General

  • Target

    NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe

  • Size

    523KB

  • Sample

    231111-mlbnpsee63

  • MD5

    440cc71e1caabc300339cdede88a23ac

  • SHA1

    9301462e76521b09c185b6a23f453ff080c71937

  • SHA256

    7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7

  • SHA512

    159a418d3a9d53b440f15dc1cc168a66d3e8e004d0677e2c9acddeef07a4356e307c17783a7b08650b230a0466401a08bcdba08337295003aba7beef7681b575

  • SSDEEP

    12288:CMrsy90Ar0O+cNWU8I4vHtKZspqUWWvoUXxuw:2yNr/+c4UKTvzBP

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe

    • Size

      523KB

    • MD5

      440cc71e1caabc300339cdede88a23ac

    • SHA1

      9301462e76521b09c185b6a23f453ff080c71937

    • SHA256

      7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7

    • SHA512

      159a418d3a9d53b440f15dc1cc168a66d3e8e004d0677e2c9acddeef07a4356e307c17783a7b08650b230a0466401a08bcdba08337295003aba7beef7681b575

    • SSDEEP

      12288:CMrsy90Ar0O+cNWU8I4vHtKZspqUWWvoUXxuw:2yNr/+c4UKTvzBP

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks