General

  • Target

    NEAS.bed9d12b5ad4bdb86c0fa2ab9df14008c33b67d56b0df31bd0b24dcb0f34d93f.exe

  • Size

    522KB

  • Sample

    231111-mk4m4aee55

  • MD5

    809c2494139568d024bbbc96804dff3b

  • SHA1

    24307ecce43105bf40d5be8b3265c42395ea9572

  • SHA256

    bed9d12b5ad4bdb86c0fa2ab9df14008c33b67d56b0df31bd0b24dcb0f34d93f

  • SHA512

    b249f98b335d2c470eb1d65863802066caca665fffc2e1552188ee4fa3e2fafb571fa4579def4d671ea0c90f5f4b671303a90f4df9dc1a5e14e2e7ef0f4aade0

  • SSDEEP

    12288:gMrvy90oUVLIQKakn+CftEMag3Ea1IAH5qt+:/yqkQK3Je4KAHAg

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15