General

  • Target

    NEAS.d4313baf6018d4f453524a8406ee31022f451cf1c05b6c7ad0dce7a5954217e2.exe

  • Size

    917KB

  • Sample

    231111-mnnq2sdf8v

  • MD5

    fa9bbec8337f2a15c9aa1599300370ad

  • SHA1

    aeb714ec3d0c6ffe8ceba5686b0346d86e17893b

  • SHA256

    d4313baf6018d4f453524a8406ee31022f451cf1c05b6c7ad0dce7a5954217e2

  • SHA512

    b070e16f5917ac76ea4ff6e6f4fc900cb68095f4ba13b0cfbacc1e92eef850f6fa0cf77aded69c8f658c08e2e0b2cbf2fd93e2ce3e2ce43e3c2536ddceef9bf7

  • SSDEEP

    24576:lyRp4a5waeuIsyC/GXLYDXt0/sYSuvLm8pYs:ARpNJet9EG8K0YVqF

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Target

      NEAS.d4313baf6018d4f453524a8406ee31022f451cf1c05b6c7ad0dce7a5954217e2.exe

    • Size

      917KB

    • MD5

      fa9bbec8337f2a15c9aa1599300370ad

    • SHA1

      aeb714ec3d0c6ffe8ceba5686b0346d86e17893b

    • SHA256

      d4313baf6018d4f453524a8406ee31022f451cf1c05b6c7ad0dce7a5954217e2

    • SHA512

      b070e16f5917ac76ea4ff6e6f4fc900cb68095f4ba13b0cfbacc1e92eef850f6fa0cf77aded69c8f658c08e2e0b2cbf2fd93e2ce3e2ce43e3c2536ddceef9bf7

    • SSDEEP

      24576:lyRp4a5waeuIsyC/GXLYDXt0/sYSuvLm8pYs:ARpNJet9EG8K0YVqF

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15