General

  • Target

    NEAS.1fa01f47d23194c0335d37488faa8a412c743f6a15805939f55529af813b577a.exe

  • Size

    511KB

  • Sample

    231111-meqjaadd7w

  • MD5

    50870235cdee5126c889005064c9d887

  • SHA1

    20d4654901783d3810d4bcfc06f7c9a8ccf40417

  • SHA256

    1fa01f47d23194c0335d37488faa8a412c743f6a15805939f55529af813b577a

  • SHA512

    230cc0cbb4c8c9eb6a917df2c728aebb8f3ac5eeaa33f3f2bcfda43f118539f9adf3b2a363a96a79c9e0ee6b67a951952b6ebee6ceafe345ff3ed9674ffd1fe0

  • SSDEEP

    12288:sMr5y90eRWSJ+dBMqjY8TUs22uh+4+wSRbFgv4ly:9y78SJ+dBRYSz22u0US9Gn

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      NEAS.1fa01f47d23194c0335d37488faa8a412c743f6a15805939f55529af813b577a.exe

    • Size

      511KB

    • MD5

      50870235cdee5126c889005064c9d887

    • SHA1

      20d4654901783d3810d4bcfc06f7c9a8ccf40417

    • SHA256

      1fa01f47d23194c0335d37488faa8a412c743f6a15805939f55529af813b577a

    • SHA512

      230cc0cbb4c8c9eb6a917df2c728aebb8f3ac5eeaa33f3f2bcfda43f118539f9adf3b2a363a96a79c9e0ee6b67a951952b6ebee6ceafe345ff3ed9674ffd1fe0

    • SSDEEP

      12288:sMr5y90eRWSJ+dBMqjY8TUs22uh+4+wSRbFgv4ly:9y78SJ+dBRYSz22u0US9Gn

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks