amadey

Sharing

Copy URL

Twitter E-mail

General

Target

r.zip
Size

18.6MB
Sample

240523-lxna7sce4y
MD5

17021f932242b4675408601764ba0df9
SHA1

ff6af180438661890917b372d0197dc34253b5f4
SHA256

9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53
SHA512

c330e147f31d62dafcaea2471a895aa3aaab6364f237d4c525258be0dfae5a43e131d73b006b4f99dd2453d7da931f07e958255dd5a326ab3224138beebdedfd
SSDEEP

393216:3hFfBrTev+dIaSlILsdcWoW8KT00wJoBjwtv+rBo:PV4+4KPWNi0wWBjwkBo

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

gadki

77.91.124.82:19071

Attributes

auth_value
2efd98e4d8880b45676de60a0faf778f

Targets

- Target
  
  06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3
- Size
  
  661KB
- MD5
  
  cdca3895f27cdc05ca4e3805722b13a8
- SHA1
  
  908e4fd065b858e327ed442c9db06f432c5b7522
- SHA256
  
  06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3
- SHA512
  
  b36b19510dae31d34dd68c965c94da203ca1b03234aa01b9975b05f9f987552039ee7d52e867861e5bd9267e0b85442bef26fb8e6a4981e6c903f3ad936a3bbd
- SSDEEP
  
  12288:eMrCy90WnmXRO3Rrm7fhF/4ZwsSdqSZEiAjyjElCydS4U:Qyfb3ELf4ZStGiAjt7U
Score

10^/10

healer redline mrak dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19
- Size
  
  1.1MB
- MD5
  
  b0be87fbefa8fb816eda48b5873f30e6
- SHA1
  
  580f46fb499394653f1c7a29a1bc0baccad32c0a
- SHA256
  
  14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19
- SHA512
  
  b7292045ce5adf9297dc9a4e68f9f749cab705e8dfb229fb4a8159d675d627ddd741733f6d06ca36b9987c3f8ea9f4d3fc61a9135dd18d3c7af176be124769f8
- SSDEEP
  
  24576:Jy29JdP9SYg8rvouFInG4qc3+BbLMtuQ/dIkFSE9s31hV:825FSYggoIInGu42uqdIke31h
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a
- Size
  
  657KB
- MD5
  
  01a84bc0f9662c85b3e51840340584e7
- SHA1
  
  f9b058a4d293cd4736466b97a75159823e2a0ac9
- SHA256
  
  16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a
- SHA512
  
  b78da685b4ac48bf111285dadd929e76f2282f50e66c31df783dc92c677d8c6d3ee5d64aa11b7d70102cf556565bdd29b6a7bbd0b88582115471d77ef73f193d
- SSDEEP
  
  12288:KMrhy90Dr/7bS2jGH0CwdYQS6QbyfFAF0oxJ5myPoOmIfb:TyanVGUCwd/S6QbyfFA75oOmGb
Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  192ce44be6557d6d98a2de008c00df07b0f5063ea96bbd2751389b1f82c5f6d3
- Size
  
  768KB
- MD5
  
  0de600ae6ec8490fb19ad446930f8581
- SHA1
  
  79c2e47abfcdcb80601a81d332f280d219a94872
- SHA256
  
  192ce44be6557d6d98a2de008c00df07b0f5063ea96bbd2751389b1f82c5f6d3
- SHA512
  
  95f5a3954717d1e180d4ece7078c021ad336310abdcda5375e709454835c0e9313c4d9aa9986a4da08936c0c29bca9c99a30c8d14904083c44ccf2a0ba39807f
- SSDEEP
  
  12288:DMrDy90GW5A7L+zRAfUBhN5wCPvRLDXq6LI9Gi23rfOttApNxdNMJPXP:oya5MfU/NvRXq3UikOtWNxdNMJ3
Score

10^/10

mystic redline kedru infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf
- Size
  
  812KB
- MD5
  
  f7e69c620af0bbd5653d5fc8405ba587
- SHA1
  
  73008bbde185403def406416c45415afe1cef642
- SHA256
  
  208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf
- SHA512
  
  07be351902a0d7ba7fffc00fa18688a052df745c669439a03da3becfded56c445085848621951b3023cc1f145620a65a761fcb41472b5a50568366ee5e900e1b
- SSDEEP
  
  24576:ryTEwKx9ELd2lTQ9TgFldOrHWzB3Ka6m:eUgLo5Q9Ttr2zBj6
Score

10^/10

amadey healer redline fb0fb8 mrak dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19
- Size
  
  562KB
- MD5
  
  d251764d069bab0638824c87cb165aeb
- SHA1
  
  0d494f305b99a1dc6eb0a5975c9a14752a41a166
- SHA256
  
  2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19
- SHA512
  
  6b53824cf7ab1cd26f8052544a446471f1719bc8dd75ee5bdd7bd0db9044c16b756fd975c29549e8f1549027674c0b9073749cd5365dd77570e0d2fcb4f81b8d
- SSDEEP
  
  12288:1Mrky903T8TiTWrrVK31Ht/q7CErraIitJ00Q9ZQkoCiznSVk:tyHJCH/ErraIKu0uQkbCSm
Score

10^/10

mystic redline gadki infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32
- Size
  
  1.3MB
- MD5
  
  5fd4292227679641bd077b5860cc1b20
- SHA1
  
  6d16d9ed9789439a53edcb08fc29c94dc333ddec
- SHA256
  
  2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32
- SHA512
  
  18a29392c34b6cf2efec0cd7c8fe3d1c46ef140eee726ec2a6bcc78cdabbce19b7ba74d434e1bfed37acc40ad1e91146ad56a011dc670bf696469dc8723021f8
- SSDEEP
  
  24576:nyuoJKNzEOwgX1dtUiF7y3rnffcn+CnHREo6MsW:yuxwgWKy3rffcnlLT
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7
- Target
  
  396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0
- Size
  
  1.1MB
- MD5
  
  491a1a616709c3545421cfe7e9a0a5fe
- SHA1
  
  6209307eb09238a51579b3edc7bfbde97c768f0d
- SHA256
  
  396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0
- SHA512
  
  87a8177818b18120384e0bc87a8c708064220015e222f15803065883749afce38e2a5c5e9af6ddcf5f3f15ff18818a10290f5cd42a19095dcf11af9d779c9491
- SSDEEP
  
  24576:sy0xoIFWVsveTG7W2KWEbrHG0+1TryyzBEPx7Ff5F4LTmmgcDAg+j:bPIFWVs2TGS2KWEbrm0QyIqPD4TQ
Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025
- Size
  
  758KB
- MD5
  
  58a76a83d31f69b1e0993a815a2517e0
- SHA1
  
  6ceac1337bc5e2da34b589f7576afb4a51418b68
- SHA256
  
  777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025
- SHA512
  
  a8971952932e832df09dc342f815a4fba0b70c2cfc749f75da4f637aec932ca65ea2d208ef6f21ffc27110ecd6208bb5249404f79c7b02ddd7a3f9531a347c22
- SSDEEP
  
  12288:fMrcy90nMThj98Ro0z8P0OUqXZhvGzDVhhtiGCUg5P8+zgdHQOPdJiYa7:byn5ORSLZJ8pdlCLkHZdJxU
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6
- Size
  
  759KB
- MD5
  
  cf283b15a0808e714c3020620715628a
- SHA1
  
  69bd17b4907e8b78c53429930364dbd013fe55da
- SHA256
  
  7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6
- SHA512
  
  6279071eca90cc1a6fa7010c081dc24cf3135bf46fc68dbfa83a918afa1b75e87cbdf401fbe07ff38c42ec71bfce69914fa0937bf32cd39dcc899d3caacfebbd
- SSDEEP
  
  12288:QMrny90ZKeg3G9Lrl3sBzIhill3+XhfOR0u7l9AJ/62muR4x7p:nyoKeg3G9Lrl8ZneNOP7J2D4
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10
- Target
  
  80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66
- Size
  
  1.3MB
- MD5
  
  95d542493374dbe6e7e9169abb4d8b9d
- SHA1
  
  81e518810940fc2b2992369fd314a1ef254e7e7d
- SHA256
  
  80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66
- SHA512
  
  6f4699024fbd3d76686e06f62f1d43153eec1b6be02bec68f111405e21842c81306ad3811cc574eeeb3424d052d856548590ce574b8f92669a788556d5c8aa43
- SSDEEP
  
  24576:VyINMxLEUjKKpiwMUvPtGcrSwppr/hzYqHmBv/Qz7GZ:wWMt1OU9JSwzr/hVcv/QzK
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42
- Size
  
  1.2MB
- MD5
  
  8c1c0914a0def51e04e998dd838101cd
- SHA1
  
  b87baade2891a73a85efed31f915502e52ac9c8a
- SHA256
  
  8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42
- SHA512
  
  2a5cbd449be690d512471ca0a3d1c3a8e1e6f88e31cb92cc01c007c418f90f4194f5b4d25c1d8781957be8a050617e21ca7eec9212bc5bac2db0c35db1160b55
- SSDEEP
  
  24576:nybWEzJzFzI7rAK+1QrZkCcedGcTkWKRLGFA34cMaxHzq96AuR6r6SR6T5Es:ybWEzNFzI/AK+1QaCcedGKkT3vxTqUyf
Score

10^/10

amadey mystic redline 59b440 mrak infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral12
- Target
  
  9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4
- Size
  
  903KB
- MD5
  
  56cbf85c17dc70913672f90b1f36fbfc
- SHA1
  
  205c818fd0e8d76ea21b3cd03704a2ae71f85a76
- SHA256
  
  9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4
- SHA512
  
  dbdde039478539be601d9bec0e9d88ed590f3c35ddf9e98eefe10affcf9dc7b809349741c4ef2ab740d0af6352dd0ce46412028b77a516a1ac6475bcb4c2c5db
- SSDEEP
  
  24576:byb2x0Hx9Isn62mKFE0e1PMGI4InO6fbWaqErse0mdbi:OU0Hx9ISMKFE0eZMlndbsezd
Score

10^/10

amadey redline 59b440 mrak infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3
- Size
  
  759KB
- MD5
  
  2046ecfb589e1470442d1971a5e97756
- SHA1
  
  ccc3b65402c365cd1bd4a91df860a4dc4e9fadfa
- SHA256
  
  9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3
- SHA512
  
  1807c3b6f112db629c9b7e00e917271918c1cbcb0ff5f9830fe3468c44789a59e1dfdebb5ff8f9d28bf4ec2559801751a7715cecfd3bc73192a022a60784e96a
- SSDEEP
  
  12288:OMr5y90cUoQMHdLd7H0wCdF4f5COt0ij7xV6EGeNdEENlrmFscQyCkqqA:HykTolH0wMywpL5QpmUqA
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52
- Size
  
  1.5MB
- MD5
  
  107010beec076341ed4728108616ae14
- SHA1
  
  d521c427abf30e3dea44b2e3a6715310b13d5236
- SHA256
  
  a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52
- SHA512
  
  c3646f0d843750387e5b839247777ae8ad2ac09c8a421f5f51f9da537de753fbe2598b172e704a1e80265305f08c66cd5e60130cbaca52774bc0451ab032ca78
- SSDEEP
  
  24576:ByyUtVJGOjT10AgnfUZqs+D5aT82lA/Z1SMU9sWdtqvO9J:0yUhRT10Lnf8Z+D5YNKR1SMUfdt0U
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28
- Size
  
  1.5MB
- MD5
  
  039c520ad29f179727d52fd7bb41ddc9
- SHA1
  
  68e44ea4487f50fa6c97b3aa739bf3c2bb15e2f5
- SHA256
  
  aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28
- SHA512
  
  e22e81f49b448e7d18f7bfdb3b13688020b279a6fb39db44238e2f695f90dab9f3b9af6409fc80f8a799537f330af753abc8e3548baad183ce24d7a61e74f0e8
- SSDEEP
  
  24576:Vy8nyYj4q3Y6M2GWyMu86ZD4SBFL/gfzWHbawDN67vluQaU8t0EOU2luc4kFO6i:w8ny24qNtyMuF4iSqHb/YPaavUcP4KO6
Score

10^/10

mystic redline kedru infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral16
- Target
  
  e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe
- Size
  
  762KB
- MD5
  
  cce0e6653ee5fa0a395399fe8afaf08c
- SHA1
  
  4a4de5189ff93859b4021df87baa7b2978be0dae
- SHA256
  
  e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe
- SHA512
  
  ff882db3fc989c2fc6bfa3e3cb93210564a1bf4ddf2a2e670e5b33566e49f7d12239097350014b2b0f746dab55324cff2daae792c00b1c2a37c18dc72d585855
- SSDEEP
  
  12288:VMrXy90LmNlxfXHTA+RpYhaaKPDXuct1VfGdrAUKhzx4ot1Qj:uyGCt0LIaiPTRGqdtM
Score

10^/10

mystic redline kinza infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb
- Size
  
  758KB
- MD5
  
  82d69f920d5865457796a89dcff321e9
- SHA1
  
  b983f0ae70afe27f4036ba9bf72d2209e24e322e
- SHA256
  
  e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb
- SHA512
  
  bfe94ca286e25843736c716b9b1007f6927d05e490875518e91f8d1ce574d5472b7b140abe14a6b7f777a2262b049fedd57f143cd21cdb630ee6de9f6533bbde
- SSDEEP
  
  12288:rMrty90yoBOaQUpKpIs7266c/HhBDgjLIQ1WgWK7mUJtSVWrFkfKKu:KyMkUEIs6zGhBDgd1WgH7mgYWr/Ku
Score

10^/10

redline kinza infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral18
- Target
  
  f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871
- Size
  
  912KB
- MD5
  
  e9b14be79a6909ca38f58170004f3cdd
- SHA1
  
  b00c579790015e8312c932100446631bac44ae79
- SHA256
  
  f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871
- SHA512
  
  f40e080f0d45ea975a223a017af846ab7b28a50ef55a44cf3c25fe708008d5e89a21913192da271001c5589b339e8ee1e27aa3d8820ea93cb383680c4d3f1115
- SSDEEP
  
  24576:6yqPzRmBHa4Zyi7tOIfXl93jr+Du4dk1j:Bq8aFaNPzIu40
Score

10^/10

mystic redline luate infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral19
- Target
  
  f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf
- Size
  
  1.6MB
- MD5
  
  97453055568c0ddae722add23c1805c2
- SHA1
  
  520a1d3ecf08a765dc04394ddafec79919a37126
- SHA256
  
  f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf
- SHA512
  
  52a14c06f6b61b05db155c469bf23153188ec6adc8683acb1c76c6eb090dd50e19e8d29eeae92fd7953bd13ca9095530edd3e14936ef54fe487e80c5e84a81d4
- SSDEEP
  
  49152:xmPBfFYwWOac3d97MlGFh2c0AHs69OTryrzItwcHFwqfCtWVbIM:OnYua2EgO369OTAzItwcHF1KtWVb
Score

10^/10

amadey mystic redline smokeloader 04d170 plost backdoor paypal evasion infostealer persistence phishing stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

PrivateLoader

RedLine

RedLine payload

RisePro

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Amadey

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload