General

  • Target

    NEAS.913728936f5ac2d55ab9e59642a198e7f1d0b585b6fc5153c757823c8dc11aba.exe

  • Size

    511KB

  • Sample

    231111-mlny2aee76

  • MD5

    67973a4dbb80488e677a7ef6b9b43891

  • SHA1

    22fa72eea56b96651ced1c1bb3b0afb7e39977ce

  • SHA256

    913728936f5ac2d55ab9e59642a198e7f1d0b585b6fc5153c757823c8dc11aba

  • SHA512

    8f9abad6bd739ae176853e28105e2d01fc2e4169f53fd5843436eba1fb4cb70ddc464679051cf5ec511d98dcc0fdfe604ccb1fdf678cd0413bdec0fc3e41eb9c

  • SSDEEP

    12288:5MrZy90AZmaqv7TVY8TUs2eu1+4+wSRiFpUA9pHi:gyBNwYSz2euoUS8zUAq

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      NEAS.913728936f5ac2d55ab9e59642a198e7f1d0b585b6fc5153c757823c8dc11aba.exe

    • Size

      511KB

    • MD5

      67973a4dbb80488e677a7ef6b9b43891

    • SHA1

      22fa72eea56b96651ced1c1bb3b0afb7e39977ce

    • SHA256

      913728936f5ac2d55ab9e59642a198e7f1d0b585b6fc5153c757823c8dc11aba

    • SHA512

      8f9abad6bd739ae176853e28105e2d01fc2e4169f53fd5843436eba1fb4cb70ddc464679051cf5ec511d98dcc0fdfe604ccb1fdf678cd0413bdec0fc3e41eb9c

    • SSDEEP

      12288:5MrZy90AZmaqv7TVY8TUs2eu1+4+wSRiFpUA9pHi:gyBNwYSz2euoUS8zUAq

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks