General

  • Target

    NEAS.85eec185cfeafdc1bf5c97a73f5d22728642ec85f6e01de72c1b555563c8d2b0.exe

  • Size

    511KB

  • Sample

    231111-mgtcysed68

  • MD5

    c5c152c7120070844b2a3c1e47d324fb

  • SHA1

    36c4e3fa3e4bc743a1c98a3e362f523d8ef275be

  • SHA256

    85eec185cfeafdc1bf5c97a73f5d22728642ec85f6e01de72c1b555563c8d2b0

  • SHA512

    d975954b0895345b423025d3ba856b7d9c25f94749caf267c3b13a9f812352e39550c11769751dd974c63b31f843c69ad82ba285b8c62be82eaeeaff67814116

  • SSDEEP

    12288:EMrJy90VJF0CDf8wuqwbgXUcY8TUs26uN+4+wSRfFEGuUA9kh3:9ycF0Of8rMYSz26uQUS1KRUAC3

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks