Overview

overview

10

Static

static

3

c5f12486eb...b0.exe

windows7-x64

10

c5f12486eb...b0.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    c5f12486ebaa299ed804fe39daaf5eb90a0029d1b6ee98d9426b42978aa2d3b0

  • Size

    1.2MB

  • Sample

    231011-ywapyaac7z

  • MD5

    d39abdaaca8428711f4a6900509ea1a4

  • SHA1

    d05ac2ce9780adba4300b1cad69799db443a6a70

  • SHA256

    c5f12486ebaa299ed804fe39daaf5eb90a0029d1b6ee98d9426b42978aa2d3b0

  • SHA512

    70b19749419ca07fe09d931bfc15b54f7e517ba42da3fd03411a7df34456f25943bb0b18566f18a6c48d272ae0a848828716b3e07ee9eb2d2c3f2d89f1b114ad

  • SSDEEP

    24576:VyuvuF0ZJ5EgdXEYOhYeuymbx+HTr+xo3K+JdQrspj9QgKF9Ff:wNFUEY+IXbu6xo3pJursl2nF

Score
10/10
healermysticredlinedartskendodropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Extracted

Family

mystic

C2

http://5.42.92.211/loghub/master

Targets

    • Target

      c5f12486ebaa299ed804fe39daaf5eb90a0029d1b6ee98d9426b42978aa2d3b0

    • Size

      1.2MB

    • MD5

      d39abdaaca8428711f4a6900509ea1a4

    • SHA1

      d05ac2ce9780adba4300b1cad69799db443a6a70

    • SHA256

      c5f12486ebaa299ed804fe39daaf5eb90a0029d1b6ee98d9426b42978aa2d3b0

    • SHA512

      70b19749419ca07fe09d931bfc15b54f7e517ba42da3fd03411a7df34456f25943bb0b18566f18a6c48d272ae0a848828716b3e07ee9eb2d2c3f2d89f1b114ad

    • SSDEEP

      24576:VyuvuF0ZJ5EgdXEYOhYeuymbx+HTr+xo3K+JdQrspj9QgKF9Ff:wNFUEY+IXbu6xo3pJursl2nF

    Score
    10/10
    healerdropperevasionpersistencetrojanmysticredlinedartskendoinfostealerstealer

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks