General

  • Target: NEAS.51812cda1209a79a33ba0bfa0f854ecbe46bad19cf627e2c567eb210adf45b60.exe
  • Size: 511KB
  • Sample: 231111-mjyqfsde9x
  • MD5: 3c42a073a89bcf52bd8449c41bdd0d2f
  • SHA1: 41e2f2cefe3c602738d8867bde7ee3632f2f6407
  • SHA256: 51812cda1209a79a33ba0bfa0f854ecbe46bad19cf627e2c567eb210adf45b60
  • SHA512: bfa838346c8fd79b7c793b49c194da3bb7245808d740aa7d6d1ec54330397a71388eeccb3733190a570630b24b491927d995c32b95d78af281ffccc5f4558ae4
  • SSDEEP: 12288:gMrZy90zBJG2IplFehD9iOY8TUs2Aub+4+wSRYFZIk54o0F:pywlI3FehDMOYSz2AuyUSC4kCo0F

Malware Config

Extracted

  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057

Targets

    • Target: NEAS.51812cda1209a79a33ba0bfa0f854ecbe46bad19cf627e2c567eb210adf45b60.exe (hashes as listed under General above)

    • Detect Mystic stealer payload
    • Mystic: Mystic is an infostealer written in C++.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks