Overview

overview

10

Static

static

3

744fdc798d...53.exe

windows7-x64

10

744fdc798d...53.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    744fdc798d950d8d4b890617c67c27a48b2fe5cb7cd61b8d09a683c53577f453

  • Size

    1.2MB

  • Sample

    231011-rk974aed54

  • MD5

    e5c54cbf46d841806a873bb5e83ae512

  • SHA1

    f501bfe9ca0d2e01af55a776ddde5ac11cdd328f

  • SHA256

    1c5496dd020af54c0a009c0610f754e22cd9aa67b5d31e4451176a3d5bc972d9

  • SHA512

    fc12921dc98cf269381eac173f2fdc28addc5d3bcf300e73e8b8cee1090513e74dba524312744c0660e79ec5884ba4d06e5399a67cbf50c12870fe1585996279

  • SSDEEP

    24576:pQAykGKtIib7mKud0CD3AnBA98u0Md3T/rF9RS+UheTK9RUJzAmb5/ucZE+5b:pQHkGKqiPlg3w4Z0UHFzfUZvK5/ucZnF

Score
10/10
healermysticredlinedartskendodropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Extracted

Family

mystic

C2

http://5.42.92.211/loghub/master

Targets

    • Target

      744fdc798d950d8d4b890617c67c27a48b2fe5cb7cd61b8d09a683c53577f453

    • Size

      1.3MB

    • MD5

      923dfe57fbdd399a2dca8efd588b4804

    • SHA1

      1dc2d17f48573d28904324fc221e1c82c6ae13d2

    • SHA256

      744fdc798d950d8d4b890617c67c27a48b2fe5cb7cd61b8d09a683c53577f453

    • SHA512

      9c4201d68c6676ddca5d375eea13fa337c82eb9c229a4cc46499ba170a3b23fa8f9c75661ec316576325d7f8efe21879357dfc94cb75f2e07aa13dd744c4ddf2

    • SSDEEP

      24576:aykCKpllsq0QZ7mcuF0C93MnBC9qu0Md3tjr99RpHU5edKtXUDFDu5LQkZa++P:hkCK/lsqDdFC3UKj0UJ9zFUTeDu5LQkz

    Score
    10/10
    healerdropperevasionpersistencetrojanmysticredlinedartskendoinfostealerstealer

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks