General

  • Target

    9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

  • Size

    18.6MB

  • Sample

    240523-l26ncacf46

  • MD5

    17021f932242b4675408601764ba0df9

  • SHA1

    ff6af180438661890917b372d0197dc34253b5f4

  • SHA256

    9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

  • SHA512

    c330e147f31d62dafcaea2471a895aa3aaab6364f237d4c525258be0dfae5a43e131d73b006b4f99dd2453d7da931f07e958255dd5a326ab3224138beebdedfd

  • SSDEEP

    393216:3hFfBrTev+dIaSlILsdcWoW8KT00wJoBjwtv+rBo:PV4+4KPWNi0wWBjwkBo

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

luate

C2

77.91.124.55:19071

Attributes
  • auth_value

    e45cd419aba6c9d372088ffe5629308b

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

plost

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

  • rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

gadki

C2

77.91.124.82:19071

Attributes
  • auth_value

    2efd98e4d8880b45676de60a0faf778f

Targets

    • Target

      06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3

    • Size

      661KB

    • MD5

      cdca3895f27cdc05ca4e3805722b13a8

    • SHA1

      908e4fd065b858e327ed442c9db06f432c5b7522

    • SHA256

      06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3

    • SHA512

      b36b19510dae31d34dd68c965c94da203ca1b03234aa01b9975b05f9f987552039ee7d52e867861e5bd9267e0b85442bef26fb8e6a4981e6c903f3ad936a3bbd

    • SSDEEP

      12288:eMrCy90WnmXRO3Rrm7fhF/4ZwsSdqSZEiAjyjElCydS4U:Qyfb3ELf4ZStGiAjt7U

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19

    • Size

      1.1MB

    • MD5

      b0be87fbefa8fb816eda48b5873f30e6

    • SHA1

      580f46fb499394653f1c7a29a1bc0baccad32c0a

    • SHA256

      14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19

    • SHA512

      b7292045ce5adf9297dc9a4e68f9f749cab705e8dfb229fb4a8159d675d627ddd741733f6d06ca36b9987c3f8ea9f4d3fc61a9135dd18d3c7af176be124769f8

    • SSDEEP

      24576:Jy29JdP9SYg8rvouFInG4qc3+BbLMtuQ/dIkFSE9s31hV:825FSYggoIInGu42uqdIke31h

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a

    • Size

      657KB

    • MD5

      01a84bc0f9662c85b3e51840340584e7

    • SHA1

      f9b058a4d293cd4736466b97a75159823e2a0ac9

    • SHA256

      16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a

    • SHA512

      b78da685b4ac48bf111285dadd929e76f2282f50e66c31df783dc92c677d8c6d3ee5d64aa11b7d70102cf556565bdd29b6a7bbd0b88582115471d77ef73f193d

    • SSDEEP

      12288:KMrhy90Dr/7bS2jGH0CwdYQS6QbyfFAF0oxJ5myPoOmIfb:TyanVGUCwd/S6QbyfFA75oOmGb

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      192ce44be6557d6d98a2de008c00df07b0f5063ea96bbd2751389b1f82c5f6d3

    • Size

      768KB

    • MD5

      0de600ae6ec8490fb19ad446930f8581

    • SHA1

      79c2e47abfcdcb80601a81d332f280d219a94872

    • SHA256

      192ce44be6557d6d98a2de008c00df07b0f5063ea96bbd2751389b1f82c5f6d3

    • SHA512

      95f5a3954717d1e180d4ece7078c021ad336310abdcda5375e709454835c0e9313c4d9aa9986a4da08936c0c29bca9c99a30c8d14904083c44ccf2a0ba39807f

    • SSDEEP

      12288:DMrDy90GW5A7L+zRAfUBhN5wCPvRLDXq6LI9Gi23rfOttApNxdNMJPXP:oya5MfU/NvRXq3UikOtWNxdNMJ3

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf

    • Size

      812KB

    • MD5

      f7e69c620af0bbd5653d5fc8405ba587

    • SHA1

      73008bbde185403def406416c45415afe1cef642

    • SHA256

      208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf

    • SHA512

      07be351902a0d7ba7fffc00fa18688a052df745c669439a03da3becfded56c445085848621951b3023cc1f145620a65a761fcb41472b5a50568366ee5e900e1b

    • SSDEEP

      24576:ryTEwKx9ELd2lTQ9TgFldOrHWzB3Ka6m:eUgLo5Q9Ttr2zBj6

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19

    • Size

      562KB

    • MD5

      d251764d069bab0638824c87cb165aeb

    • SHA1

      0d494f305b99a1dc6eb0a5975c9a14752a41a166

    • SHA256

      2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19

    • SHA512

      6b53824cf7ab1cd26f8052544a446471f1719bc8dd75ee5bdd7bd0db9044c16b756fd975c29549e8f1549027674c0b9073749cd5365dd77570e0d2fcb4f81b8d

    • SSDEEP

      12288:1Mrky903T8TiTWrrVK31Ht/q7CErraIitJ00Q9ZQkoCiznSVk:tyHJCH/ErraIKu0uQkbCSm

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32

    • Size

      1.3MB

    • MD5

      5fd4292227679641bd077b5860cc1b20

    • SHA1

      6d16d9ed9789439a53edcb08fc29c94dc333ddec

    • SHA256

      2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32

    • SHA512

      18a29392c34b6cf2efec0cd7c8fe3d1c46ef140eee726ec2a6bcc78cdabbce19b7ba74d434e1bfed37acc40ad1e91146ad56a011dc670bf696469dc8723021f8

    • SSDEEP

      24576:nyuoJKNzEOwgX1dtUiF7y3rnffcn+CnHREo6MsW:yuxwgWKy3rffcnlLT

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0

    • Size

      1.1MB

    • MD5

      491a1a616709c3545421cfe7e9a0a5fe

    • SHA1

      6209307eb09238a51579b3edc7bfbde97c768f0d

    • SHA256

      396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0

    • SHA512

      87a8177818b18120384e0bc87a8c708064220015e222f15803065883749afce38e2a5c5e9af6ddcf5f3f15ff18818a10290f5cd42a19095dcf11af9d779c9491

    • SSDEEP

      24576:sy0xoIFWVsveTG7W2KWEbrHG0+1TryyzBEPx7Ff5F4LTmmgcDAg+j:bPIFWVs2TGS2KWEbrm0QyIqPD4TQ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025

    • Size

      758KB

    • MD5

      58a76a83d31f69b1e0993a815a2517e0

    • SHA1

      6ceac1337bc5e2da34b589f7576afb4a51418b68

    • SHA256

      777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025

    • SHA512

      a8971952932e832df09dc342f815a4fba0b70c2cfc749f75da4f637aec932ca65ea2d208ef6f21ffc27110ecd6208bb5249404f79c7b02ddd7a3f9531a347c22

    • SSDEEP

      12288:fMrcy90nMThj98Ro0z8P0OUqXZhvGzDVhhtiGCUg5P8+zgdHQOPdJiYa7:byn5ORSLZJ8pdlCLkHZdJxU

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6

    • Size

      759KB

    • MD5

      cf283b15a0808e714c3020620715628a

    • SHA1

      69bd17b4907e8b78c53429930364dbd013fe55da

    • SHA256

      7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6

    • SHA512

      6279071eca90cc1a6fa7010c081dc24cf3135bf46fc68dbfa83a918afa1b75e87cbdf401fbe07ff38c42ec71bfce69914fa0937bf32cd39dcc899d3caacfebbd

    • SSDEEP

      12288:QMrny90ZKeg3G9Lrl3sBzIhill3+XhfOR0u7l9AJ/62muR4x7p:nyoKeg3G9Lrl8ZneNOP7J2D4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66

    • Size

      1.3MB

    • MD5

      95d542493374dbe6e7e9169abb4d8b9d

    • SHA1

      81e518810940fc2b2992369fd314a1ef254e7e7d

    • SHA256

      80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66

    • SHA512

      6f4699024fbd3d76686e06f62f1d43153eec1b6be02bec68f111405e21842c81306ad3811cc574eeeb3424d052d856548590ce574b8f92669a788556d5c8aa43

    • SSDEEP

      24576:VyINMxLEUjKKpiwMUvPtGcrSwppr/hzYqHmBv/Qz7GZ:wWMt1OU9JSwzr/hVcv/QzK

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42

    • Size

      1.2MB

    • MD5

      8c1c0914a0def51e04e998dd838101cd

    • SHA1

      b87baade2891a73a85efed31f915502e52ac9c8a

    • SHA256

      8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42

    • SHA512

      2a5cbd449be690d512471ca0a3d1c3a8e1e6f88e31cb92cc01c007c418f90f4194f5b4d25c1d8781957be8a050617e21ca7eec9212bc5bac2db0c35db1160b55

    • SSDEEP

      24576:nybWEzJzFzI7rAK+1QrZkCcedGcTkWKRLGFA34cMaxHzq96AuR6r6SR6T5Es:ybWEzNFzI/AK+1QaCcedGKkT3vxTqUyf

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4

    • Size

      903KB

    • MD5

      56cbf85c17dc70913672f90b1f36fbfc

    • SHA1

      205c818fd0e8d76ea21b3cd03704a2ae71f85a76

    • SHA256

      9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4

    • SHA512

      dbdde039478539be601d9bec0e9d88ed590f3c35ddf9e98eefe10affcf9dc7b809349741c4ef2ab740d0af6352dd0ce46412028b77a516a1ac6475bcb4c2c5db

    • SSDEEP

      24576:byb2x0Hx9Isn62mKFE0e1PMGI4InO6fbWaqErse0mdbi:OU0Hx9ISMKFE0eZMlndbsezd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3

    • Size

      759KB

    • MD5

      2046ecfb589e1470442d1971a5e97756

    • SHA1

      ccc3b65402c365cd1bd4a91df860a4dc4e9fadfa

    • SHA256

      9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3

    • SHA512

      1807c3b6f112db629c9b7e00e917271918c1cbcb0ff5f9830fe3468c44789a59e1dfdebb5ff8f9d28bf4ec2559801751a7715cecfd3bc73192a022a60784e96a

    • SSDEEP

      12288:OMr5y90cUoQMHdLd7H0wCdF4f5COt0ij7xV6EGeNdEENlrmFscQyCkqqA:HykTolH0wMywpL5QpmUqA

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52

    • Size

      1.5MB

    • MD5

      107010beec076341ed4728108616ae14

    • SHA1

      d521c427abf30e3dea44b2e3a6715310b13d5236

    • SHA256

      a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52

    • SHA512

      c3646f0d843750387e5b839247777ae8ad2ac09c8a421f5f51f9da537de753fbe2598b172e704a1e80265305f08c66cd5e60130cbaca52774bc0451ab032ca78

    • SSDEEP

      24576:ByyUtVJGOjT10AgnfUZqs+D5aT82lA/Z1SMU9sWdtqvO9J:0yUhRT10Lnf8Z+D5YNKR1SMUfdt0U

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28

    • Size

      1.5MB

    • MD5

      039c520ad29f179727d52fd7bb41ddc9

    • SHA1

      68e44ea4487f50fa6c97b3aa739bf3c2bb15e2f5

    • SHA256

      aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28

    • SHA512

      e22e81f49b448e7d18f7bfdb3b13688020b279a6fb39db44238e2f695f90dab9f3b9af6409fc80f8a799537f330af753abc8e3548baad183ce24d7a61e74f0e8

    • SSDEEP

      24576:Vy8nyYj4q3Y6M2GWyMu86ZD4SBFL/gfzWHbawDN67vluQaU8t0EOU2luc4kFO6i:w8ny24qNtyMuF4iSqHb/YPaavUcP4KO6

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe

    • Size

      762KB

    • MD5

      cce0e6653ee5fa0a395399fe8afaf08c

    • SHA1

      4a4de5189ff93859b4021df87baa7b2978be0dae

    • SHA256

      e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe

    • SHA512

      ff882db3fc989c2fc6bfa3e3cb93210564a1bf4ddf2a2e670e5b33566e49f7d12239097350014b2b0f746dab55324cff2daae792c00b1c2a37c18dc72d585855

    • SSDEEP

      12288:VMrXy90LmNlxfXHTA+RpYhaaKPDXuct1VfGdrAUKhzx4ot1Qj:uyGCt0LIaiPTRGqdtM

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb

    • Size

      758KB

    • MD5

      82d69f920d5865457796a89dcff321e9

    • SHA1

      b983f0ae70afe27f4036ba9bf72d2209e24e322e

    • SHA256

      e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb

    • SHA512

      bfe94ca286e25843736c716b9b1007f6927d05e490875518e91f8d1ce574d5472b7b140abe14a6b7f777a2262b049fedd57f143cd21cdb630ee6de9f6533bbde

    • SSDEEP

      12288:rMrty90yoBOaQUpKpIs7266c/HhBDgjLIQ1WgWK7mUJtSVWrFkfKKu:KyMkUEIs6zGhBDgd1WgH7mgYWr/Ku

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871

    • Size

      912KB

    • MD5

      e9b14be79a6909ca38f58170004f3cdd

    • SHA1

      b00c579790015e8312c932100446631bac44ae79

    • SHA256

      f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871

    • SHA512

      f40e080f0d45ea975a223a017af846ab7b28a50ef55a44cf3c25fe708008d5e89a21913192da271001c5589b339e8ee1e27aa3d8820ea93cb383680c4d3f1115

    • SSDEEP

      24576:6yqPzRmBHa4Zyi7tOIfXl93jr+Du4dk1j:Bq8aFaNPzIu40

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf

    • Size

      1.6MB

    • MD5

      97453055568c0ddae722add23c1805c2

    • SHA1

      520a1d3ecf08a765dc04394ddafec79919a37126

    • SHA256

      f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf

    • SHA512

      52a14c06f6b61b05db155c469bf23153188ec6adc8683acb1c76c6eb090dd50e19e8d29eeae92fd7953bd13ca9095530edd3e14936ef54fe487e80c5e84a81d4

    • SSDEEP

      49152:xmPBfFYwWOac3d97MlGFh2c0AHs69OTryrzItwcHFwqfCtWVbIM:OnYua2EgO369OTAzItwcHF1KtWVb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • T1053 Scheduled Task/Job (5)

Persistence

  • T1543 Create or Modify System Process (4)
  • T1543.003 Windows Service (4)
  • T1547 Boot or Logon Autostart Execution (20)
  • T1547.001 Registry Run Keys / Startup Folder (20)
  • T1053 Scheduled Task/Job (5)

Privilege Escalation

  • T1543 Create or Modify System Process (4)
  • T1543.003 Windows Service (4)
  • T1547 Boot or Logon Autostart Execution (20)
  • T1547.001 Registry Run Keys / Startup Folder (20)
  • T1053 Scheduled Task/Job (5)

Defense Evasion

  • T1112 Modify Registry (25)
  • T1562 Impair Defenses (5)
  • T1562.001 Disable or Modify Tools (5)

Discovery

  • T1012 Query Registry (8)
  • T1120 Peripheral Device Discovery (2)
  • T1082 System Information Discovery (13)

Tasks

static1

Score
3/10

behavioral1

healer, redline, mrak, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
Score
10/10

behavioral3

mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
Score
10/10

behavioral4

mystic, redline, kedru, infostealer, persistence, stealer
Score
10/10

behavioral5

amadey, healer, redline, fb0fb8, mrak, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral6

mystic, redline, gadki, infostealer, persistence, stealer
Score
10/10

behavioral7

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral8

amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score
10/10

behavioral9

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral10

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral11

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral12

amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score
10/10

behavioral13

amadey, redline, 59b440, mrak, infostealer, persistence, trojan
Score
10/10

behavioral14

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral15

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral16

mystic, redline, kedru, infostealer, persistence, stealer
Score
10/10

behavioral17

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral18

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral19

mystic, redline, luate, infostealer, persistence, stealer
Score
10/10

behavioral20

amadey, mystic, redline, smokeloader, 04d170, plost, backdoor, paypal, evasion, infostealer, persistence, phishing, stealer, trojan
Score
10/10