General

  • Target

    NEAS.35c5f8c647bf0780c340fa71c1a6548120cd52d9ca882b284c48c1a7004954f4.exe

  • Size

    511KB

  • Sample

    231111-mez3qaed42

  • MD5

    327fee1d198d5a33e4af119b7ac7dad0

  • SHA1

    e0945f82242cb4c62ea88659ddff2dd333c095f3

  • SHA256

    35c5f8c647bf0780c340fa71c1a6548120cd52d9ca882b284c48c1a7004954f4

  • SHA512

    fa44633099377421d4afd5fee3def2cf1e587a1bf1468786f554662bd22dc5912d23900f82819592663396079113d5359434d6f23333dadd3946e584d65ee5b0

  • SSDEEP

    12288:cMrky90C6M57vdSzwieHqwCQC8kY8TUs2kuT+4+wSR4FCYNlThAfB:4y5D57vd/ieEYSz2ku6USGUQhCB

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      NEAS.35c5f8c647bf0780c340fa71c1a6548120cd52d9ca882b284c48c1a7004954f4.exe

    • Size

      511KB

    • MD5

      327fee1d198d5a33e4af119b7ac7dad0

    • SHA1

      e0945f82242cb4c62ea88659ddff2dd333c095f3

    • SHA256

      35c5f8c647bf0780c340fa71c1a6548120cd52d9ca882b284c48c1a7004954f4

    • SHA512

      fa44633099377421d4afd5fee3def2cf1e587a1bf1468786f554662bd22dc5912d23900f82819592663396079113d5359434d6f23333dadd3946e584d65ee5b0

    • SSDEEP

      12288:cMrky90C6M57vdSzwieHqwCQC8kY8TUs2kuT+4+wSR4FCYNlThAfB:4y5D57vd/ieEYSz2ku6USGUQhCB

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
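    As an added example (not part of the sandbox report or of any vendor tooling), the hunting script below turns the indicators and signature descriptions in this report into checks over endpoint telemetry: the sample hash, the extracted C2, the registry lookup behind "Checks computer location settings", and the persistence write behind "Adds Run key to start application". The hashes, C2 address and port are the values listed above; the key=value log format, the host and file paths, and the exact registry keys assumed to sit behind the two signatures (the report describes the behaviour but does not name the keys) are assumptions.

```python
import hashlib
import re

# Indicators taken from the report above.
C2_IP = "5.42.92.51"
C2_PORT = 19057
SAMPLE_SHA256 = "35c5f8c647bf0780c340fa71c1a6548120cd52d9ca882b284c48c1a7004954f4"

# Registry locations assumed to be what the report's "Checks computer
# location settings" and "Adds Run key" signatures fire on. The report
# describes the behaviour but does not name the keys, so these are assumptions.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Telemetry lines are key=value pairs; values containing spaces are quoted.
# This is a constructed format standing in for Sysmon/EDR output.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value telemetry line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def digests(data):
    """MD5/SHA1/SHA256 of a byte string, for comparing against the report's hashes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hunt(lines):
    """Return (signature, detail) hits in log order, using the report's signature names."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("kind")
        if kind == "process" and ev.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append(("RedLine payload", f"known sample executed: {ev.get('image')}"))
        elif kind == "registry":
            path = ev.get("path", "")
            if ev.get("op") == "query" and GEO_KEY_RE.search(path):
                hits.append(("Checks computer location settings", f"{ev.get('image')} read {path}"))
            elif ev.get("op") == "set" and RUN_KEY_RE.search(path):
                hits.append(("Adds Run key to start application", f"{path} -> {ev.get('value')}"))
        elif kind == "network":
            if ev.get("dst") == C2_IP and int(ev.get("dport", 0)) == C2_PORT:
                hits.append(("C2 contact", f"{ev.get('image')} -> {C2_IP}:{C2_PORT}"))
    return hits


# Constructed telemetry: one infected host plus a benign connection as noise.
SAMPLE_EXE = r"C:\Users\alice\Downloads\NEAS.35c5f8c647bf0780c340fa71c1a6548120cd52d9ca882b284c48c1a7004954f4.exe"
SAMPLE_LOG = [
    f'kind=process image="{SAMPLE_EXE}" parent=explorer.exe sha256={SAMPLE_SHA256}',
    f'kind=registry op=query image="{SAMPLE_EXE}" path="HKCU\\Control Panel\\International\\Geo\\Nation"',
    f'kind=registry op=set image="{SAMPLE_EXE}" path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" value="C:\\Users\\alice\\AppData\\Roaming\\updater.exe"',
    f'kind=network image="{SAMPLE_EXE}" dst={C2_IP} dport={C2_PORT}',
    'kind=network image="C:\\Program Files\\Browser\\browser.exe" dst=203.0.113.10 dport=443',
]

if __name__ == "__main__":
    for sig, detail in hunt(SAMPLE_LOG):
        print(f"[{sig}] {detail}")
```

    Two caveats when reusing this: the C2 endpoint and botnet name ("taiga") are per-build configuration and will differ across RedLine samples, so the hash and C2 checks only catch this exact build; and a read of the Geo key on its own is a weak signal, since legitimate software reads locale settings too. Treat the country lookup as corroboration for the Run-key write and the outbound connection rather than as an alert by itself.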

MITRE ATT&CK Enterprise v15

Tasks