General

  • Target

    c741e309cca1439b9dde1d6c5ad9678582165daf6370aaf4c13c05cf36441cd2

  • Size

    838KB

  • Sample

    240417-qkewhsha93

  • MD5

    6f76be38bc20e99c7ff4a5a143809be8

  • SHA1

    a7f70b183e9f6a1078e16b157d479b74ce59df6a

  • SHA256

    c741e309cca1439b9dde1d6c5ad9678582165daf6370aaf4c13c05cf36441cd2

  • SHA512

    6ba1741a37d99eaef2aa6632daecf96b475d36250fa7784f999b05e67580aad82f1eb43643aa78cef0291bee404eb486d90d59c3c1c73e47abb88aa3ad3c836d

  • SSDEEP

    24576:0ANlFgrmgEncyTXvqRnfhUNq6+erZRkYvvatrreyJ0FcW:armdzqRfhAhroQytr6yscW

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Targets

    • Target

      41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975.exe

    • Size

      882KB

    • MD5

      c2874e64dc4a713e5f1a394c132d9382

    • SHA1

      f8e8f6448660d3bde3affda3a4534e24d2bd6074

    • SHA256

      41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975

    • SHA512

      95c339e5bab30ea79de68e97ab6ea06cc0520807610bcf9b25267b8150b718078b28243a5347e51ad89f09fc736bd35cb077222b576992e6361b64b7ec316b45

    • SSDEEP

      12288:tMr1y90Jd4rJMuNnRX3l8dI2YcKoPLByw4yNkz1sLw1m5pPT4zVyc8kvjRMbHaCE:oy44plHolDkz1AIeCzAc9yJIixO+8

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks