General

  • Target

    NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe

  • Size

    522KB

  • Sample

    231111-ml4pgsdf51

  • MD5

    2450d284205c1df44fbae3a51c547384

  • SHA1

    f4c552fd2804a3ca229f489de619e735a6b32f87

  • SHA256

    5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893

  • SHA512

    04cfde71b150dc0a06351c0f8f1a9ca73a5833511a5af28f0dd5c65842dc06e51d27e74b5408ffb415705ac5f612dd074d628840b570db46905854ea17afa05c

  • SSDEEP

    12288:aMrPy90tP4tMMq1YOSQH5+wSp17XASvot3gzaH3w7:1yQkk+OSQJ3gzWw7

Malware Config (extracted)

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
