Extracted

• • Target

    41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975.exe

  • Size

    882KB

  • MD5

    c2874e64dc4a713e5f1a394c132d9382

  • SHA1

    f8e8f6448660d3bde3affda3a4534e24d2bd6074

  • SHA256

    41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975

  • SHA512

    95c339e5bab30ea79de68e97ab6ea06cc0520807610bcf9b25267b8150b718078b28243a5347e51ad89f09fc736bd35cb077222b576992e6361b64b7ec316b45

  • SSDEEP

    12288:tMr1y90Jd4rJMuNnRX3l8dI2YcKoPLByw4yNkz1sLw1m5pPT4zVyc8kvjRMbHaCE:oy44plHolDkz1AIeCzAc9yJIixO+8

  Score

  10^/10

  mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

  • Detect Mystic stealer payload

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1