General

  • Target

    8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

  • Size

    16.1MB

  • Sample

    240522-xw1exsdc2y

  • MD5

    00f1368c96f5e76e0c03bfa80ca07e53

  • SHA1

    5d2ab6af38d4e9c0fd02e79568ad23d8604116f0

  • SHA256

    8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

  • SHA512

    a1bf4110014ad2b888f08b22906d0e46b303ac23e96359a411cba7d098005a62cdcd9c803cd92e83b5057b2a4a2edad958020891893d173c016e914180e1a2d1

  • SSDEEP

    393216:MfqV8IVuWsGuQG2FrQI5ckq2/sWqTuGwLYPJ0J14AUs3SBbNz+C:vV8neGTIxqoETuwB8+7

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

luate

C2

77.91.124.55:19071

Attributes
  • auth_value

    e45cd419aba6c9d372088ffe5629308b

Extracted

Family

redline

Botnet

kolyan

C2

77.91.124.82:19071

Targets

    • Target

      1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d

    • Size

      812KB

    • MD5

      732e8b08f55b84327bc9756784510ce7

    • SHA1

      3f8319e7098f2d99025c21c4cf7faa3e67b31957

    • SHA256

      1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d

    • SHA512

      afe862b4f008d5b18d0aeca1a3e6ecac28c8724f301df381e591cc170dcc39dfc0bb6aa96814c668c5f424e03736f9b448acc8c104e6107d3d66afe28da11ab5

    • SSDEEP

      24576:1y07ft7pdSgS37uybqnoffSrKMf48ABP:QAfTdS8ybqIEAB

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a

    • Size

      320KB

    • MD5

      49302c87b30d9bcb659e9a43e23d1a35

    • SHA1

      158af98db3289bffa6b03298388b58c60767c686

    • SHA256

      1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a

    • SHA512

      be18bcdcb8bbf1b2cae94571e87a1487d1eda7f269204a93cb782532114cff7872df250cd3cfaa0a1a8dea3b35a8a8de9b3026409019c0a28a2d854a8de9bbb6

    • SSDEEP

      6144:KCy+bnr+Hp0yN90QEIrKEP3ve7yRfsK6KRFjEXtaBv7uNC3QdGYHeZDSRA:KMrTy90SKU/e7RK6KRdEXYp7PQj0b

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      26dae86d0011ac84e93abfd2169b28a6dee3498b8be9c3b84f657506d4e2a9a2

    • Size

      1.0MB

    • MD5

      ba3d04982933c6b5e4050768f8d27f0b

    • SHA1

      3e7af9fd14b090eb598b58bc812338c23009db69

    • SHA256

      26dae86d0011ac84e93abfd2169b28a6dee3498b8be9c3b84f657506d4e2a9a2

    • SHA512

      5fb8eb13c25e277be1932963e05577779035e1792f5704196593a6d4ceeb60e09f222623ab81feba01fe6bf00bcdd1602f7943a80c7cbca2e32a30cbaf44dd96

    • SSDEEP

      24576:1yw7VWue42Icf3RTglp+BQ+Qkkpawj42cM/ov98jC:QwBWueVRTglo/PK/j41kov9a

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec

    • Size

      1.3MB

    • MD5

      d1f9a12cbe2463928f93af9df2581972

    • SHA1

      9d71be92b4a421e298ae6fc509d326e6fcd3b3c1

    • SHA256

      35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec

    • SHA512

      125939fc5108d907644aea134f4c3a4ec961a3bb1a6111db4863b532ed671f685165154689a14f9bc735ab887d1296aed99f373ab3f98c1a0f9a590d52a41e83

    • SSDEEP

      24576:by9RXWCPEo9sN4cLWpA7eCKs6Rg8m/ZWOBjSYK9SvBsn64boafIBQ01K0Vry:O9RXWSEo9smcL++cs6inHBjSBA+rpk

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291

    • Size

      755KB

    • MD5

      a8fcd15d6414b6c08115a5e60be61b25

    • SHA1

      830a5c4f18c0367b4670f93b8453b0db062bb1a1

    • SHA256

      45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291

    • SHA512

      b7fc5d3eba1a930a4bd10f66dc0fbce764e699590bbc401bd4332ab665db0bf5b0c057b2f6ede46bad0d23faea64700a203cc869030b9bbbfdd6852b3e6db321

    • SSDEEP

      12288:SMrMy90Di0caFI+xNOWU1lllt3m/S9nBu8sUYItU0chSrVBRXqO:iyIiPaB0lPMS9nKItrTJ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748

    • Size

      1.5MB

    • MD5

      6f45d427a511cc1ecf60a30abb1e1937

    • SHA1

      c4b5ad5e2ed6234265afd495f4e18f768890f9f7

    • SHA256

      4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748

    • SHA512

      871117b4e8dd4da8e0274cfc55945fefa937c6fd4909634fe1343d10901e82a47afe652f06de03934eba8ea0c8cfbe12e48090ef56363d2fb3e047cd9080bab7

    • SSDEEP

      24576:cycO+kKIkuEmaVIL4Seir0YcaeC9XDhSv/6/BUqt7Ho8uQJpVD63Lq/SXD:LYPFmvveix9NQ69c8uQoG

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a

    • Size

      547KB

    • MD5

      ff3fc3b57f2e1ef457d7ce7e7c273716

    • SHA1

      54b6241c92f97be696ae599391a2ce0dfe9e7e44

    • SHA256

      5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a

    • SHA512

      e198c3d34f25cc5f2c24286b4e5a5de944322f3fdd4746c364ddcde0835129e7cdbda89d8166f2ce2590744aa35e5deaef0528107031387ba6d2edda2b0a5c63

    • SSDEEP

      12288:JMrgy905aKrXt7d3Hl/HtIlrQItcqbfA:xyNKzddXl/6rVCwA

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7284e9e031d95f98bb1c673f3691adb26e5acc31e6d2c745b85bc97fc82edec7

    • Size

      758KB

    • MD5

      ea8d2762441d6ff25ed7f3e5746d96e0

    • SHA1

      67555a05119607f47186e794df375f87a76c373c

    • SHA256

      7284e9e031d95f98bb1c673f3691adb26e5acc31e6d2c745b85bc97fc82edec7

    • SHA512

      cca9ea5cf244c143207e9dd380540128bdfe0850c6c600002e8342ccfb3a17c75ab5db65d11a0b8668e487e8f4ba23223a367d7f795c71ff5ca109911e60f770

    • SSDEEP

      12288:qMrNy90uQ9hUgNP4b17YufW1irR4VsEKytcWybQ621Q4eJbmQT6S:nyeXtNgbZ41+Rmc0cWOQ6n4ebm4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754

    • Size

      759KB

    • MD5

      aa1f1a243e1c643d3628a1d03fe3dfe5

    • SHA1

      9a7e886e9cf0a312e98a6ec70f2d2a67eb9ac486

    • SHA256

      781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754

    • SHA512

      eb319b6eeefc62ca9da42ac8a8b935988dd8f850fc0c02000dc08c4e56e8b9cd27dbdea3eef713a2c45a381c57add3fca4dd3d79663b888b4462c76929cc1337

    • SSDEEP

      12288:zMrxy90kdsZQT9R4xmy3mv88YzniUK2WsJ/wt17qS20y353p6ua4En6oxOcKmRgt:iytT9o7Wtu9WsJ30yJ3lXmJxq5

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5

    • Size

      1.1MB

    • MD5

      0f5d5a729ff93532847ef909acb40245

    • SHA1

      c1ee789c3def4120069e9475a8c01b93d5d20561

    • SHA256

      84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5

    • SHA512

      1cb7bf999338addbf3bd31e29c2a3811b3fa44d975ae0f526372f8341f602c9bf51802c2ef3c3e5502050bcdd7d4edf7e1bba03f70d7aa0be1f2ccc3b571c7d8

    • SSDEEP

      24576:Wyzs6aHdcaYZclKIEyGx8QxOtgrqNw0pc/T75Or1usTxW:lzsdHEylKIEyC8QEtNw0pc/TRsT

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4

    • Size

      1.5MB

    • MD5

      06af0401aecc9790eba539a0104ee492

    • SHA1

      aab2d55f1489d364efe7b939eadb248b5022cba1

    • SHA256

      90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4

    • SHA512

      19561d373013c2148480b60e5682a6af820cdd9443bfd7ac31885d6f8706dbddf6a8ca823c8270e1aa71d02f85dd4bd7ced72b4923cfc6de8f57f641ff43860d

    • SSDEEP

      24576:zykRQJVu8VgorcHsJvivI/xtXStQ+wc2ybyXaXNE74Nz5fPy+f1n7v72gEh:Gkyfu8VgorcHs9iW/yGXao+9LN7v72

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      9a3023ff334b34f4bea043eedeced95c41485b4799d3c2d56c0cb04b60143937

    • Size

      761KB

    • MD5

      05d9d7be64bbf82f6d363494fdf307ff

    • SHA1

      f707a315b91d16adcae27d23b44e04ddb8416e9a

    • SHA256

      9a3023ff334b34f4bea043eedeced95c41485b4799d3c2d56c0cb04b60143937

    • SHA512

      95c08f4ee99c6d2c6824378cc356cd9d32db6c380e2cc25f90ca31ffd6030d81dcb2a31939a17e5980898f0100491903eeac23bf8e96df3611b23458526a5b80

    • SSDEEP

      12288:qMr/y900kfIXRO68a220RojTx7cl6ozZ0QXhWQGe9q5j9vmWJjiD5c3hjDh:FyafIhO687Ro5mzZgQGe9q99mWJQ23hB

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b4b999d8f3fb923a4d4cd17b173ba8474c698443430fdc63b8da6ad6eae57d50

    • Size

      269KB

    • MD5

      c019e19af0d4a7b3c4c51f45c50c7d9f

    • SHA1

      ea0f9c0365bbc8aa19f43556c5552657d218af8c

    • SHA256

      b4b999d8f3fb923a4d4cd17b173ba8474c698443430fdc63b8da6ad6eae57d50

    • SHA512

      eb6ee1e040b6b593d60d5f4cacfdbd7db65977789a3035ab1640afd9aa2f2be055137289100f91a8e2b85156124b157ef5d4435bae4d9893c24277542699494d

    • SSDEEP

      3072:VjT/e0ctZI6461YHBe6Itf1/iTY6ce6pn++RcNLkBHgDK6gpRnUuEeAg0FujD7zO:VjxctlMQMY6Vo++E0R6gFAOfLh6zd35

    • Target

      bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b

    • Size

      830KB

    • MD5

      9c50d39c6ed47f89d58009df0a2a3e4c

    • SHA1

      5756a2f2448ce80c83e10962619e5cd416f8ee88

    • SHA256

      bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b

    • SHA512

      9d1dc06eb982fee68c190f60e61da71cf55f65394403f06ff063cf6c3b05221c8fda2c6b1fe956fa85ae9ed491c5d6d6d7095f9d1f30d5132d3e5a089a9a0c9b

    • SSDEEP

      24576:QyeH4/JFWyn+4lOHy6XJAcR1OX8e2a5QN5g87xE:X7TWkOS6XJrU3

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70

    • Size

      653KB

    • MD5

      14656483a2946f19c7c918dbe5d537f4

    • SHA1

      0f55bc8757709fc17cf86317ddd8a9b92eb9f94f

    • SHA256

      cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70

    • SHA512

      222259cbf31951a3c8bd567e715f312538fda0253630c0bb62e9bad472e8b75ed878cc4a7fcb583d9ed4d2ba6e7ba4350f06025f64d9560b16b2af93fe5d8e75

    • SSDEEP

      12288:pMrNy90j2CrZ3gEuD+IxNXGEWmnP4HWaZ0RD65h3Ef+5YW2x3iY3S98:Ey82+t1IlGE14HWnRD65ha48

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1

    • Size

      1.5MB

    • MD5

      8fde3216e73d756d94ba8e15320501fa

    • SHA1

      247978fa6f3bb3f35054d83b48d7a9c53d32e85c

    • SHA256

      e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1

    • SHA512

      2ef546b5120aa44843ba0333082306f818bed77c64a274eeabb26a0e1f020016eedddcc0cdb074caf08c0d236ebe3ae17fc6e6c0e188e3d221c307a5a3e3731e

    • SSDEEP

      24576:NyFZjHfm47W10kxzv7SDFyMr8JC0dzCHDRwTeFq9HA7Yxm5NPwl:ozjHfm4aTxzv7SYcMASTaQxm5NI

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e

    • Size

      758KB

    • MD5

      e5b6df1e49aa76560da57cbe8824d952

    • SHA1

      126481033c7d6ae68352cba3199b045c9e1f37a8

    • SHA256

      ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e

    • SHA512

      18cea250d8b200f14a5f6e84732365429c43659a53a49e1126ad4de027600465739b45b987d4813deb85cdcb2bcb744fbdd48d6d8e400877bfabe79dc05cd373

    • SSDEEP

      12288:KMr4y90NR5ht6Xs6zqRBEIYdIZU5bH+pOR4tG0+LczQaniPyjXQ6:6ycPwc62rEhoU9HkkTcQaiPqXR

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a

    • Size

      1.4MB

    • MD5

      765269c9a1ce5e07ed722e4dc399903e

    • SHA1

      2ac7ccffbcc8b3ba9356530dc3f39602ac73a08f

    • SHA256

      f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a

    • SHA512

      10d029f8bb12c86e10f24a82f40de263990ae482daba9f5832d5a241affb3b83eeb3334f2ae6a89a0d3e20375666e77d06d0f71ab31171bc739eca86033e8177

    • SSDEEP

      24576:Yy5JBuqqev8GvUk7jT755577FaovivYSM5rJaf8VZ9+Xq8DTFfdOuBbvS+ashD:f5JBsev8Gv9nxYotVJtVSvhdO8p

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d

    • Size

      571KB

    • MD5

      9333ac50afdfd0f4841ce14109290cb0

    • SHA1

      4b87ae7a51fd402f57eec512302336848dda5efc

    • SHA256

      f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d

    • SHA512

      8a1ac62aaf5531a95a1cbb2496b60b86c50e7b406483db0fcfe35ea910c2a5a726de4374507d8aee76eb07d67bd8b6d188d56c866c2657b9c4d71835b2e99c03

    • SSDEEP

      12288:3MrPy90PkK06Ds5RF6ImOxhgnLHNKLvFtzNyd:UyKp06Ds5RiOb3HzId

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Scheduled Task/Job (T1053): 6

Persistence

  • Create or Modify System Process (T1543): 5

  • Windows Service (T1543.003): 5

  • Boot or Logon Autostart Execution (T1547): 18

  • Registry Run Keys / Startup Folder (T1547.001): 18

  • Scheduled Task/Job (T1053): 6

Privilege Escalation

  • Create or Modify System Process (T1543): 5

  • Windows Service (T1543.003): 5

  • Boot or Logon Autostart Execution (T1547): 18

  • Registry Run Keys / Startup Folder (T1547.001): 18

  • Scheduled Task/Job (T1053): 6

Defense Evasion

  • Modify Registry (T1112): 25

  • Impair Defenses (T1562): 7

  • Disable or Modify Tools (T1562.001): 7

Discovery

  • Query Registry (T1012): 9

  • System Information Discovery (T1082): 15

  • Peripheral Device Discovery (T1120): 3

Tasks

  • static1

    Score: 3/10

  • behavioral1

    amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan

    Score: 10/10

  • behavioral2

    amadey, mystic, 59b440, persistence, stealer, trojan

    Score: 10/10

  • behavioral3

    amadey, healer, redline, fb0fb8, mrak, dropper, evasion, infostealer, persistence, trojan

    Score: 10/10

  • behavioral4

    amadey, mystic, redline, fb0fb8, mrak, infostealer, persistence, stealer, trojan

    Score: 10/10

  • behavioral5

    mystic, redline, kinza, infostealer, persistence, stealer

    Score: 10/10

  • behavioral6

    mystic, redline, kinza, infostealer, persistence, stealer

    Score: 10/10

  • behavioral7

    mystic, redline, luate, infostealer, persistence, stealer

    Score: 10/10

  • behavioral8

    mystic, redline, kolyan, infostealer, persistence, stealer

    Score: 10/10

  • behavioral9

    mystic, redline, kinza, infostealer, persistence, stealer

    Score: 10/10

  • behavioral10

    amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan

    Score: 10/10

  • behavioral11

    mystic, redline, kedru, infostealer, persistence, stealer

    Score: 10/10

  • behavioral12

    mystic, redline, kinza, infostealer, persistence, stealer

    Score: 10/10

  • behavioral13

    smokeloader, backdoor, trojan

    Score: 10/10

  • behavioral14

    smokeloader, backdoor, trojan

    Score: 10/10

  • behavioral15

    amadey, healer, redline, 59b440, mrak, dropper, evasion, infostealer, persistence, trojan

    Score: 10/10

  • behavioral16

    mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan

    Score: 10/10

  • behavioral17

    mystic, redline, kinza, infostealer, persistence, stealer

    Score: 10/10

  • behavioral18

    mystic, redline, kinza, infostealer, persistence, stealer

    Score: 10/10

  • behavioral19

    smokeloader, backdoor, evasion, persistence, trojan

    Score: 10/10

  • behavioral20

    mystic, redline, kukish, infostealer, persistence, stealer

    Score: 10/10