General

  • Target

    r1.zip

  • Size

    16.8MB

  • Sample

    240523-l58bcacg5s

  • MD5

    7ee45202c429166cab634331ae0ea8c8

  • SHA1

    ee84caf1a37da7d383f6fd97e775179272f11f41

  • SHA256

    92023f346ccc819d9c52da2af751cda1bc5396b5d745c68d99d1d2ff99db093a

  • SHA512

    fd9d6ed58c3a27451fd6b9c88f8a23fbacae717b0e4100977d3b282b11e3e3c39e89b498457ab97ebb529b0a31fbc1e1d04c1a1e7f4d2ca4e8e202679b539353

  • SSDEEP

    393216:XFzPzCGv707yme1P5clZt/NlviLbqwiBlaxUdQ+E0/wRgV:XFPEeQZtvvQqwDidC0IRy

Malware Config

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084

Targets

    • Target

      0e5866c0482cf393f74fa629a43250b2a3d3c45a5c86eda348a71f8d88c5da02

    • Size

      1.5MB

    • MD5

      e806bdf2cc867c5a39f1cbffe65e695e

    • SHA1

      74dfb1fd9d2b1bcea8948325ca3012e25266b93b

    • SHA256

      0e5866c0482cf393f74fa629a43250b2a3d3c45a5c86eda348a71f8d88c5da02

    • SHA512

      b055a049fcd474d22aff8f9dc90b4cdeb8ea011eb74b11ccce293f9f5f6e04195125e627908e0692c408ef2ceadd71774fc0404cb97a8b96490326fcd729c62d

    • SSDEEP

      49152:kKQ91oNjukCsG9s0+AHTLsI3H9nLp/xKAVe:U91oNjuk8sAH3JBz

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      168a3cbbca960033cd4ea67293c3f4f47ded711184772caf9f2050ac2f16cdf6

    • Size

      1.5MB

    • MD5

      827616c5464fcc383ad3ef0ea187e34a

    • SHA1

      ecded2c0f2ac47d156bebc9c7ce360b1ef471ff1

    • SHA256

      168a3cbbca960033cd4ea67293c3f4f47ded711184772caf9f2050ac2f16cdf6

    • SHA512

      985d13422ec4efd209147a1009d42be01e74e785a8256f0c07a9991fa30710897491a0fc9beb8d29b42a279a5639a87650dc4a6028ef1e871a5de5ebc6e1d67a

    • SSDEEP

      24576:5yf7bF2EiBtiau3+RH2VxEm0Lm23oliLiR9+FDTkx1lveYOrMgBA7cFmhIrUeTr:sfXFfiKORH2XEm0Ld4llR4hgxHveJr/O

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      23530bfa27653b3a30a5c3778bc7c58fac12efe736252f4527f831347afec4e2

    • Size

      656KB

    • MD5

      1edad7173ff4980ba01132dde4b1acf6

    • SHA1

      0dc835fef444b8ac27f4eb977367ad36969360e4

    • SHA256

      23530bfa27653b3a30a5c3778bc7c58fac12efe736252f4527f831347afec4e2

    • SHA512

      048db62ffae6ea5b221ab7d7e3b9b549fac812c9eef01022d63e9a83cc4e5833611d1151724a1c592369b027a73dd7f480c0f622c435b7ac2088029162c0ce1f

    • SSDEEP

      12288:OMr6y90+DlfYNUo/MORd2i5HBOxPghpdfdE9vNsnr3PLL8t23/O:0yRDlZwRdfhIghnfyzsr338t22

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391

    • Size

      502KB

    • MD5

      0c649b9bfe03a9df5f7005313d592a02

    • SHA1

      2de0347a93ec769078cbf275d68e6c17efefefec

    • SHA256

      25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391

    • SHA512

      69c461e9c6ab1d3f2c88975fd7adf42411990772ae3a98427de06d864f85cfe955f89553418bb31d60a28d640847be5e9a08116978ae4821699f1f2e98440ba7

    • SSDEEP

      12288:rMrFy90bvAiHuU2YQ57uk4+0vmuWDRQAKKDg0n6iQ:6ycAxU9e7g+0vmukQAPBQ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557

    • Size

      1.1MB

    • MD5

      f76cf4b722e08339cdb005eed5f22f97

    • SHA1

      06318afb4105b8dfe61c00731a51fc39551a59e0

    • SHA256

      29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557

    • SHA512

      689ffe1dfd59bec6b6641a1cbb619edd7502b76418aea01986d7570880169369257a5bee1f08f1e309995581267502a5c0fc82987f55becc6a08428b39ceb129

    • SSDEEP

      24576:NyiRZqrUwoAwNz+uqVuFKEh/rtAK8gOjw9C:oiRQRw8uqVEKortybw9

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace

    • Size

      759KB

    • MD5

      e9600fdfb902a613522b2946389b33e4

    • SHA1

      62956ffd30a62b2ba1174e7a486dd73aa72957f2

    • SHA256

      2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace

    • SHA512

      0e43d90e8c741f31d026167ff528315c5680e8527d611d0b11ba455e54895db38bd30a1966e3c51803b4005239245b9ba12d416047741f6e0397cf62719524e4

    • SSDEEP

      12288:7Mr5y90joTirjM7uV+R6DjO0dx3ugZxM9tuh6UhKch5SCtBDOE8ZOl+Wf0TX7Xhs:6yco+E7uKUx+gZUrWiuDFIOcRTz00c

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      30a7bebd46e90f9faf44a72b002a8447cd4d7a0f4982658f32e50b6ad9e400c4

    • Size

      656KB

    • MD5

      656f3e6f6efd1cdb63ddca773f272823

    • SHA1

      3fd19d3a0b9340272115d779416555a87502a5ab

    • SHA256

      30a7bebd46e90f9faf44a72b002a8447cd4d7a0f4982658f32e50b6ad9e400c4

    • SHA512

      651f1d36ebce930680784331b23882cf598cb420404a62a02314b6c08e66c6298b9689e544bb80fd3202c8f13c465c26f5229a4eda9f4b64c68287abe05ee596

    • SSDEEP

      12288:cMr/y90/e09RBbmnTKwwIv4A5NUGg1c8Pn9//4dkL3q/sVs2Y:7y4e4RaKKNUjRP9FD8sVs

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      36848c0be9ce6eaebbeca6101443f6ab369e9c84bcb678b2d8f07da9540c66d8

    • Size

      434KB

    • MD5

      85489a57e51626c1e1a4dcb181b9434a

    • SHA1

      458fb04a2fc26ba5b763c6a284ac19e3ba3ac18c

    • SHA256

      36848c0be9ce6eaebbeca6101443f6ab369e9c84bcb678b2d8f07da9540c66d8

    • SHA512

      5cc705b5d00058697d2d0b20bd1b5f56fe4637a1f7e07488571cde4b8e3e02a079cbbf5286c13926d55e5ce1140c63bed5a07ec3d12212235554c99ec72ab37e

    • SSDEEP

      6144:Kiy+bnr+mp0yN90QEhkZAPjw2Yep7wEL5sl7eo2dTu90J751wojFoheDsmpl6U:yMriy90kbp0LtsU7doSlvhohlmpl6U

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34

    • Size

      768KB

    • MD5

      4d1dc164a1a95c87bef2a357c41bf9e9

    • SHA1

      02a094938f6119cb4e44afb4eb4f568627614e61

    • SHA256

      369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34

    • SHA512

      acd7994b25576cc1b51dec79fe45909e37d0e11924eff27b39e75b441df4e0870472da8f8c7acbbd76dbfcc94a06830c98780c3196ffe9b87967e48b6e8b96e1

    • SSDEEP

      12288:IMriy90IS6DfCzMyG1J50BDhAQTlUtajgfKoc24s9gslFkc1aBR+:aySOfCwHJ2VhAQTlU2K4Ug7+

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      397f0bf37598f6fd4fd6a8933cfdbaebedc80de5b8929b28899fdcf9b7ba0cc6

    • Size

      655KB

    • MD5

      4e466ef961838d0961fab3f7211bfc4b

    • SHA1

      627306e28905086a367de959e57aea8ea082795a

    • SHA256

      397f0bf37598f6fd4fd6a8933cfdbaebedc80de5b8929b28899fdcf9b7ba0cc6

    • SHA512

      0c8264f1a82c1e0ad797a66359b08763d86f484c22c4bb1fa6420fbc75cb436d7a1ae64a4e91ab7d5e6fde5eac84710747801965b936ab46aa37f6f576e256d1

    • SSDEEP

      12288:8MrPy90pUrpJJTLnIGBW82SCvM5/JT+LvZNxgfEg7iBcl:zyuUlJt7IGfHCohCLvZEfP7iOl

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1

    • Size

      758KB

    • MD5

      62b7e49772a7782a7353405abf749571

    • SHA1

      8a85acbcfedeebff6de882f7d1322c61471769fb

    • SHA256

      3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1

    • SHA512

      949f0d041791833e1c22fcc117ea6a6446ada56022eb5dfb2cccf06a7b878031090e6bb3f7fc1ba9bea477976a77219b35cfe25af287976e42dc6cf44b7ba1b5

    • SSDEEP

      12288:cMrHy90pjxjCoD2XkNFLFUl1CTH7WhhaJgiMiiZD9wgnSwu5:jyUjxvBhel1EKqJglisL1u5

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3f23e445a9c2f529b4cbc3f4ee40ef64fa1fe69a8d4a241b103ec8c749376239

    • Size

      761KB

    • MD5

      3708d6c379f5b50d423b1424543b3d50

    • SHA1

      5e4a40b2f33cb8c0b18c5f4bc579be09e58256d9

    • SHA256

      3f23e445a9c2f529b4cbc3f4ee40ef64fa1fe69a8d4a241b103ec8c749376239

    • SHA512

      f8a615e714e9209abb477e948441857a0675e2a4595044fe476faac009a14d00f391769152108908f3d839dacf1812a754d7ce369a197b9f5edec98e9db5596d

    • SSDEEP

      12288:TMrky90AWjLhr4N8GQ8s2BmKybvodZBG1b8p3uqjd4vI6pejdxl3sqP1cI:nyyr4NMZqIbwde1b8NuKWZcjh8qP1cI

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      44dedbcb8ac06abbb0645f455edb582c6bc3a229eb0f288d6e63c6181d50d65f

    • Size

      642KB

    • MD5

      6d1a0affbbb9d7130d459291ba4d1f53

    • SHA1

      89aad26f45b8dc2366ff70f087b00bb91dd11726

    • SHA256

      44dedbcb8ac06abbb0645f455edb582c6bc3a229eb0f288d6e63c6181d50d65f

    • SHA512

      502a5dcc0ecfe9498e96529da91c646df3f0820e99f99f736f0360f45021ffd81a8417a328ed6be1f3252a49ed06e5facf9c363420e3e3e8e03a33066f6c95a3

    • SSDEEP

      12288:uMrLy90MFXwbExD25uQaHJnRuUP3KJeIVbIgB0dL:JyzXwcD25ulnRTPKJeWIga

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6aec122dba60c94432d6aee116732395d28cda2ecb306d8ab832d137811ceeee

    • Size

      1.4MB

    • MD5

      55f3afd7535f8c22d6d61c062a48613b

    • SHA1

      6320045a41fb22d0125f65b4609d7386d1cf2f4b

    • SHA256

      6aec122dba60c94432d6aee116732395d28cda2ecb306d8ab832d137811ceeee

    • SHA512

      7d7ca3ec7865937d9bd1a6bd139417ba39071dadcd929c6fd7d72108597937a8e24afba26f126a62d798809db831b948b0027a79abf88cff5265ce2a4904969f

    • SSDEEP

      24576:lyERVRikOROI9Dj9w0Lfve7noODwJZXcn96Fs5rNwnddTvMEFF1Bi:AEzMkId9wW0EJZM96FsFMTv/F

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b0d3a3660331ff8ff0504498edd9bff28eeb733ac6d718bd589cac5bf7c59855

    • Size

      1.1MB

    • MD5

      dc72d7d70dae7741e434fff52b666bd2

    • SHA1

      4de1f74fcabeeee9bd171be7106862750c2de7ee

    • SHA256

      b0d3a3660331ff8ff0504498edd9bff28eeb733ac6d718bd589cac5bf7c59855

    • SHA512

      877cb3808259576e169e9bf5b0153e32f96fc9709f7adf0b8da29196a8940f87bd0c17ff8831d1f6da150f432bd666fb2b5053d813f660a2effaa417d44d8480

    • SSDEEP

      24576:oyaQeJ5nIkKw7t42YVCp4bLueYRbtY4Hp0klodN1lbsh:vaxnjKwGPy4ueY1tY4J0kly5

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b4f17a4609e2cec3a4889b16b6afbe340483f8403878fb6bc6d524be8e5764a2

    • Size

      1.2MB

    • MD5

      910fefd3f292d4d7610f6a3808b66374

    • SHA1

      87530428d2bb2886054f0653431d00546c30227e

    • SHA256

      b4f17a4609e2cec3a4889b16b6afbe340483f8403878fb6bc6d524be8e5764a2

    • SHA512

      52ffec25a6975e9f969cbbfcf1edddea0882a28f886dcb3afd5b842d56c862c53dc440b452853f6ac37cc9eab9d898662fe43f313610a5850c31b9c596de9380

    • SSDEEP

      24576:xygcC36v7qWUmK7GdziyEpbfzzYRYjtsL+3/bCst:kZC36v7qWp3kXrjts2b

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d2d831c046edce3072fd8f388c2954aefb3a8b6e2b64384d613bdd5478a9ea51

    • Size

      942KB

    • MD5

      a4749171d8ad764d03818f126f217d5d

    • SHA1

      6a79bb5f782bdd877dbb1bb4b48d62fd3f785cf0

    • SHA256

      d2d831c046edce3072fd8f388c2954aefb3a8b6e2b64384d613bdd5478a9ea51

    • SHA512

      76848343db7274895acb25a3de56f99434944a8a9bff24de242baeacbb29ee449a92a54b655071aa4033201bd435907ad241b4f903a7fd61b5557eaf74701fc5

    • SSDEEP

      24576:4yhABagNJNsKqbH6md/zL/kPG2LZe4cV4nvsKwvq:/hAvN/iH62HkeCcavFw

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      da40ec1cf90ce4636876a76bd250b12ca3df8f973c3aa4752203ce19ac39a548

    • Size

      645KB

    • MD5

      ff0a44771f8c71eb1e1133bad5a063f6

    • SHA1

      aa94caffc849a8fc2d13a15dfee2dc9ac8ee3ea8

    • SHA256

      da40ec1cf90ce4636876a76bd250b12ca3df8f973c3aa4752203ce19ac39a548

    • SHA512

      f4bf9a3d722328734efb3f3ea94661141ba0f1ad0b8b0e7977d63bd7f26a5ffff32213ec4608d9d9d8fdfb1d11a65dfaac2452ce7b505a8f4b36cbfa5620e211

    • SSDEEP

      12288:CMrcy90K25kbg2PhnAnD7I+YOTHcd+WIngk9svUzXYY50zpgR4:qyq21AnCOTH5WzMXYu0u+

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175

    • Size

      1016KB

    • MD5

      286b046acf10fcab8312990c2302253e

    • SHA1

      a55e3416e33d7ecae7c6d96d44ff385b71c3113d

    • SHA256

      e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175

    • SHA512

      fffd0ed3f0f62d2b407c92fe79696f914392b94746f4360b1f82abf41e2b10032ae9f9dd2bfd5e5149f7549000bf86cdcf08ffe1abc360bc48f91e74fbc83786

    • SSDEEP

      24576:jyqCSgOXmr0c9la2uAR30pUy08WuRzEsk3PV:2qCe2Qqla2RR30pfoR/

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6

    • Size

      763KB

    • MD5

      5fa1a6ff2bd078a1dd67512ae11f6710

    • SHA1

      8413bf1b00ed1df30697a39d5e324504f6d21cf7

    • SHA256

      f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6

    • SHA512

      b3c1914550887a8b8946b7cbac24c55f736f09f42a8b72c7762634a872fdb3aeea588a33c5cce8fdd1ae89ee10fda6027fd326421ea50d2de8871578c358b5b6

    • SSDEEP

      12288:NMrvy90ESlNReuPx5M4ICpezpN9qJclHFsUKruJtI6/h3zbtRUJGvNffKPFZUG:Ky8lD5xrICp0NcUKKJtb/hzRqJgNffKr

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job (3) T1053

Persistence

Create or Modify System Process (7) T1543

Windows Service (7) T1543.003

Boot or Logon Autostart Execution (20) T1547

Registry Run Keys / Startup Folder (20) T1547.001

Scheduled Task/Job (3) T1053

Privilege Escalation

Create or Modify System Process (7) T1543

Windows Service (7) T1543.003

Boot or Logon Autostart Execution (20) T1547

Registry Run Keys / Startup Folder (20) T1547.001

Scheduled Task/Job (3) T1053

Defense Evasion

Modify Registry (27) T1112

Impair Defenses (7) T1562

Disable or Modify Tools (7) T1562.001

Discovery

Query Registry (11) T1012

System Information Discovery (14) T1082

Peripheral Device Discovery (8) T1120

Tasks

static1
Score 3/10

behavioral1
amadey mystic redline smokeloader 04d170 grome backdoor evasion infostealer persistence stealer trojan
Score 10/10

behavioral2
mystic redline kinza infostealer persistence stealer
Score 10/10

behavioral3
mystic smokeloader backdoor evasion persistence stealer trojan
Score 10/10

behavioral4
redline kinza infostealer persistence
Score 10/10

behavioral5
mystic redline kinza infostealer persistence stealer
Score 10/10

behavioral6
mystic redline kinza infostealer persistence stealer
Score 10/10

behavioral7
mystic smokeloader backdoor evasion persistence stealer trojan
Score 10/10

behavioral8
amadey mystic redline fb0fb8 mrak infostealer persistence stealer trojan
Score 10/10

behavioral9
mystic redline kedru infostealer persistence stealer
Score 10/10

behavioral10
mystic smokeloader backdoor evasion persistence stealer trojan
Score 10/10

behavioral11
mystic redline kinza infostealer persistence stealer
Score 10/10

behavioral12
mystic redline kinza infostealer persistence stealer
Score 10/10

behavioral13
mystic smokeloader backdoor evasion persistence stealer trojan
Score 10/10

behavioral14
privateloader redline risepro smokeloader horda backdoor infostealer loader persistence stealer trojan
Score 10/10

behavioral15
privateloader redline risepro horda infostealer loader persistence stealer
Score 10/10

behavioral16
amadey mystic redline smokeloader 04d170 grome backdoor evasion infostealer persistence stealer trojan
Score 10/10

behavioral17
mystic redline kendo infostealer persistence stealer
Score 10/10

behavioral18
mystic smokeloader backdoor evasion persistence stealer trojan
Score 10/10

behavioral19
mystic redline kukish infostealer persistence stealer
Score 10/10

behavioral20
mystic redline kinza infostealer persistence stealer
Score 10/10