amadey

Sharing

General

Target

r.zip
Size

13.6MB
Sample

240522-xe6wdacf54
MD5

1cb3243679c7fcc6547d31e58c0da5c1
SHA1

97a2fbb77a46a63d238cc017c25c41a39c8dedc3
SHA256

692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1
SHA512

1915df86a46396b5d93cd42fe5c2af09b3c1cf79282b1b7f7a3d50cf4cf2b55b274d55b2b50512c3317a50a5157afef047b8114ba92fcf205dfa460a883522bc
SSDEEP

393216:/OMQBSD+4uxkFBZ7ahGZ/WHoFZdJlS07+oAVmbcm8bEXReHeq3U0+cS:/OMQBBgVahGQiJlJ8QMXRw

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Targets

- Target
  
  0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513
- Size
  
  1.5MB
- MD5
  
  99fbd30f8f297404375178545e9a5671
- SHA1
  
  eb2faa70c32320bdfd5bab75e879a2883bef1f59
- SHA256
  
  0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513
- SHA512
  
  e30e2053d363b1eedec5a5493e4304b18e1418944ce5cea2dd1336bdaaff621e86b29877189b383baaf64987099cce625f12785b690c63ae284179aacd880801
- SSDEEP
  
  24576:dy8BJhfdaB7d47P6cDYqgmrw5dR9rYT1gIZU6G2U/RbQ6LoEWklTHDv+oR9efG9:4ugB767ScD82w/R2Tj7uGZEWk9zHjc
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a
- Size
  
  609KB
- MD5
  
  703253f6264bc91569813f4a823cd21a
- SHA1
  
  6631769e1f66e381737de8b3c2fdd6ab066e9e57
- SHA256
  
  11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a
- SHA512
  
  b41b64fe7c5ff95253e8b1130b19fbc330a87559dd1dda8df1ee265dcb0c2fe5ec07d2e493db360c09c3ba67b0bd79e412dee1157f25a9ea6187e01364fb6645
- SSDEEP
  
  12288:EMruy90TI/OchkT+nMNtFyGjtCVfbyt5YyQc3kpU36vaMfxcwRKQP2:CyAoHh9nwyP+t2Q3QJPJV2
Score

10^/10

mystic redline mrak infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a
- Size
  
  604KB
- MD5
  
  4a49f25c21c373471295f4badcee8cd5
- SHA1
  
  dc1871d02c5f5af9ae2a0e24ff0c1cce6ef48b58
- SHA256
  
  17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a
- SHA512
  
  95261235a51c77f85d1751907cea517529a9bc6179af76ab2c494ff2f702cf265f8bee8fb60b74ab7bb8094432fa9572bed065078a133480ff3c93069347d69c
- SSDEEP
  
  12288:hMray90lso2v9t6ehpXEtFyGjjCYfHGp1Pu5UJK6PYwqbPa3Vr:vySX2v9t6lyGmm5UE6PYPbSB
Score

10^/10

mystic redline mrak infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726
- Size
  
  812KB
- MD5
  
  79983cb4cd4ed44124acf90324aab153
- SHA1
  
  95cbc2ecd9756f962ec62f265dd70b37efc50fe0
- SHA256
  
  346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726
- SHA512
  
  a2d737b6436c7550ed5d3f2c8d3cd06f21b019613ea71791f9b9f519eeb54e9c2ac0a0290577c86f2afe56f81161dfb981dc00a8e2483ad152b4e3784fc9ba63
- SSDEEP
  
  12288:0MrEy90SXhiDq45nmnagUKW2WjcYOTDXKznBc6RZkReqPNgUnnTwR:QyNq3ma+sLAuBc6RkeqPNgJR
Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f
- Size
  
  582KB
- MD5
  
  d65b8e601b5fdb8b40ea6d22fd7e47eb
- SHA1
  
  e17ef0d987c09976de4825f1a21113b6924a580b
- SHA256
  
  4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f
- SHA512
  
  7978421c2c01dc1a1a4cea13772b526dbc69f6b46dd5c2b5e4ab4dd6768edde078f0b1a2816097bfa9e4bdbd5f94b2187cc322511001025364fad40cc034590a
- SSDEEP
  
  12288:FMrxy90Ydrzg5EyOuXQCRKR0EXVp7lM1aoxCTKx:EyFdvCEyuCRKaE3l7oGo
Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a
- Size
  
  912KB
- MD5
  
  5f4de66cb9b1568753b8a44fad14b23e
- SHA1
  
  e2c294ab014a574e4b8ea8d65f2ae46af5f3713e
- SHA256
  
  5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a
- SHA512
  
  acd31c122a20e8a77ab2f170f783679a2924d1dc958b32f384474590a0ea90c525976ce1c7ccd5be82098d2cee90bbfc9293ebae89a86fe3919ee929cd2265e0
- SSDEEP
  
  12288:hMrMy9025kLy2eMdZp7L5QvRc/3aVqtmikIDH3qh5LAYUKEnIqHF+x7SB/h5vs6:FyT5tAf5Qk3CqtwUa/LAHn1HF+1SB1
Score

10^/10

mystic redline luate infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1
- Size
  
  563KB
- MD5
  
  b1cad70cea703c95c6bf90d74c4bfd89
- SHA1
  
  1a08e9ad7c417a5011915ccda1a1ec130cd7d3ac
- SHA256
  
  64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1
- SHA512
  
  4f7c7367da4b3009f5f1691832f88de0a7df9103ba16ff43c92fb3d0eec813005a6f6f31e0b3853b2ce07e2d5c9d0be331f1e60bed9bf8f3b3ebcbcab9a4b2de
- SSDEEP
  
  12288:KMrxy90uoiqvTegFhHXzNOI+74h82WRiHJ1CVVVV:nyKEgXHDNn+487Ry4VV
Score

10^/10

mystic redline kendo infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7
- Target
  
  7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761
- Size
  
  319KB
- MD5
  
  6d8e57ec9fb40242960e48d22f43a496
- SHA1
  
  bae3e231233d07ab1aa2262999e1934666a1a79a
- SHA256
  
  7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761
- SHA512
  
  7f411509e2a98d9fbd24805093b3cdecfaa0c2d16b7dc579b1fa1ec5b32786a796c1ccec4cd04078592954680dc9ce6638eccb2b51decf5ce46b6277f87458b6
- SSDEEP
  
  6144:KLy+bnr+vp0yN90QEzrKEP3ve7yRfsK6KRFjEXtaBv7FlbeVeR4No5/Z:pMrvy90BKU/e7RK6KRdEXYp7f6VG4N2Z
Score

10^/10

amadey mystic 59b440 persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  8c970cc94c6aab0b503af6d60e60f5c6c870576c82be9233ab884894899a97d3
- Size
  
  476KB
- MD5
  
  d102d74d723e6d923e01415cd5ad000c
- SHA1
  
  4915d3a0cca73089132731e78c415360fcbbedf0
- SHA256
  
  8c970cc94c6aab0b503af6d60e60f5c6c870576c82be9233ab884894899a97d3
- SHA512
  
  1f73ec48b7e6a36fab172c4d35345b23bb43ff69231f6c1606b239e6398ab3cedcf7b2a3b12b7ee5b2a05e811daee5d21b12693e4d06139cc6d8194cef9d33fb
- SSDEEP
  
  12288:8Mr2y90RhNlSVqPwTdRWKREEXYp7+dwu2bWN:ayOlStHWKaEA+yu1
Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral9
- Target
  
  9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24
- Size
  
  662KB
- MD5
  
  ad556af301bc23d9d68e88347510597a
- SHA1
  
  33c98a0a8322aa276c825a76dfbe90eb89adb0ed
- SHA256
  
  9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24
- SHA512
  
  13b7701cdd1b901df94c7c4dafb68bd37949c822aceb29aa55d04bb5084772c9886f9e8de81e4ed221cfb6c44fa101f395120c02d520fc9fcf03e42e2b80303d
- SSDEEP
  
  12288:3Mr2y90oQvlJuZN/gE/AT4aV+nD/xybAP5fI8CR5dXyALD8J0v:RyRQvlcND/AT/V+tpP5fVCjdiALYJ0v
Score

10^/10

healer redline mrak dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10
- Target
  
  ae96a881fddd0471c5a462a0b27848d72c34ba866c6061e0f84ab3a1097a7a69
- Size
  
  277KB
- MD5
  
  7914d68695cc6f54cb467bbd1ea1b980
- SHA1
  
  a44f0dcc322e4cddf86f087ca9b97b7c44fd6091
- SHA256
  
  ae96a881fddd0471c5a462a0b27848d72c34ba866c6061e0f84ab3a1097a7a69
- SHA512
  
  644f90613eb98fe37d95d215271f468ffce81bf939000b9acf5479ae8a8d2668202da25ebab5df1095349bfa3ab650cbfdd2a723f9e3b5bbd3bb7be8471eb07e
- SSDEEP
  
  6144:K6y+bnr+Wp0yN90QENekbA4OPoMeP90Rk7WD6:GMriy90vekbLOQMeP+k7WG
Score

10^/10

amadey healer 59b440 dropper evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral11
- Target
  
  b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5
- Size
  
  845KB
- MD5
  
  48567c75c4c768747990b660f8c98486
- SHA1
  
  c5d74fb54ab54eb6097414ab1a4c3f80481dfdbc
- SHA256
  
  b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5
- SHA512
  
  352575ff5f4c3d71905472f5fa1821bd89c0a74f2f66eec4a8529a05ff8155e24fb095fff87c9b425a855f94bd2e29178faa2a8b1bbf4d45c5dce2601f147cb2
- SSDEEP
  
  24576:wyTGPDzqeWDz0usMLfZU1nloJ6e6uVQgEb:3SP/9+z0usCq1nmLFE
Score

10^/10

amadey healer redline fb0fb8 mrak dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral12
- Target
  
  c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351
- Size
  
  600KB
- MD5
  
  520164b716b018381b9c742d869b32e4
- SHA1
  
  c106a10d377bf9b4bb5a4fe99565e2a3805eca05
- SHA256
  
  c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351
- SHA512
  
  fa004fa2f7170cd50a2ddca65dc26d9ab732ee6f1db843458215827f5ee26f102730e0bbf616276c42643224eef2205fc4d14238c9838d3cdd5a3c58e9316c9e
- SSDEEP
  
  12288:bMrRy90DursHSHejS8J0CUKR/e7tRJKRoEXMp71vTkMFnhCF2ZR:+yppH6J1UqG7tXKqE81IMFnhd/
Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435
- Size
  
  812KB
- MD5
  
  f5f40df358fb020b709a87b5ed4ec4d3
- SHA1
  
  7a1412af73b32c7c9a61007863b57f50570645b2
- SHA256
  
  c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435
- SHA512
  
  f45fd35998f15a6204494bb8e99391571f35e6e4867e56bf78a818062c75942eea2a63cf93df732f7ed0d6eaf79d49e4a165b1b6ad62df994550e57a1125d3ba
- SSDEEP
  
  12288:AMrsy90fafIyG5ojpCh/IL7ElM0kHP5/rmMsj+IgMcFLzZp1/9mOh8++OM:cyMojpCh/+7C4xrmMi+I4Fpr/kOh8D3
Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral14
- Target
  
  d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404
- Size
  
  812KB
- MD5
  
  c32af393533d7be2f96748156338d33c
- SHA1
  
  a58be11608b6f27970a62122c7bb6d4e8536a02a
- SHA256
  
  d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404
- SHA512
  
  9e1f47b3c20f4fa0b0e97758ef702aad9781756266c7c6c8916e189ca00cc477e641524fb84a61b50604adc0e5f231d7a7ca069576dd27631ce1fd58ce2146d0
- SSDEEP
  
  24576:Uy72IKmbWYfa3qnoWU0+AhWPlWLZJoXi3Om:jyHmb5i3qAn/PcLZJoXG
Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral15
- Target
  
  eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352
- Size
  
  645KB
- MD5
  
  5c7efd9ec3e27bb93244365f3ccf6bd7
- SHA1
  
  8cff2506763935140038ddfd27738d40ebf05eab
- SHA256
  
  eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352
- SHA512
  
  ea7f94292cb9c024af86dd3176afb4daa7940d2fc6c3616bbba3d9493251273ab921916a04f6a5fd629a5204199ea9dac8948bd03a5031333773e695bf32ac20
- SSDEEP
  
  12288:6cMrEy90nyAH07CUhQWRNJcN7MOApGiBg4D/ovR18txF7y+bR6Vq:64y13eUhiPA8iBDxF7+o
Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral16
- Target
  
  eb7c2e9dc2416d5168ea11cdee85ea662e4aa32921edbe521787e1a7dcc79228
- Size
  
  771KB
- MD5
  
  593fd33436446b18f88bd2d596dc126f
- SHA1
  
  1ab1f4b4a6057cf0d51780194be0a4358502fa30
- SHA256
  
  eb7c2e9dc2416d5168ea11cdee85ea662e4aa32921edbe521787e1a7dcc79228
- SHA512
  
  92c5f75ae577806092ba01d709b498aa122df86d7bcc6b7b15aee4ff1fc84137309a66fd5a6a66ba9f05c44113edffe4aa6fd81e218f8d4121b2dc0ef4680604
- SSDEEP
  
  12288:TMrJy90MI57GM5n2MwKciVlDz22oIjdLibc69f44FJ2RHDBUwXpZfSr:Sy3q7GMHfRVlH2IjdO5fHOuwXpZfA
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf
- Size
  
  943KB
- MD5
  
  6df35c0bf802827179491a87b3fcaef6
- SHA1
  
  6c11c82d7422d46b4d1e143f25e3ae467c81eb01
- SHA256
  
  ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf
- SHA512
  
  184e32ed3c876db2b436ed847e6e485fe836ff40ea52bea0d79fa255ebc55e20427ff55dfeb5c197591f29e83565acd533745a0fcd0f59b04e7a153279dc7e69
- SSDEEP
  
  24576:+y3lCj5PuU09H6ASUTFegI5QEpHUVDus7CY7:NI5a9HHxbUHGRCY
Score

10^/10

mystic redline kendo infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral18
- Target
  
  fc2a3968133c3c96ae55dfdd56ca5b4dd51ed30658a98d55193b96e1533f4013
- Size
  
  814KB
- MD5
  
  4527bf2f344a13d6185f1a6da0302c2e
- SHA1
  
  bd22d40e1536515deab632cec917ae895dd3587e
- SHA256
  
  fc2a3968133c3c96ae55dfdd56ca5b4dd51ed30658a98d55193b96e1533f4013
- SHA512
  
  1373be04134192b800c106ba9214941e12cfd6366b97023a07724ab7a86468996509604a20e6284cb5d549d4a4bd5a193e511487a054ee059c226f849f548c1b
- SSDEEP
  
  12288:kMrAy90Wv+ehdmYET2qlvV1x0nt6o58Q82qcaLRjWwL0Gj4iycQLrZNNqXGl6u:EyLvPhXYzJjTo982v5a0duQLXlp
Score

10^/10

amadey healer mystic redline fb0fb8 gruha dropper evasion infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral19
- Target
  
  fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890
- Size
  
  1.3MB
- MD5
  
  5bbe0d4d9a0315328670257d051d24ec
- SHA1
  
  703f9e52cfa0752b6fe32ce544542d41c26f3414
- SHA256
  
  fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890
- SHA512
  
  346a4a5629c810d01660ca7b5fe27ca96b89df01e8fe8966858538ed64e06b35fc3aa6d4f39b7f2edfcad380e33a0e634d48c7eba4da1e928f6d0fee0644c35c
- SSDEEP
  
  24576:6ybUKxddkeq9KQxslEr58eZS7EWzWvm9bb+0je8be0QDeBc1:BbZniKQxslE98eZS7LT9b7bCeB
Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral20

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Amadey

Detect Mystic stealer payload

Mystic

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Amadey

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE