General

  • Target

    f9565cf61bb3c7a2977310e44fdb6b08d407f3d56424e88086708737269f9f59

  • Size

    834KB

  • Sample

    240417-qj4hgsha79

  • MD5

    1c3a1ce2b11ed32ac7afdc4ec24b58c2

  • SHA1

    837c71427fec85f7bff4de9e1f4bce89af3316fb

  • SHA256

    f9565cf61bb3c7a2977310e44fdb6b08d407f3d56424e88086708737269f9f59

  • SHA512

    52c32b46e728ef06249a3a2a68c2b494ee3ee844ae1d3b0cfb4a21f8526cc697d2d34798b56f19c81cb20ebed1a21af693b9180bfee0bab74acddd30307696a2

  • SSDEEP

    24576:1sKms/kNI6e64OzjyoCbbtuTTEBlGsdJ62/Z:1sVs/cFzjXcsTo7tdJ6KZ

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Targets

    • Target

      c3451f17e68d7115f4d2304d7102363fd86a8fe137f2557445f9020dd081584e.exe

    • Size

      877KB

    • MD5

      f19b25a510f738c87d225ec095f62267

    • SHA1

      7c88a8cfc3a21a191f30a0a25a7beade95aacdbf

    • SHA256

      c3451f17e68d7115f4d2304d7102363fd86a8fe137f2557445f9020dd081584e

    • SHA512

      35a18109ada15f0425bccedf610d6a46f3d6e1490a63caa3ccdf3d0d6db0020a3f98f39747a762aaf310e4db3b3f2300649fb06281b5478ef4288f8c78a31548

    • SSDEEP

      12288:xMrNy90/jzTZ7vwCgfMHrwSTw/xQdvTccDJbrLK+8+4hIE6afosGF8fU7pTMRJv:4yEj+C3jw/xQpcQfLP8M5gQsuq

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks