General

  • Target

    NEAS.59a3dabd76a36a299ffd00f06ed1950801e21d55d9e3fd2be91af17b63d7c697.exe

  • Size

    511KB

  • Sample

    231111-mk9t4sdf31

  • MD5

    9239274114b0c18953b3dee86647b32b

  • SHA1

    38a1f39cdeb1aa5693ea3b22eea1cc21a048e55a

  • SHA256

    59a3dabd76a36a299ffd00f06ed1950801e21d55d9e3fd2be91af17b63d7c697

  • SHA512

    3db7f07478b8c9e31e0ec915b48be6e72e34164f2434ae9fe85c583e0e7c3fd9c756337be9e31a51468e21b11b18ef13e55186017daf1e19b9d6d73e12303eb7

  • SSDEEP

    12288:+Mrby90lQrN8oH6pxJwiQziqY8TUs2auB+4+wSRhFax6mgqPRqZ9KxKe:tyrlH6eYSz2auUUS3sx6mgqZqZ9/e

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Target

      NEAS.59a3dabd76a36a299ffd00f06ed1950801e21d55d9e3fd2be91af17b63d7c697.exe

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15