b1dd4063fbb68b9a07bf97fb0fded62608

  • SSDEEP

    12288:wMr1y90ZR4ayVTjmtB2vaDxCOItZN1ViuhgrJUBW:Vy0OaETyP2SVCvnN13gl6W

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      NEAS.4f806a82b899b9438c737f09265a9655b0ccce02804613832f3bdd28c0cd50cf.exe

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks