General

  • Target

    NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe

  • Size

    522KB

  • Sample

    231111-mnfqfadf7x

  • MD5

    8c1baa8bea7fd113ff351ead4d6b5291

  • SHA1

    43c9e99978d00c3959c36c30976296ffd9fdb70e

  • SHA256

    0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7

  • SHA512

    5359041ecab6b75773db47b3ff620da50bd1f42c241092d5261ffef135cd54d42f8ce7d9a9590d64b7d78ca97ec768ae4f8d24cac0f5a0ed522415ae823095b6

  • SSDEEP

    12288:0MrFy90XU5ZTbS4UFcZRS5I84Bh9M6bJF:5yd3S42ceT4ZXJF

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks