General

  • Target

    NEAS.52fccafa3329ad996f0ee65dfbb1b9c3cab6fe03c50a6c984aa1168696bcd7fd.exe

  • Size

    511KB

  • Sample

    231111-mevs1aed38

  • MD5

    07a124ac94dd5499d304e5357f9d5d43

  • SHA1

    7ef4a91d56563d4f9d10b940f57b4ea43842fcbb

  • SHA256

    52fccafa3329ad996f0ee65dfbb1b9c3cab6fe03c50a6c984aa1168696bcd7fd

  • SHA512

    138d849e3e8d520e799346c87e239c09e8585c3d0ab73d22ea1b674ca6d9fc64a1ae6eef8f95bec3e34acb0dff2e8aa605cdf330e5d850823aad1fbf4daca7d8

  • SSDEEP

    12288:XMr1y9033Qnw1gRY8TUs2eu1+4+wSRuFCUAkroAas:ayI3BKYSz2euoUSQUUAkroA7

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks