General

  • Target: NEAS.1d9781c44840ba3eb6f1d6df22c644a835785c9ae068bf4afee7ba9f288d36b0.exe
  • Size: 511KB
  • Sample: 231111-medvgsdd7s
  • MD5: 84f9bca86f19e071b26343f494c128b5
  • SHA1: 3e0ee5f2a7b105f3f79e6d4a42d8abcb0c517dac
  • SHA256: 1d9781c44840ba3eb6f1d6df22c644a835785c9ae068bf4afee7ba9f288d36b0
  • SHA512: 1ae231a2545d56e80e404cdb92747f9635fba12f625d53d6fa3e1f6b501712f1207469e6ee1d07bcd18d47894be69888d687c32e7e74f9cbca3fa2d18f959ba6
  • SSDEEP: 12288:XMrIy90CJC9K/ZvIRVNew3rM+L8Y8TUs2euF+4+wSRSFfCiqPRqlp1tre:/y9NIRlrL8YSz2eu4USMdRqZqlpDre

Malware Config

Extracted

  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic: Mystic is an infostealer written in C++.

    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks