Overview

overview

10

Static

static

3

9f5b21ce9a...2f.exe

windows7-x64

10

9f5b21ce9a...2f.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    9f5b21ce9a0b727da4f89ed2530e54a3ebbd3f1fe040b2066764f715c697272f

  • Size

    1.2MB

  • Sample

    231011-vzddfsbg5v

  • MD5

    212ec02ed9fd8f2ed8b8ff1b702c10ef

  • SHA1

    d4501b4e1bd14fc2e58e2d5ad599817d4ed78601

  • SHA256

    9f5b21ce9a0b727da4f89ed2530e54a3ebbd3f1fe040b2066764f715c697272f

  • SHA512

    034a868dbadb697bdb1f221b3883e431a22daa267ae2f2b86d230a75f273e6f0caead377588a2b07546fb0234dfb3dff7bc718d6d7af6726276898269cc6f69a

  • SSDEEP

    24576:YyE/Wd2pDlNi2wO3+zeXuA8J3/vi0p6exqCrgsu+ab9iWTcktB+v:fSW+RNi2NqeX78V/q0qB0w/

Score
10/10
healermysticredlinedartskendodropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Extracted

Family

mystic

C2

http://5.42.92.211/loghub/master

Targets

    • Target

      9f5b21ce9a0b727da4f89ed2530e54a3ebbd3f1fe040b2066764f715c697272f

    • Size

      1.2MB

    • MD5

      212ec02ed9fd8f2ed8b8ff1b702c10ef

    • SHA1

      d4501b4e1bd14fc2e58e2d5ad599817d4ed78601

    • SHA256

      9f5b21ce9a0b727da4f89ed2530e54a3ebbd3f1fe040b2066764f715c697272f

    • SHA512

      034a868dbadb697bdb1f221b3883e431a22daa267ae2f2b86d230a75f273e6f0caead377588a2b07546fb0234dfb3dff7bc718d6d7af6726276898269cc6f69a

    • SSDEEP

      24576:YyE/Wd2pDlNi2wO3+zeXuA8J3/vi0p6exqCrgsu+ab9iWTcktB+v:fSW+RNi2NqeX78V/q0qB0w/

    Score
    10/10
    healerdropperevasionpersistencetrojanmysticredlinedartskendoinfostealerstealer

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks