General

  • Target

    NEAS.7011baaee0cf94f06cf89fd2672f6d3e0a304abd72324532cc4e871326395391.exe

  • Size

    1.3MB

  • Sample

    231111-mnwfwsee97

  • MD5

    1479ee68750242f019956fd3443e761a

  • SHA1

    8253aebd1a754172c192e1e9ffd1d5e7a9af4ea7

  • SHA256

    7011baaee0cf94f06cf89fd2672f6d3e0a304abd72324532cc4e871326395391

  • SHA512

    164f9acc32622d68033454087ef21e3101e02d938f82c3b7c993ded4624d469604372c8b339539c852c85f7dde2fe05ba6298aec1fb699ef768e765562b0b03b

  • SSDEEP

    24576:3y3B0B/2xS0WWvaeoIs2CFG0pYDNQcrc/0a2ODjjIN3JvMeZKMGeWgfXr2:C3KQIfe/16GD9c8ODjc35MeZR

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks