General

  • Target: 83f9ac8f5c2c168f911f7c15829ee95c60cf3124533493e7d4af8fccd21808c1
  • Size: 833KB
  • Sample: 240417-qwf8qabd5z
  • MD5: 64bbc061089c7a84132fa2854986efb8
  • SHA1: 49e26964dcb86b1a50f1e176161bdc12265d40be
  • SHA256: 83f9ac8f5c2c168f911f7c15829ee95c60cf3124533493e7d4af8fccd21808c1
  • SHA512: 0eacdffa23e41f697d82276d88076f875e53b0d6db16da00ad4aa522ec1ca6bc994773ea1e06ec1753dbbe04289404183234687dd4bcabe85796a7f962bd0612
  • SSDEEP: 24576:VCRQbTkDVD0grJRFmsAjwNxr8yr8pe/rMqeBH13:H/kDVog1RgD8xr8yope/rMjV

Malware Config

Extracted

  • Family: redline
  • Botnet: breha
  • C2: 77.91.124.55:19071

Targets

    • Target: 3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe
    • Size: 876KB
    • MD5: 066bb534adef3007b59a440df554a6c6
    • SHA1: 2bd0c128ee738a1761ada12b9f097b8fa82a49ed
    • SHA256: 3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf
    • SHA512: 4174a8b175a1ba4aa8fd1d9b0bb51224cf6a9b6d6b00a0d08841716a203b540e02d3df6119d0ba6f99beb26a2704bbb7a61b04cefabe6a2d9efe618c2330a97c
    • SSDEEP: 24576:AykgzpSUtBf1kZd2NqLeHdcOBla4TyouFzZRf3gD:HkWpV1kWHj84eTZR/g

    Note that the size and hashes of this executed target differ from the submitted object listed under General; when blocking on hashes, include both sets.

    • Detect Mystic stealer payload
    • Modifies Windows Defender Real-time Protection settings
    • Mystic: an infostealer written in C++.
    • RedLine: RedLine Stealer is a malware family written in C#, first seen in early 2020.
    • RedLine payload
    • SmokeLoader: a modular backdoor trojan in use since 2014.
    • Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check to avoid running in certain regions.
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of SetThreadContext (typically used to redirect execution inside a suspended process, as in process hollowing)

    Three families are flagged on a single target (RedLine, whose configuration was extracted, plus Mystic and SmokeLoader payloads) alongside "Executes dropped EXE", so treat the indicators as belonging to a loader chain rather than to one stealer: the extracted C2 applies to the RedLine stage only.

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of signatures mapped to it in this report.

Persistence
  • T1543 Create or Modify System Process (1)
    • T1543.003 Windows Service (1)
  • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation
  • T1543 Create or Modify System Process (1)
    • T1543.003 Windows Service (1)
  • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1112 Modify Registry (2)
  • T1562 Impair Defenses (1)
    • T1562.001 Disable or Modify Tools (1)

Discovery
  • T1012 Query Registry (3)
  • T1082 System Information Discovery (4)
  • T1120 Peripheral Device Discovery (1)
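The following is an added example, not part of the sandbox report, showing how the report's atomic indicators (the hashes and the RedLine C2 from Malware Config) and its behavioural signatures (the Defender real-time protection change and the Run key, mapped to T1562.001 and T1547.001 in the matrix) can be hunted together in endpoint telemetry. The event records are constructed in a Sysmon-like shape (EventID 1 process create, 3 network connect, 13 registry value set); the field names follow Sysmon's but are an assumption for your own pipeline, and the two Defender registry paths are the standard policy and product locations for DisableRealtimeMonitoring, not paths the report itself names.

```python
"""Hunt for this report's indicators and behaviours in endpoint telemetry.

Added example, not code from the sandbox report. Events are CONSTRUCTED in a
Sysmon-like shape (EventID 1 process create, 3 network connect, 13 registry
value set); field names follow Sysmon's but are an assumption for your pipeline.
"""
from dataclasses import dataclass

# Atomic indicators copied from the report.
C2_IP, C2_PORT = "77.91.124.55", 19071
KNOWN_HASHES = {
    "83f9ac8f5c2c168f911f7c15829ee95c60cf3124533493e7d4af8fccd21808c1",  # submitted sample
    "3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf",  # executed target
    "066bb534adef3007b59a440df554a6c6",  # executed target, MD5
}

# Standard locations of DisableRealtimeMonitoring (assumption: the report does not
# say which path the sample wrote). Compared lowercased against the parent key.
DEFENDER_RTP_PATHS = (
    r"hklm\software\policies\microsoft\windows defender\real-time protection",
    r"hklm\software\microsoft\windows defender\real-time protection",
)
# Parent-key suffixes for Run/RunOnce under either HKLM or a user hive (HKU\<SID>).
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)


@dataclass(frozen=True)
class Finding:
    tag: str          # ATT&CK ID from the report's matrix, or "IOC:<kind>"
    detail: str
    event_index: int


def _hashes(event):
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; return them lowercased."""
    return {p.split("=", 1)[1].lower() for p in event.get("Hashes", "").split(",") if "=" in p}


def _split_reg(target):
    """Split 'HKLM\\...\\Key\\ValueName' into (lowercased parent key, lowercased value name)."""
    parent, _, name = target.rpartition("\\")
    return parent.lower(), name.lower()


def hunt(events):
    """Return one Finding per event that matches an indicator or behaviour above."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1 and _hashes(ev) & KNOWN_HASHES:
            findings.append(Finding("IOC:hash", ev.get("Image", "?"), i))
        elif eid == 3 and ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
            findings.append(Finding("IOC:c2", f"{C2_IP}:{C2_PORT}", i))
        elif eid == 13:
            parent, name = _split_reg(ev.get("TargetObject", ""))
            details = str(ev.get("Details", ""))
            # Only a value of 1 disables real-time protection; a write of 0 re-enables it.
            if parent in DEFENDER_RTP_PATHS and name == "disablerealtimemonitoring" and "0x00000001" in details:
                findings.append(Finding("T1562.001", "Defender real-time protection disabled via registry", i))
            elif parent.endswith(RUN_KEY_SUFFIXES):
                findings.append(Finding("T1547.001", f"Run key value {name} -> {details}", i))
    return findings


# CONSTRUCTED sample telemetry; the SID, paths and the benign 443 connection are made up.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\victim\AppData\Local\Temp\3fa03f784ec205dd.exe",
     "Hashes": "SHA256=3FA03F784EC205DDFFFCF521BD6CDB53B46AD6ED6FD84EC4ECD85C545C8E2EDF,"
               "MD5=066BB534ADEF3007B59A440DF554A6C6"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"EventID": 3, "DestinationIp": "77.91.124.55", "DestinationPort": "19071"},
    {"EventID": 3, "DestinationIp": "13.107.4.52", "DestinationPort": 443},        # benign, no hit
    {"EventID": 13,                                                                # re-enable, no hit
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.tag:<10} {f.detail}")
```

The hash match covers both the submitted object and the executed target, since the two differ; the registry logic keys on the parent key rather than a substring so that a write of 0 (re-enabling protection) or an unrelated key containing the word "Run" does not fire.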

Tasks