General

  • Target

    r1.zip

  • Size

    16.7MB

  • Sample

    240523-lphqracc4s

  • MD5

    0ff720773a3aacb60b425609b8435d0a

  • SHA1

    6cdabf28baabec276eb47b13724cefe7be6ca26b

  • SHA256

    9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

  • SHA512

    a84ad2acb741207143eb27056815c0c24ef2a36bfc8131da817a10e8ce44e89abfb21130a5eed8c70de2eeed17f9d21b8f80c651bcec2ee709b4a85f9e0a53e9

  • SSDEEP

    393216:7PdDhiTgnd/CyW5IJ3lU3WSqg0ShV8JkE5FJdXO1Yt5:7P+End/DFJ3lU3gg0o8m0XPt5

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

Attributes
  • rc4.i32

  • rc4.i32

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

  • rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

C2

http://77.91.68.78

Attributes
  • install_dir

    cb378487cf

  • install_file

    legota.exe

  • strings_key

    f3785cbeef2013b6724eed349fd316ba

  • url_paths

    /help/index.php

  • rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

kinder

C2

109.107.182.133:19084

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084
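
The C2 indicators extracted above, collected into one matcher and run over a few constructed Squid-format proxy log lines. This is an added example, not part of the Triage report: the log lines are made up, the Squid native log layout is an assumption, RedLine sockets shared by several botnet IDs are deduplicated into one indicator per socket, and the RisePro entry matches on host alone because the page extracts no port for it.

```python
"""Match proxy traffic against the C2 indicators extracted from this sample.

Added example; indicators are copied from the Malware Config section above,
the log lines are constructed, and the Squid log format is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Amadey beacons POST to C2 + url_paths; SmokeLoader to the full C2 URL.
AMADEY_C2 = {
    "http://77.91.68.18": "/nice/index.php",
    "http://77.91.68.52": "/mac/index.php",
    "http://77.91.68.78": "/help/index.php",
    "http://77.91.124.1": "/theme/index.php",
}
SMOKELOADER_C2 = ["http://77.91.68.29/fks/"]
# RedLine C2s are raw host:port sockets; several botnet IDs share one socket.
REDLINE_C2 = ["77.91.124.82:19071", "77.91.124.86:19084", "194.49.94.152:19053",
              "77.91.124.55:19071", "109.107.182.133:19084"]
RISEPRO_C2 = ["194.49.94.152"]  # the report extracts no port for RisePro


@dataclass(frozen=True)
class Ioc:
    family: str
    host: str
    port: Optional[int] = None   # None: any destination port
    path: Optional[str] = None   # None: any URL path, or no URL at all


def build_iocs() -> list[Ioc]:
    iocs = []
    for base, path in AMADEY_C2.items():
        iocs.append(Ioc("amadey", urlsplit(base).hostname, 80, path))
    for url in SMOKELOADER_C2:
        u = urlsplit(url)
        iocs.append(Ioc("smokeloader", u.hostname, 80, u.path))
    for socket in REDLINE_C2:
        host, port = socket.rsplit(":", 1)
        iocs.append(Ioc("redline", host, int(port)))
    for host in RISEPRO_C2:
        iocs.append(Ioc("risepro", host))
    return iocs


IOCS = build_iocs()


def match_connection(dst_ip: str, dst_port: int, url_path: Optional[str] = None) -> set[str]:
    """Return the families whose indicators this destination satisfies."""
    hits = set()
    for ioc in IOCS:
        if ioc.host != dst_ip:
            continue
        if ioc.port is not None and ioc.port != dst_port:
            continue
        if ioc.path is not None and (url_path is None or not url_path.startswith(ioc.path)):
            continue
        hits.add(ioc.family)
    return hits


# Squid native access.log: time elapsed client code/status bytes method URL ...
SQUID_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def parse_squid_line(line: str) -> Optional[dict]:
    m = SQUID_RE.match(line)
    if not m:
        return None
    if m["method"] == "CONNECT":            # TLS tunnel: URL is host:port, no path
        host, _, port = m["url"].rpartition(":")
        return {"client": m["client"], "dst": host, "port": int(port), "path": None}
    u = urlsplit(m["url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"client": m["client"], "dst": u.hostname, "port": port, "path": u.path or "/"}


def scan_squid_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """(client, sorted families) for every line that touches a C2 indicator."""
    alerts = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        families = match_connection(rec["dst"], rec["port"], rec["path"])
        if families:
            alerts.append((rec["client"], sorted(families)))
    return alerts


# Constructed log lines: three C2 hits, one benign lookalike path, one host-only hit.
SAMPLE_LOG = [
    "1716470001.101    120 10.0.0.5 TCP_MISS/200 611 POST http://77.91.68.18/nice/index.php - HIER_DIRECT/77.91.68.18 text/html",
    "1716470002.202   3050 10.0.0.7 TCP_TUNNEL/200 4096 CONNECT 77.91.124.82:19071 - HIER_DIRECT/77.91.124.82 -",
    "1716470003.303     88 10.0.0.9 TCP_MISS/200 302 GET http://77.91.68.29/fks/ - HIER_DIRECT/77.91.68.29 text/html",
    "1716470004.404     40 10.0.0.5 TCP_MISS/404 250 GET http://198.51.100.10/nice/index.php - HIER_DIRECT/198.51.100.10 text/html",
    "1716470005.505   2000 10.0.0.11 TCP_TUNNEL/200 9000 CONNECT 194.49.94.152:443 - HIER_DIRECT/194.49.94.152 -",
]

if __name__ == "__main__":
    for client, families in scan_squid_log(SAMPLE_LOG):
        print(f"{client} -> {', '.join(families)}")
```

The fourth constructed line reuses the Amadey url_paths value against a different host and produces no alert: the path alone is not an indicator, only host plus path is. The fifth line shows the cost of a port-less indicator: any connection to 194.49.94.152 is reported as RisePro, and a connection to that host on 19053 would be reported as both RedLine (horda) and RisePro, which matches the page, where the two families share that address.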

Targets

    • Target

      1bd70f5afcc29724401d52710f012058d999560c75bde3fd609f66ffc0bd9720

    • Size

      655KB

    • MD5

      9e3b491b79a3f531499f4c5b9c6e4181

    • SHA1

      e4af677226d01e5bf1a05cb8e06599ebac84d82e

    • SHA256

      1bd70f5afcc29724401d52710f012058d999560c75bde3fd609f66ffc0bd9720

    • SHA512

      99ed75c1d7731e032ce4f7c85df8946d2830f00004d079763fd96da5a443dca4cf9219df1889a550c4cc1fc630916309601507da5dc44e7189a19291f7237275

    • SSDEEP

      12288:OMrHy90Ur0MAYbIdHpBhA+sZlVmzWVvExD4ipCDU0pjFTW:Jy/r9AY0hp/BYlQg9D3dpW

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7

    • Size

      1.5MB

    • MD5

      befe5f1c063836f70bf44237b916e619

    • SHA1

      eeca7ed0b98f96c5d70c56fbc9bf9e4beeaa1317

    • SHA256

      20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7

    • SHA512

      0fe262519c341adfda710a1b71ec0831c3cc1c848ea0454313e6d95ea67eb444ef30007fa0fdc805d116a793689228f54dc9c3d88f9f58d132d5a52b2c9edf73

    • SSDEEP

      24576:jy4nIp1D1ArWtg/x9TVZbQ3FBriDt4ZMWe1QkKctCUfe8jrBUsalIliK++17Aq:2Sgmnx9ZZOiDS56QuTmesbPi7

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97

    • Size

      761KB

    • MD5

      beca03b004cff0040bd6fe86c8bbaca0

    • SHA1

      6982391f353b0884dad9cfe6a74989cde215b6aa

    • SHA256

      2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97

    • SHA512

      f720259a5620da7c2d8405356b9496847d52a793c1e109ea11a637f91b20b88af0adf4e2ea352b0a89861c4b55d20b363ae11a7a8addd396fb5084d8cdcf090a

    • SSDEEP

      12288:xMrmy90OmdMUmVSz10z5WiWpsQB6+W5hu/G13XxRZDVYDOGmRjd4LjNIp:jyYHmgz+IvuQB6+W5w83XXrYDOGCOjN4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      30323f682e6a32aa6d849428448a5ebd9b9590ee3a331da4fd2f5934b4c13818

    • Size

      1.0MB

    • MD5

      8ca2e2b6df85b28cc622787bdd25971c

    • SHA1

      c6694cda5bba6ce87b6433a180dde1c90f6f22bb

    • SHA256

      30323f682e6a32aa6d849428448a5ebd9b9590ee3a331da4fd2f5934b4c13818

    • SHA512

      a3b689b8deee65b87390a5bbb312eb188cac6485f1f485b98d0016f7180adec0db4c0e6e7aa8066c1c82925ee6257df4f221f16f61e67a358395d6ff019125f8

    • SSDEEP

      24576:0ycblCljSywWSdCPVlvVqUIv/jzwvvAL9:DcblsjSyGdCPVlvUU2/HwHA

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18

    • Size

      652KB

    • MD5

      a8b9734365073ce340b1123741d71abd

    • SHA1

      ba40a124883de4244aa8c1c389e94ddb9fddead6

    • SHA256

      426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18

    • SHA512

      0f34f2c85ea88f4a6b440889df26087036a8802d8ea04ba3a5a1ec3db4745007806778aa24a1b45bb2db1902b841fd35099081b55daa9576d2b79e5636eaa76a

    • SSDEEP

      12288:8Mrcy9031jOhVjzy5AfppTmgmbdSqEfEFoGeKaHsUPkiD:AysWVfySppTmgcjqftrPkiD

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e

    • Size

      1.5MB

    • MD5

      c45e1f8653a052bdb4d697102396e863

    • SHA1

      6e8f88305f5c7359a816c519a82ef03c676d1e35

    • SHA256

      43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e

    • SHA512

      6c2800555c67a354e0723774ac94722773643c10ff07ebb569e90de3e9404aa0121b4e4acbaf0c690139a2a438cbe51ecce9d0e16b3c3eb836caf579f48db44a

    • SSDEEP

      24576:YyfuS0vx3E0sZomjE5DHLQcU+s+ee997Di17mn/MnYCIuKy:fGS0vx3TTmjEBQcU2tLeoMYCIu

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      44ba27c950b0c14f429cb6252215fa6bdf9cb6c714a1890cbaae75274f91f4f2

    • Size

      559KB

    • MD5

      19acbb53fb57ee0970d5ad438b17e6c0

    • SHA1

      8b604ca7a275ac23dfa9d8533d335bf0f35a8b4c

    • SHA256

      44ba27c950b0c14f429cb6252215fa6bdf9cb6c714a1890cbaae75274f91f4f2

    • SHA512

      7a765b8aa6043938099ed5b1f36858f2dd53dd85f6e1c577e136327a7218cd13e732c3e740827510bb4c1eaa11767f1f82106bab6adf068ad6bc00c1d34df208

    • SSDEEP

      12288:cMr4y90LLrvKoJZVVY+s/Pyf2Sh5mERfbj7WFMFj+TP8fZCOu:8yw/JtNgxizj7W0jkCZk

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6e352312813a28290ff0ff1a92702c185aae40663ba027e0a0c2d464d283d345

    • Size

      769KB

    • MD5

      163f527e958ebaf658b84995c92043c7

    • SHA1

      aa756481eb453ab6845dd4e7426fcb1744899eda

    • SHA256

      6e352312813a28290ff0ff1a92702c185aae40663ba027e0a0c2d464d283d345

    • SHA512

      0e4ad47429206876f809401d7f1c91e560eaccfa2559549b044740273f329d6461e9098710dad1ed8939a06e36673d3d6c4a9c76f9977ee0c17e1456ea4c6008

    • SSDEEP

      12288:HMrpy90xBP7BNGJBaCDT8ToDzhyzCKS6yGo67vG0EaQqtkkaRVk5i9/jh:SyGPNcfhyzCKIG3jrkkaVk54bh

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7cac44d1ecd3f5639f33ee135e671d1baab428e0ead20f5eae7b4d2be71debc4

    • Size

      758KB

    • MD5

      7bc7a630b99ec4f5cb33509167d30fde

    • SHA1

      ee5c020cc75b7540d3a5e62fc42c7ae50f466688

    • SHA256

      7cac44d1ecd3f5639f33ee135e671d1baab428e0ead20f5eae7b4d2be71debc4

    • SHA512

      ec1523aef1fdef867403b57b0b5d0623d7b4888785f815d69fbb6899ee9179e473d1500694a32d81a4a4cd4574559d888e9d189bdee9fad651f293db7ba77562

    • SSDEEP

      12288:LMrey90q1dkxynN0p0WWoxYvlehFYk3ImYhABJyE846g5I57TSMQlOPDpg9avL1Q:Ry3eqN0pbxYvl4FZ33Bm/X57T7W0DpZ6

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      823db2b88de38daac96f8e746abe924341117f170be5cd8a57a2db86d001bc40

    • Size

      654KB

    • MD5

      531a55b0843787d264949a52cffaf364

    • SHA1

      03beb7ab2f6cdcb2d8e50e0c421c477ec542485a

    • SHA256

      823db2b88de38daac96f8e746abe924341117f170be5cd8a57a2db86d001bc40

    • SHA512

      13767a9564609db88521e9606781d881b87d1ad6e774849d8c0cc7ba9ffded0853d0404f5bd16013d94203c270c9586987f12eb5eee879318287e3f06f7a6280

    • SSDEEP

      12288:/Mr6y90PeSqiA6ByIjd/ZMQCXOps5DgKWwLNWaUN1MOgsoo0H02LY:RyJhJs/ZMQCv/LNWqOgsbq9Y

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a8844182255c5383be20ec415b7286551bb27f4713458001503fbb103d2c31db

    • Size

      540KB

    • MD5

      e608e4390308014ed2506afc51f37aff

    • SHA1

      76512e644442202163b9f2263e27f47419cf23a9

    • SHA256

      a8844182255c5383be20ec415b7286551bb27f4713458001503fbb103d2c31db

    • SHA512

      3207e41e9cd605f656c2ab67e3a1ecd6683a122997c1e2ce0c6d1d81cc386c0b35f63ccca8544666edefe5d0f62ed13f15e6e40f174f5c8165fc02ea7c258676

    • SSDEEP

      12288:bMrWy908tzVcJEW7nALhp1z/px4WrIeZux1M0B:9yltezAtnRu3B

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2

    • Size

      1.3MB

    • MD5

      de7d8d1ea9ec74fca10fd63873b1fde4

    • SHA1

      4c951da991a818ce7f8abe42f63ffb431a852a47

    • SHA256

      c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2

    • SHA512

      e32819236f4147eae4ab734405e3a1807697cdfbd063587f42a5bb9914dd9f4bfc98f73a0b4e917da72bf0a2da8782a93fe0d151697a19db47d23d323e60f53f

    • SSDEEP

      24576:myK5ZJS6E1Nqug0ntSTM5GI+Xt3LEttlYWo7vKxso44vrtH9ex4mkQdmNIH:1oPbqNqp0tv+Bvjmsd4vFkx2gmNI

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3

    • Size

      398KB

    • MD5

      1962a9d6f9bb3071aee41ba0612974b4

    • SHA1

      c2fc7ba89e6c27d019b701551be1ac223518d463

    • SHA256

      cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3

    • SHA512

      242a38160ba03d1cafc1e966e6bfeb79485b65d837872733483ce2fa20aa87319943a5be8cc8a536ea85accbd70237560ff2d7a2b1c2830ad66f050388576176

    • SSDEEP

      6144:POrViSWAs3WHexAVklAO8V38RC9M/HdDCnlyPoPGC6:PCiSWLT+VMRC9uenlyKGC6

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      cb4c64011df6d9448d6e9f657a89d6cc8dfd2b81fc8262bccfab2f05465c39ef

    • Size

      475KB

    • MD5

      17ca9d808925fd7b581715d035aaf7b5

    • SHA1

      1b871f421945f1c0aad57afd64a66fe6cef10ee9

    • SHA256

      cb4c64011df6d9448d6e9f657a89d6cc8dfd2b81fc8262bccfab2f05465c39ef

    • SHA512

      0508071c4973158a87112e9e41f94cf65aaad40e47abac29e951ca8f05542f5c14ce99e94bb9b8a48a452c37ecb61a639e0d8399ffd1081eed2a0d30093c6b54

    • SSDEEP

      12288:BMrIy90iEk/sDEKKA/e7lK/KRHEXYp7Tgl6zyTf:dyDUQKzG7lcKpEAsl6zOf

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57

    • Size

      1.0MB

    • MD5

      ec3305d183846a3c92c07d0053b41f3b

    • SHA1

      4ea345e1ba5c1076a422310d48b1682ca2dcd56d

    • SHA256

      d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57

    • SHA512

      270a856c6522f0f683c64590393b286b825bcc39a99585417a125b3525451aa43bc7c5f9c7735d8504defafbd801e5632628245422859718656c3ab496eca76d

    • SSDEEP

      24576:KyP7XiJUqJaiZXcZA3g6NQ8QdfCZiGKN8b7GAoCgnL+eT:RzmEmsZAQ6O8QdfWiGFgn

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0

    • Size

      1.5MB

    • MD5

      290deb5ab4151b46f29bf37ab8758ad5

    • SHA1

      b51aeba964ad27b21cfa57bfe56b5a0d5524f600

    • SHA256

      dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0

    • SHA512

      5105de103ed8dffa09a59623c299c4f87ac621805159d08287ec3b1f1f426403522ae07a235678521a4bd21048202536d04ab65602aa139447aa3b2386471433

    • SSDEEP

      24576:AyrMyci1LXoDigLRi8JTgeuMgJQjjfOKs80ovQwpWgqTLnysS6FioMxt11aRA/Bw:HrqyL4iqikHgJEjfOR80iQw4gyys51Ko

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b

    • Size

      1.1MB

    • MD5

      a5806b1c53acceed775b77445ac26b79

    • SHA1

      3de6b77bdceee962ce162b643ae2e19bec370c6e

    • SHA256

      e017c199a693aee53fef17402d6258dee359f1092c5845f73d404e2646590b9b

    • SHA512

      302b2911f4cd2d9b6b5e9a0074dfa3d073575a2cc30432a92eac8d7183af760b69546dacad1f0902649bda95b115e3a94eae4b6314399c086abeeef5bd3d03c3

    • SSDEEP

      24576:GyTJ69GsovlWgZtLq/2NMA15Z09uses5g3+YB1s95AW9n:VTJ6ovldtO/2sZYB1s91

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e01acda3856cc169ddd84def2f4c60a6487d82da3d3c35333bff09986229bd7b

    • Size

      646KB

    • MD5

      6c89d3f6b678bc64af6da3c9cacac5eb

    • SHA1

      42da6d05e4fb3d6e51d47dee8f4a2c2c6cef04ae

    • SHA256

      e01acda3856cc169ddd84def2f4c60a6487d82da3d3c35333bff09986229bd7b

    • SHA512

      168a384f58da9afbb13ea68ca814142ac573c2267eb9d846f5432e0340e3d9dbaa6bdf0f1cf44a1388050b736e28ef04d2a689136d86b2bcfd5c7ffa207e4130

    • SSDEEP

      12288:JMrqy90W9/nMPyouTEjheF02hAyGg7mLaf8T+XfvMVk1U8nz:vyNnMPxjmAmRihEz

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e46b62442d214e617c5a6224fef70a4e5ed02b730b85396408e198e85f21eb14

    • Size

      1.0MB

    • MD5

      6c03229d81fc567135786fbc627f7928

    • SHA1

      ccd1f0b5ed2a01df2e350c08ea4753bca734eadf

    • SHA256

      e46b62442d214e617c5a6224fef70a4e5ed02b730b85396408e198e85f21eb14

    • SHA512

      88f008f2b3550b1a1acea62e3ad8e9500db30169267ef98ea167bf1601c5c784a363a7b384782fb6cccb6c0a0a2d7544ab5348fc81b6c1bd0cecab92ebf20080

    • SSDEEP

      12288:8MrAy90oPXQxQoIyewS+wtFSvQM4yddHQiRXRVUS8MK0XwYT/GbktvfVQGuWi2bB:8yeQ7mHQixRyqK0LyE3u2QgL2ILFgM1

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ef7029b98b2432c74d1512668109e659b6f7e89d2d4469a291c54309ecec0878

    • Size

      1.0MB

    • MD5

      8de6d338b7917582cc3494af6b19aa54

    • SHA1

      d4a666f93ac4befe23ac409b79ac195d4dabd653

    • SHA256

      ef7029b98b2432c74d1512668109e659b6f7e89d2d4469a291c54309ecec0878

    • SHA512

      6539908b8811e5edcf4661ac0204f440f9dea305dabb4d76dcdb476647b41c2473d0881c4ed89ef5b4170160efc8741cc9381e1c61f1ccdd4c35a7ea720d1b57

    • SSDEEP

      24576:7ycaV23mvVElyJqnozp4xiJ5io2YrvXCxRhA5rWtVnyc8:ucKy8JqWH5iYTXuRhu6Pn

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
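
Added example, not from the report: the behavioural signatures listed for the targets above, mapped onto Sysmon registry telemetry (Event ID 13, value set). Run-key additions are treated as a low-confidence hit and upgraded to an Amadey hit when the value data points at one of the install_dir\install_file pairs from the extracted configs; a Defender Real-Time Protection Disable* policy value set to 1 is reported as the Defender signature. The registry paths are my assumptions about what the signatures cover, the events are constructed, and because Sysmon records no registry reads, the "Checks computer location settings" lookup is not recoverable from these events.

```python
"""Map the persistence/evasion signatures reported for the targets onto Sysmon
registry telemetry (Event ID 13, RegistryEvent value set).

Added example. The Amadey install_dir/install_file pairs are copied from the
extracted configs above; the registry paths are assumptions about what the
signatures cover; the events are constructed.
"""
import re
from dataclasses import dataclass

AMADEY_INSTALLS = {
    ("b40d11255d", "saves.exe"),
    ("fefffe8cea", "explonde.exe"),
    ("cb378487cf", "legota.exe"),
    ("fefffe8cea", "explothe.exe"),
}

# "Adds Run key to start application": any value set under Run / RunOnce.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# "Modifies Windows Defender Real-time Protection settings": a Disable* policy
# value under the Real-Time Protection key set to 1.
DEFENDER_RTP_RE = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
# "Checks computer location settings" is a registry *read* (the report says the
# sample looks up the configured country code); Sysmon logs no registry reads,
# so that signature cannot be recovered from Event ID 13 and is not mapped here.


@dataclass
class Finding:
    host: str
    image: str
    signature: str
    detail: str


def classify_event(ev: dict) -> list[Finding]:
    """Return zero or more findings for one Sysmon registry event."""
    findings: list[Finding] = []
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return findings
    target, details = ev["TargetObject"], str(ev.get("Details", ""))

    if RUN_KEY_RE.search(target):
        signature = "Adds Run key to start application"
        for install_dir, install_file in AMADEY_INSTALLS:
            # Data pointing at <install_dir>\<install_file> is the Amadey config itself.
            if f"\\{install_dir}\\{install_file}".lower() in details.lower():
                signature = f"Amadey persistence ({install_dir}\\{install_file})"
                break
        findings.append(Finding(ev["Computer"], ev["Image"], signature, details))

    m = DEFENDER_RTP_RE.search(target)
    if m and details.strip().lower() in ("dword (0x00000001)", "1"):
        findings.append(Finding(ev["Computer"], ev["Image"],
                                "Modifies Windows Defender Real-time Protection settings",
                                m.group(1)))
    return findings


def triage(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in classify_event(ev)]


# Constructed events: an Amadey-style Run key, Defender RTP disabled, a benign
# vendor Run key, and Defender RTP re-enabled (value 0, not a finding).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS01",
     "Image": r"C:\Users\user\AppData\Local\Temp\b40d11255d\saves.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\saves",
     "Details": r"C:\Users\user\AppData\Local\Temp\b40d11255d\saves.exe"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS01",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS02",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS02",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} {f.signature}: {f.detail} ({f.image})")
```

The generic Run-key rule will fire on legitimate installers, as the third constructed event shows; the install_dir\install_file match is what turns the same telemetry into a sample-specific indicator, and the directory names are a better pivot than the file names, since two of the configs reuse fefffe8cea with different executables.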

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

mystic smokeloader backdoor evasion persistence stealer trojan
Score
10/10

behavioral2

mystic redline kinza infostealer persistence stealer
Score
10/10

behavioral3

mystic redline kinza infostealer persistence stealer
Score
10/10

behavioral4

amadey healer mystic redline 04d170 daf753 gruha dropper evasion infostealer persistence stealer trojan
Score
10/10

behavioral5

mystic smokeloader backdoor evasion persistence stealer trojan
Score
10/10

behavioral6

mystic redline kinza infostealer persistence stealer
Score
10/10

behavioral7

mystic redline kinder infostealer persistence stealer
Score
10/10

behavioral8

mystic redline kedru infostealer persistence stealer
Score
10/10

behavioral9

mystic redline kinza infostealer persistence stealer
Score
10/10

behavioral10

mystic smokeloader backdoor evasion persistence stealer trojan
Score
10/10

behavioral11

amadey redline 59b440 mrak evasion infostealer persistence trojan
Score
10/10

behavioral12

mystic redline kinza infostealer persistence stealer
Score
10/10

behavioral13

redline darts infostealer
Score
10/10

behavioral14

redline darts infostealer
Score
10/10

behavioral15

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan
Score
10/10

behavioral16

mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan
Score
10/10

behavioral17

mystic redline kinza infostealer persistence stealer
Score
10/10

behavioral18

privateloader redline risepro horda infostealer loader persistence stealer
Score
10/10

behavioral19

mystic smokeloader backdoor evasion persistence stealer trojan
Score
10/10

behavioral20

amadey healer mystic redline daf753 fb0fb8 gruha dropper evasion infostealer persistence stealer trojan
Score
10/10

behavioral21

amadey mystic redline 59b440 mrak evasion infostealer persistence stealer trojan
Score
10/10