General

  • Target

    NEAS.fca3e61a2dd4aa0b31816068ca9ed14436491d3ad62ee7169ccd94cd3a76d3b8.exe

  • Size

    511KB

  • Sample

    231111-mfkpesdd9s

  • MD5

    57006303f19855a3084de1bed4a9992c

  • SHA1

    a3784357afe06f24cb27aac53e763fda4cac1b39

  • SHA256

    fca3e61a2dd4aa0b31816068ca9ed14436491d3ad62ee7169ccd94cd3a76d3b8

  • SHA512

    9d79aa95a20743aa67d1a0c524ada3e428368045a5c5b97420caeeb380acfe98c822361d3631ba249b11a6ca6034e0b9e0be2dd6837d418635172d0e8c2860a9

  • SSDEEP

    12288:AMrLy90fMm8dCcPiGDku3+wcWMiGaY8TUs2EuX+4+wSR2FTpAvfQ1+0kB2h:byuMmuPtALWx/YSz2EuuUSUEGCBk

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      NEAS.fca3e61a2dd4aa0b31816068ca9ed14436491d3ad62ee7169ccd94cd3a76d3b8.exe

    • Size

      511KB

    • MD5

      57006303f19855a3084de1bed4a9992c

    • SHA1

      a3784357afe06f24cb27aac53e763fda4cac1b39

    • SHA256

      fca3e61a2dd4aa0b31816068ca9ed14436491d3ad62ee7169ccd94cd3a76d3b8

    • SHA512

      9d79aa95a20743aa67d1a0c524ada3e428368045a5c5b97420caeeb380acfe98c822361d3631ba249b11a6ca6034e0b9e0be2dd6837d418635172d0e8c2860a9

    • SSDEEP

      12288:AMrLy90fMm8dCcPiGDku3+wcWMiGaY8TUs2EuX+4+wSR2FTpAvfQ1+0kB2h:byuMmuPtALWx/YSz2EuuUSUEGCBk

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks