General

  • Target

    NEAS.025d5b38468a58fa6ebfbfb6079cf4a47fa58f800677d60963fc9cfa96234289.exe

  • Size

    511KB

  • Sample

    231111-me74bsdd8v

  • MD5

    330c2d229d79afd0c4100c125a37841e

  • SHA1

    8a03d14ffa4d597db55cc98fd44d402232cdc8bc

  • SHA256

    025d5b38468a58fa6ebfbfb6079cf4a47fa58f800677d60963fc9cfa96234289

  • SHA512

    059fc460d18830db92219ef8b8bd4d58c6135e0b3331ae229db4f34f319019c270b23eb7d68560f4b19cedc42bd6fdaad508ea167c0c56966e92cfc32f6b7745

  • SSDEEP

    12288:9Mrky90/wXl0fsueSYwY8TUs2AuX+4+wSRtFfJkoqPRqC2:Zy/0fsvOYSz2AuuUSzfkoqZqC2

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057
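The file hashes and the C2 socket above are the indicators most teams will want to hunt on first. The following Python is an added example, not part of the sandbox report: it copies the reported digests and C2 endpoint into constants, hashes an arbitrary file or byte string in one pass, and scans connection-log lines for the C2 socket, distinguishing an exact IP:port hit from a host-only hit on another port. The log lines and the byte string it runs on are constructed test data and are expected not to match the sample.

```python
"""Hash- and C2-based IOC check for the RedLine/Mystic sample in this report.

Added example, not part of the sandbox report. The digests and the C2 socket
are copied from the report; every input processed here is constructed.
"""
import hashlib
import re

# Indicators taken from the report.
SAMPLE_HASHES = {
    "md5": "330c2d229d79afd0c4100c125a37841e",
    "sha1": "8a03d14ffa4d597db55cc98fd44d402232cdc8bc",
    "sha256": "025d5b38468a58fa6ebfbfb6079cf4a47fa58f800677d60963fc9cfa96234289",
    "sha512": "059fc460d18830db92219ef8b8bd4d58c6135e0b3331ae229db4f34f319019c270b"
              "23eb7d68560f4b19cedc42bd6fdaad508ea167c0c56966e92cfc32f6b7745",
}
C2_HOST = "5.42.92.51"
C2_PORT = 19057


def digest_stream(chunks):
    """Feed every chunk to all four hashers in a single pass."""
    hashers = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return digest_stream([data])


def hash_file(path, chunk=1 << 20):
    """Hash a file on disk without loading it whole into memory."""
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(chunk), b""))


def matching_digests(digests):
    """Names of the digest algorithms whose value equals the reported sample."""
    return sorted(name for name, value in digests.items()
                  if value == SAMPLE_HASHES[name])


_SOCKET_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def c2_hits(log_lines):
    """Return (line_no, level) for lines that reference the reported C2.

    level is "socket" for an exact IP:port match and "host-only" when the
    IP appears with a different port (still worth a look, lower confidence).
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        level = None
        for host, port in _SOCKET_RE.findall(line):
            if host == C2_HOST:
                level = "socket" if int(port) == C2_PORT else (level or "host-only")
        if level:
            hits.append((n, level))
    return hits


# Constructed connection log for a stand-alone run; not from the sandbox.
CONSTRUCTED_LOG = [
    "conn src=10.0.0.7:51012 dst=5.42.92.51:19057 proto=tcp",
    "conn src=10.0.0.7:51013 dst=5.42.92.51:443 proto=tcp",
    "conn src=10.0.0.7:51014 dst=93.184.216.34:80 proto=tcp",
]

if __name__ == "__main__":
    benign = b"MZ constructed test bytes, not the sample\n"
    print("digests matching the sample:", matching_digests(hash_bytes(benign)))
    print("C2 hits:", c2_hits(CONSTRUCTED_LOG))
```

Use hash_file on a quarantined file to check it against the report, and feed real firewall or proxy lines to c2_hits. A host-only hit on 5.42.92.51 is reported separately because RedLine operators rotate ports on the same host far more often than they rotate the host.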

Targets

    • Target

      NEAS.025d5b38468a58fa6ebfbfb6079cf4a47fa58f800677d60963fc9cfa96234289.exe

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain locales).

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
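The last three behaviours in the list (executing a dropped EXE, adding a Run key, connecting out) are the ones that show up in endpoint telemetry. The following Python is an added example, not part of the report: it walks a list of Sysmon-style events (IDs 11 FileCreate, 1 ProcessCreate, 13 RegistryEvent SetValue, 3 NetworkConnect) and flags a process started from an EXE that was earlier written to a user-writable directory, a value written under a CurrentVersion\Run or RunOnce key, and a connection to the reported C2. The event records, paths and SID are constructed and hypothetical. SetThreadContext abuse is deliberately not covered: it is not visible in these four event types, and on a Sysmon host you would look at Event ID 10 (ProcessAccess) and 8 (CreateRemoteThread) instead.

```python
"""Behavioural triage of Sysmon-style events for the signatures in this report.

Added example, not part of the sandbox report. The events below are
constructed to mirror the report's signatures; nothing here is real telemetry.
"""
import re

# C2 socket from the report's extracted config.
C2_HOST = "5.42.92.51"
C2_PORT = 19057

# Registry paths that start a program at logon ("Adds Run key").
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a stealer can write to without elevation.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\",
                              re.IGNORECASE)


def triage(events):
    """Return (event_index, label, detail) for each suspicious event.

    Events are processed in order so that an EXE must be seen being written
    (Event 11) before its execution (Event 1) counts as a dropped-EXE launch.
    """
    dropped = set()
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 11:
            target = ev["TargetFilename"]
            if target.lower().endswith(".exe") and USER_WRITABLE_RE.search(target):
                dropped.add(target.lower())
        elif eid == 1 and ev["Image"].lower() in dropped:
            findings.append((i, "executes_dropped_exe", ev["Image"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            findings.append((i, "run_key_persistence",
                             f"{ev['TargetObject']} = {ev.get('Details', '')}"))
        elif (eid == 3 and ev["DestinationIp"] == C2_HOST
              and int(ev["DestinationPort"]) == C2_PORT):
            findings.append((i, "c2_connection",
                             f"{ev['Image']} -> {C2_HOST}:{C2_PORT}"))
    return findings


# Constructed events; the paths and SID are placeholders, not from the sandbox.
DROPPED = r"C:\Users\u\AppData\Local\Temp\dropped.exe"
CONSTRUCTED_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\u\Desktop\sample.exe",
     "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED,
     "ParentImage": r"C:\Users\u\Desktop\sample.exe"},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\dropped",
     "Details": DROPPED},
    {"EventID": 3, "Image": DROPPED,
     "DestinationIp": C2_HOST, "DestinationPort": C2_PORT},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, label, detail in triage(CONSTRUCTED_EVENTS):
        print(f"event {index}: {label}: {detail}")
```

Feed it parsed Sysmon records from a real host (one dict per event with the standard field names) and it reproduces the sandbox's verdicts from telemetry alone; the benign notepad launch at the end is there to show that an ordinary process start produces no finding.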

MITRE ATT&CK Enterprise v15

Tasks