General

  • Target

    f0f6a06cd841e1f48c30eb454d6e1cc5fdb550391f50e24332ad1ca8f77c00f4

  • Size

    1.3MB

  • Sample

    231111-w4621aag91

  • MD5

    464e1b3c51a9258b7c83eb5a3465dd49

  • SHA1

    b615decf1faf5ad75150877e9be51af2bb541a2c

  • SHA256

    f0f6a06cd841e1f48c30eb454d6e1cc5fdb550391f50e24332ad1ca8f77c00f4

  • SHA512

    09525e74b947fb53083708dc12963b5495968c184239d2f9d411ac2b6696cde6e4b8e15fa54f4bc0a0b38cde5a09c718b7392aeb5cfa5d8b58c4ab392d89bf0e

  • SSDEEP

    24576:xyr3yzAoTY8aeqIs0CeGj/iDAOqmKg+N8ixcnzf7VMlsTeJ0b4XpjS:kjyzBToexrfGOsTmT+NX4f7GceJTj

Malware Config

Extracted

  • Family

    redline

  • Botnet

    taiga

  • C2

    5.42.92.51:19057

Targets

    • Target

      f0f6a06cd841e1f48c30eb454d6e1cc5fdb550391f50e24332ad1ca8f77c00f4


    • Detect Mystic stealer payload

    • Detected google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks