General

  • Target

    r1.zip

  • Size

    15.4MB

  • Sample

    240522-xa6d2scd62

  • MD5

    dd88887c1c2f9e062d4668ab6eeb02e0

  • SHA1

    381952d4ee5f134df2d71e41f16257aea7202618

  • SHA256

    ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

  • SHA512

    c754be33dd6702503c63cad0ffb63650d815ab32513333932845f6a884a02d5629c2719521932b9609bd321c7495b90a2358f8984abadcb76e7369520f0ea1fc

  • SSDEEP

    393216:pMPpU5E7G8xHZ7mGFzCEP5MZ27KHKzCbkbkFTs:gVKI57mEzCECvHKG4M4

Malware Config

Extracted
  • Family: redline
  • Botnet: mrak
  • C2: 77.91.124.82:19071
  • Attributes
      auth_value: 7d9a335ab5dfd42d374867c96fe25302

Extracted
  • Family: amadey
  • Version: 3.87
  • Botnet: 59b440
  • C2: http://77.91.68.18
  • Attributes
      install_dir: b40d11255d
      install_file: saves.exe
      strings_key: fa622dfc42544927a6471829ee1fa9fe
      url_paths: /nice/index.php
  • rc4.plain

Extracted
  • Family: redline
  • Botnet: kinza
  • C2: 77.91.124.86:19084

Extracted
  • Family: smokeloader
  • Version: 2022
  • C2: http://77.91.68.29/fks/
  • rc4.i32
  • rc4.i32

Extracted
  • Family: redline
  • Botnet: @youngesstt
  • C2: 94.142.138.4:80
  • Attributes
      auth_value: 71ec3d0d54996f30b1d94c74838b6940

Extracted
  • Family: redline
  • Botnet: grome
  • C2: 77.91.124.86:19084

Extracted
  • Family: amadey
  • Version: 3.89
  • Botnet: 04d170
  • C2: http://77.91.124.1
  • Attributes
      install_dir: fefffe8cea
      install_file: explothe.exe
      strings_key: 36a96139c1118a354edf72b1080d4b2f
      url_paths: /theme/index.php
  • rc4.plain

Targets

    • Target

      06f3c929bab6bc6923c8d8bcc94bb40374b50fbcd1c5bb74105608664f303c53

    • Size

      705KB

    • MD5

      cefb48c11aee2707f103ac7a34b57e60

    • SHA1

      e632e41c8ae408773b48bf5d921dd0045a658fcb

    • SHA256

      06f3c929bab6bc6923c8d8bcc94bb40374b50fbcd1c5bb74105608664f303c53

    • SHA512

      dc5cc9534746091f3422525c9bc6cf621a357050b5819499592e1453dcd19e8805f32b2f781342e386a1444367971748cd216288785d015ac3f85aa5ab0fa245

    • SSDEEP

      12288:lMrny90g0NrIpWEoLi55BHZCOfbdoGYtd/JVdZNKnsAa78n9SIg556AQYsgfrCEG:iyerIWcXLHWbNKQc9KD6dYsqjEJ

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20

    • Size

      1.0MB

    • MD5

      5a1a022c71bc2351593c4966c2ccf734

    • SHA1

      288565784651e25d609b8eaaa58bc070c2592173

    • SHA256

      122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20

    • SHA512

      a2ab1e5026bd2ce1378ca61b0411ac16b9a71d68847fa050880d2e3b3b7e13bcfc56a345d387cd0762f26572690edab699f25cd8c5a924e6b074fc89e85f6ad0

    • SSDEEP

      24576:2y7gwCfl/HQGn1VVZS0fb1Cgda4m820gPOd7Jk1nf:F7id/HQq1DZDj11d6uKu721n

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c

    • Size

      1.5MB

    • MD5

      a79cf239a470549a3b4bc72b4a7c5e85

    • SHA1

      45ba7c2f0a6410323b89d07de10f1fda4ead5ace

    • SHA256

      1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c

    • SHA512

      759c0992285af843a9827e9a1f63c47b492cb8897adaeb1fdc835b2125803d000845e87e26b0e5117ccfbf09617aae388d2f683c7e72eded05a96e00dad4a28a

    • SSDEEP

      49152:AOhpTOU8O5vOPfgJX8qsi8SlvtjITFqLcYqA857:zTdj5GXgJOi8qRIp5f5

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

    • Target

      1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe

    • Size

      760KB

    • MD5

      41538167f8a6449df7670af2a204d623

    • SHA1

      1d5778a5969ccf1a30f7d00dcd332490fa780549

    • SHA256

      1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe

    • SHA512

      b3532f017d0065d5ea6446c729db36a45aa5204f1cb245b8fc179eace26e5161be7bd58e5fc1ecebe215f3a428f8315066276ca7aca3ebfc508eeb7c44381363

    • SSDEEP

      12288:jMrXy90rxDm5f/Nl9rfbFqmS0QIwJuJEu0pMwosb6y8IaD0EHQB:UyC+ff9rJqmSaaAcjos6yXEwB

    Score: 7/10
    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      1c5289e7e618b13af020062e6a741d58a9f93e862fe8f04fa08d33b6e2ace50b

    • Size

      581KB

    • MD5

      b98fb041742a723f29e0262d1ec575de

    • SHA1

      6b13f708843f071debb24b2a962320f9d3ea4cf7

    • SHA256

      1c5289e7e618b13af020062e6a741d58a9f93e862fe8f04fa08d33b6e2ace50b

    • SHA512

      79545fa8306722f9f0c1c5d8bddd696ef89762a824d65823271c295c1445db3fc97772be5f4c2ac1e27171dbfcb0bbae79d7492989f13c047b8b70af32ba4a55

    • SSDEEP

      12288:nMrdy90awEEk8jte7G1U61KRnEXMp7X17OV2Q:Gy0BkmtZCSKFEcF7OYQ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      32ca200f348780ce8d89e1c2b2a59df856ec7ce7657e7807dc4330e092222baa

    • Size

      809KB

    • MD5

      619db51cd5af2a1ba3b1569e229fe08c

    • SHA1

      0c7569574d8c8f1458a6879f45da6e16072464c0

    • SHA256

      32ca200f348780ce8d89e1c2b2a59df856ec7ce7657e7807dc4330e092222baa

    • SHA512

      613883ec1e0403ffd76b3cfd8a9b4f57811efe1ab3deab46d2eaefc3afc40e68fc217983093555d4e6f538a81b844dfe0a920bdce8715fbe906f396b49d40624

    • SSDEEP

      12288:NMrgy90ShtBRW09O8nT4znzxRSsVdR0EjVXnY9qnoBR6s1xdVTl82HyHD0Apb8U:lyPW09OP/jdR02YqnoDLd782SzF5

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3aa025ea78f4c4f22121974ca9750d5a185b237e08bdbb6226487f9b7182e85d

    • Size

      658KB

    • MD5

      b0c2c81fdcde86499d25384bcc5b5496

    • SHA1

      88e3a72292ded161a03f21a75f9867e2b37f2a1c

    • SHA256

      3aa025ea78f4c4f22121974ca9750d5a185b237e08bdbb6226487f9b7182e85d

    • SHA512

      e5bc6a333d930c280e690afe6d6ab0a9aea8faaa1c3ec3111a53b2f6c96eb92b6cdb07b2476ceadf69a9bf80a6dd3024a34560ec2e9dd5b09b647f3c5f6ceebd

    • SSDEEP

      12288:QMrWy90eldXuavK8MFqMsq40dEqPEF4FHe/O1wqFhyh1bN2Ar:WyPpdKVqMsgdEqA4FHe/0eF7r

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3bcf19ad48db781a2c873e68aa933f623915c3a94ae76b3b8bb367d1d4b90e5c

    • Size

      600KB

    • MD5

      da68f85562207f14d16a39c4f21c7237

    • SHA1

      74c8ec9f74e515866ed9f9578e380579f34213f9

    • SHA256

      3bcf19ad48db781a2c873e68aa933f623915c3a94ae76b3b8bb367d1d4b90e5c

    • SHA512

      ae6171d0f41f314aeedfd2912d1870982371e10ef73be0775c08d69a063b102271600a0606b21dc025b40687b4a42c011420f80adb3703c538b3a78cc50fb9ff

    • SSDEEP

      12288:vMr0y90VYzzAeFcW2aCwjTo2WKz/e7KFSKRcEXwp7RUcOK7Y1T7t:Py3zEeGjwA2WYG7KkKWEYRUcBITp

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      6b10f19a8c69f2455a53b070f335d6251772e99efec94e5ada48b7464cae5a42

    • Size

      609KB

    • MD5

      dd6eac9ed5ab3f460808d6d22b301e88

    • SHA1

      1a3f497943b29838025e94f6043238ac42a85631

    • SHA256

      6b10f19a8c69f2455a53b070f335d6251772e99efec94e5ada48b7464cae5a42

    • SHA512

      f030c2a32bcdd646054184f34bacd209c0245d2f9ce0d2985dcf701ebb8f8158e337e11f312d3e5e0a56575fc954fa3a7a60c65c65a9aa9a5c4ad95aa7134fc2

    • SSDEEP

      12288:WMrOy90/tL8s0kktcn7AZCFj+a29sEIGXmDrL7nAtmn/J93GKTH:8yQtL8dtOOAj+fBO7nAtmB97D

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8b1c0f6d0e624fbcd937c3ccc23b673ab7072ccc0339934effd7d6d64916b2f8

    • Size

      704KB

    • MD5

      b7141f47266f8fb53311b5a5eab29e92

    • SHA1

      c3f6fd7ea5e23c826639ee2657a4adc55645e60b

    • SHA256

      8b1c0f6d0e624fbcd937c3ccc23b673ab7072ccc0339934effd7d6d64916b2f8

    • SHA512

      053bd538bc0a33d42c9bcb76d6026f83a60c91a466feb7d2e6f945f3e86bdfe731bc462f2b18df9806d1ddc5b02d140ffdddf7e0b27c18c8b2056728b4cd38ed

    • SSDEEP

      12288:KMrOy90VPnlz2wBiDoLCPE5itsvhGIkO1ObIf/D5Sv5rjnnS+bgumM:cyw2wNW8zp7LlXirjnS+x

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296

    • Size

      1.5MB

    • MD5

      fe3fd68024dd5be5908f425eda17b034

    • SHA1

      6856965d9651bd4970c3f4ca1be34913d43ae88f

    • SHA256

      9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296

    • SHA512

      fafe21586377d4181b4ffe6d2b31c0ed4f6de866ca375da28d49b75e4599924b410f74be907683e9b3ad2129f3bf0940a591af29fcb86521771ca9e896177366

    • SSDEEP

      24576:xyL7EvC4xauMWNWNmVq0FFiAIqHBHufJDwTqbaaJiWJ9KM0mhIUgRwg+plfbWUgj:kLI1ZMWNWNsixqHBHufJFaaJipDmhE+m

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b

    • Size

      649KB

    • MD5

      da1f8161d2da254847077be0639de3af

    • SHA1

      724b87665a36d7c8b83604a10500ace45e059d24

    • SHA256

      982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b

    • SHA512

      58e64891b8a04f2068b8ddcb33bb0b79cd16dd4307acbaefa845c8929ff16584e47677e2723203fca3fe17991fb32bdda0bc1ccf8b9a2c6448487fcbc8f8f057

    • SSDEEP

      12288:sMrty909bwU8gmneOQiPy6Lb11YxkrgqyMX3fwSZYV:BygbpQzLXYhqx4R

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b

    • Size

      786KB

    • MD5

      d97d90418a7726a700763296227eb7cc

    • SHA1

      430ecef62ce1eb2830d0e197a94c211d4f94ba8f

    • SHA256

      a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b

    • SHA512

      9d55808e50e6a79a5534d934bba7de7d337fab4cf4abbb6b5e96e324b9eedf8503e89b4045d43029fea43a417db599abe8335b82c9b94c97eca479174510e6c8

    • SSDEEP

      12288:fMrCy905rSmfpxFMSmWGsUKenqO5tD20+6mf1KRpsXZp79yOQxhLY2k0Uy7Z1:hyGdfFMOoDtmf1Krsj0h02k9y1

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede

    • Size

      609KB

    • MD5

      61bd17a21335a48a02b95ab76ded1909

    • SHA1

      759a7145c9c489f1d48b7c349455af480ab1a176

    • SHA256

      a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede

    • SHA512

      d92813d7ad7ec1c6eba3d41c39c7e73474554fb9cda136dde1d4fe4fd7d878a78193e8bb7d6ab6da5d0cb00cc81afd35a48920ec4fd2d413c20e477cd7425c94

    • SSDEEP

      12288:3MrGy90NavpHis6vvFice4mMr2Lz/l/xMJD6:9ynRCsYFicjP2vy6

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      ba6bca4989ecb1792e703ed9fe411faf649a4dcb4d05d319ac2678201fd51871

    • Size

      769KB

    • MD5

      eeec40b56c7b6d71e6358b192d6014ea

    • SHA1

      e84410a95d5ee36604cefcb9c1f2131e6f2fdb30

    • SHA256

      ba6bca4989ecb1792e703ed9fe411faf649a4dcb4d05d319ac2678201fd51871

    • SHA512

      c4b4029b9a8d3897e4cde70b08848db822c22b3dd6cee1430c51775723fae43fa42c4f21ebb51c8a26a91cd303f09b7641c3e2c0710b9ef7a64d56f8d2f84466

    • SSDEEP

      12288:EMrqy90Q6rN3FQYzBc1j0wEP3FqbRG9RvhejcxWvDxh0cN3dbzap6Fk66pz7fbdt:OysHQ2Bc1jfM2DD1XbzMek6adt

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e

    • Size

      609KB

    • MD5

      991a01dc2f24d959e954facd3333af95

    • SHA1

      358d3fea9e3d609db40a663a1e1649b3ebe01aed

    • SHA256

      bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e

    • SHA512

      254fb0615c4800690e65f69e1c8f6f1ca4072cb684d26928f95c1983e590e02a7fc935d973b8fdc2aeec31fc976cd163c49da923cee56de6c51b1532d1114e2d

    • SSDEEP

      12288:GMr+y9067bv7ep0xO1z7KUQLrVuhX12NZ7W3m1wR0Br0zyFxPNeZ4D8:sy3nvE0xFhuhX12y2iaBr0zyXPN/D8

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bcce7883f84c054a7e0e31d30fae77ecd28c2dc7149f36958b01440bf0334ea7

    • Size

      1.1MB

    • MD5

      70cfabed1c042d1256b7a9d3c54366ca

    • SHA1

      e8fb44daf242175fba34d583533a1b60a4ccaf31

    • SHA256

      bcce7883f84c054a7e0e31d30fae77ecd28c2dc7149f36958b01440bf0334ea7

    • SHA512

      b5db1d0488fb60229f5cc9478c7187e81353336cdae3d0efc28d1582abf3982c62ef105bc8903bf2cb046946abe9aecc8c5bed49c32b7b925f14c8bd9f8957bb

    • SSDEEP

      12288:sLezkH3T4U+zNJUWcaQ57xBOgzm7E9vvlM0snyWzhYHVh95zRiwkH6fuDM8ef6GV:slX1+zNvcaQ57x9Gml5h9xRicCYt4MD

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3

    • Size

      1.3MB

    • MD5

      d87222c75e0b7ee1154795ba46999ae0

    • SHA1

      fea22aae1a7637d583c6065d68b8120e52db1b39

    • SHA256

      cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3

    • SHA512

      557c7d266abaf8dcd13fcb15a3cb69c6defdb83a821a5b2556f6dd136723910c1ee7e87b558f8441a4f813f689be28923455e0c7418c5e1da7e1687035e54377

    • SSDEEP

      24576:qy8KbW9vlamXzWNS17TMbbR1a5l5pNAfRVybAJxTMVI9MtX:x8f8mh7TIRo5BCRQ4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f446c909f19842f14d9643227c64f29a129aefa05bfd1800cdf1d9231454083f

    • Size

      325KB

    • MD5

      94423a76c276ef0619854c22feb44640

    • SHA1

      ade1d5f65c42a03b7f2320c9d281b72f06002606

    • SHA256

      f446c909f19842f14d9643227c64f29a129aefa05bfd1800cdf1d9231454083f

    • SHA512

      0fa2fb4222120f91a8eafe37c558c9386a6fc8e7bf5dcdd951d20d099b1b5a758ed7c56897ab5fa377b34fb4829ca273c0dc4943182d4fa51d32ac3ed71160e5

    • SSDEEP

      6144:K4y+bnr+bp0yN90QEcwrqnDMxPzT2hn1RNfcb35572kM0P8:8Mr3y909qn4BTSzu1R20P8

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916

    • Size

      1.5MB

    • MD5

      61e04eb078ed0e96fc2a097335c3634e

    • SHA1

      b98a488dc86eb0314665ae372a71ad0b8d345b34

    • SHA256

      f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916

    • SHA512

      1c6654ded80c7fd95c829259f0f08d35a0a4d4f6456454cc0f0989adfd342b92eac1b89e43e9c37658674c4f567373d154db925955779eb9fb5dbd0260af54db

    • SSDEEP

      24576:nUymkWGEDMu+H/8/BGOnfQiUUSj5AW83bOxRbx4Yk+lHyF+k7w:jDWnDMu+H/YBGyQinC563bOxRbxdBW+y

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution
  • Scheduled Task/Job, T1053 (7)
  • Scripting, T1064 (1)

Persistence
  • Create or Modify System Process, T1543 (8)
      • Windows Service, T1543.003 (8)
  • Boot or Logon Autostart Execution, T1547 (19)
      • Registry Run Keys / Startup Folder, T1547.001 (19)
  • Scheduled Task/Job, T1053 (7)

Privilege Escalation
  • Create or Modify System Process, T1543 (8)
      • Windows Service, T1543.003 (8)
  • Boot or Logon Autostart Execution, T1547 (19)
      • Registry Run Keys / Startup Folder, T1547.001 (19)
  • Scheduled Task/Job, T1053 (7)

Defense Evasion
  • Modify Registry, T1112 (31)
  • Impair Defenses, T1562 (12)
      • Disable or Modify Tools, T1562.001 (12)
  • Scripting, T1064 (1)

Discovery
  • Query Registry, T1012 (12)
  • System Information Discovery, T1082 (19)
  • Peripheral Device Discovery, T1120 (4)

Tasks

static1
  Score: 3/10

behavioral1
  healer, redline, mrak, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral2
  mystic, redline, smokeloader, grome, backdoor, evasion, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral3
  amadey, mystic, redline, smokeloader, 04d170, grome, backdoor, paypal, evasion, infostealer, persistence, phishing, stealer, trojan
  Score: 10/10

behavioral4
  persistence
  Score: 7/10

behavioral5
  mystic, redline, mrak, infostealer, persistence, stealer
  Score: 10/10

behavioral6
  amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral7
  mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  Score: 10/10

behavioral8
  amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral9
  mystic, redline, mrak, infostealer, persistence, stealer
  Score: 10/10

behavioral10
  amadey, healer, redline, 59b440, mrak, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral11
  mystic, redline, kinza, infostealer, persistence, stealer
  Score: 10/10

behavioral12
  mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  Score: 10/10

behavioral13
  amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral14
  mystic, redline, mrak, infostealer, persistence, stealer
  Score: 10/10

behavioral15
  mystic, redline, kinza, infostealer, persistence, stealer
  Score: 10/10

behavioral16
  mystic, redline, mrak, infostealer, persistence, stealer
  Score: 10/10

behavioral17
  redline, @youngesstt, infostealer
  Score: 10/10

behavioral18
  redline, @youngesstt, infostealer
  Score: 10/10

behavioral19
  mystic, redline, kinza, infostealer, persistence, stealer
  Score: 10/10

behavioral20
  mystic, evasion, persistence, stealer, trojan
  Score: 10/10

behavioral21
  mystic, redline, kinza, infostealer, persistence, stealer
  Score: 10/10