General

  • Target

    r1.zip

  • Size

    19.8MB

  • Sample

    240523-lyrd9ace56

  • MD5

    7372914225f6a9fefb6c9f824bce934b

  • SHA1

    60ca200155a154c76bd419590d2976962f25ea48

  • SHA256

    b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

  • SHA512

    d8fc673fdacd756b2d81f14d71724c7be716ad2bd7618a5ebe6806e58970f0cd0cb073df898e584dc4bbce6befdbded05d6577c3bd25c6893a0f5763698ab8cb

  • SSDEEP

    393216:I352sY9EAvP6+7PPHyp0d68qI0XaKGF1bT9ZhXiw9hq:+dcF7PPHypTtIghGF9V39M

Malware Config

Extracted

Family

redline

Botnet

supera

C2

77.91.124.82:19071

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

redline

Botnet

plost

C2

77.91.124.86:19084

Targets

    • Target

      169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd

    • Size

      1.1MB

    • MD5

      fb7f64bb0a4554798853318043392040

    • SHA1

      4c81df15636106a1cedc43f0435443c9b1547f2e

    • SHA256

      169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd

    • SHA512

      56028f73d5d98c0915462996be04b5a7ebdffbbb7188618e2ec2825ebe0b95cfa1b1fc36192b0ca6af9a60b15e285d515c4c91398d0e5bd45241c7d3ff41cbe0

    • SSDEEP

      24576:cy1c2oUIaB6nHyAA91U3UyIXZdYnVFrNcnoKfaxBS1SAE:L1mUpDt92nlqnLynSUA

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f

    • Size

      1.5MB

    • MD5

      b61170f2b227f99ed0257b938906f686

    • SHA1

      f6a839a52f0af527b1ae2a4b37946941b18da532

    • SHA256

      2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f

    • SHA512

      97ba944bc336d05f72362828c87f6101ffd639d8edf47d52e94648396a5075b771dfd46bdfc5347a911460647d4d10eb91032d848374e21b53341a1f1ad86c94

    • SSDEEP

      24576:Ey0Xn/cq0cXV5RSiGOQqZFoZiQVrRmG47oeQBVx6WolM2y32bRu9MzkWfB0yxNlV:T0UwXVuHOvmRr48eQV6Woy52bR0ikgXN

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3d26ff1c7f2a98b2c2c03ddc43bd17ad629931d425986a46cb7ba3ef54b1ba6f

    • Size

      762KB

    • MD5

      11df01e82b58f1a3d8a5c62a401219b7

    • SHA1

      2773e63a84277c066dcc19d137ee8ead40b0f425

    • SHA256

      3d26ff1c7f2a98b2c2c03ddc43bd17ad629931d425986a46cb7ba3ef54b1ba6f

    • SHA512

      31bcc0b35d3b233e2492d8b926faf5e0125759c25d4e31ad856f18ece1b8f5f9f227318243e2073fa0e9c2a8446975e74e4353fe0c62421205112f39c5b04042

    • SSDEEP

      12288:1MrEy90prXEjmnceU42eTQuYz2IQKg232Jmx95wb4g5AhQVO3f92BiU/oD45f1Uy:Jy+DXce326QuYCF2emxPwb4oAhEOv9oT

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5

    • Size

      1.3MB

    • MD5

      546b638f06657955666299dcead4ea56

    • SHA1

      6714be04f61627cde0ce56ea6da5dac844faa55a

    • SHA256

      4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5

    • SHA512

      4a1896a72963c9931520ca4365f8d5e31bd9644562218ea6d5866ca6fb8f8923e4291752c35c255879212aa33a4dd64caa274e019dbe6144bd9f2e911c0096d5

    • SSDEEP

      24576:5yJYHB+O7bfYoN2SO7/OKvsCQnP93Q7tlI2zhFaa5YjBDcP9p3BsdP3l56/9:sJa7bMSObOKvsCQ1AZljtFaZDc3eP15C

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6

    • Size

      1.3MB

    • MD5

      c9fecce5ddbbb4c08036eb804806585a

    • SHA1

      de118ddb2f2b644a73e314d1bfc9ff777b84c41c

    • SHA256

      453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6

    • SHA512

      59be1a656c71b2dd3a2891a6b27e842f808074dffdd1b954d0ee781bab2183b048263e9381489223d97e74aff6cd8bfa825cab657c4b9aa9eba9d7f8d234faff

    • SSDEEP

      24576:Iydmfk80iPrZsm2S05doZXri0tAnA+dzNpm5uQVMsi0:Pyk4ZPCU1And58pp

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687

    • Size

      476KB

    • MD5

      1f97ceddfda581c9ec60046f75303998

    • SHA1

      46877392054ca0be8a14c4e1d9b3d29e07207dab

    • SHA256

      4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687

    • SHA512

      fa8de06624492e47336c1df59269b2ce95aa73016f75f50514bc8e7d72d5fd3d453cb9af4b4a7673b91f3582b5ac639f264f674de11beb0cec2535f66a9ae076

    • SSDEEP

      6144:Kzy+bnr+up0yN90QE8nNKUZvdbWjVJGZ0KbFOfs/jfh3Q+KRFgEXtaBv7+hKBfsR:FMr+y90WnrFz75g+KRuEXYp7nBfBp45

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b

    • Size

      755KB

    • MD5

      6e2b42c5af81be00ce089c6402751459

    • SHA1

      e87e49393955166a1f1b1e3882b77d51085c2a8f

    • SHA256

      6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b

    • SHA512

      01149b34aaece48cdd430dc8c2a66907d3fb1580088718b2e80c783b8e9030c5c83cfa4b3c239ff0c68a7e5f465c173a0c93b6d32b311ac950369f157d775092

    • SSDEEP

      12288:kMr4y90irAsuxGEW8QklzHVZOGhYZkqfzYiWW9rHZuU/kFuFadflBRX9gCemkfBL:0yNjCCkl7zY9LYR+bZuSKdTgCeLZLGrI

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6ab7739b7f0b5cc84bf55cd6f09beb3d4860ec6428202c54e8e023161020c8d6

    • Size

      759KB

    • MD5

      b69c615e91840a82076fe1dc0175cd5c

    • SHA1

      bb23d10b27c9fb45af61d9414f31944bbfd6d62b

    • SHA256

      6ab7739b7f0b5cc84bf55cd6f09beb3d4860ec6428202c54e8e023161020c8d6

    • SHA512

      5a4aa247c3bb6167c03c050c2899f8a669c3835a93ee16509dfbeb2f06eae38b4cec1e3c8a5efc65e8df2eba665c1f42b85b192edd3fb2f7d1ce43761d134c90

    • SSDEEP

      12288:4MrMy90OPICz9hQnKZKC5Z7O9mpz53ClrunebLXR0prExFgUI24a211bt:kyrPJQKZKC5ZCkz5SRunebLB0p3UH4ao

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311

    • Size

      1.6MB

    • MD5

      1024fec3b2cca2d8731fc254914a59fb

    • SHA1

      45d91a792f85805515fee405c53b9981ce67fe22

    • SHA256

      741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311

    • SHA512

      f3aac832937c04a62f2663dfd94be4a9645fb22b522c2711cffb8e9bf91630a9f128cb26b957db21225cc88f45c093cc054ebdb2ec67e47fa5b434ce3aa915ce

    • SSDEEP

      49152:5iYBtU/Vq+vgnB79J3elmGO/mvUkk3R9PvS:RBtU1vgB7b3TGOuveR9S

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f

    • Size

      398KB

    • MD5

      d8f765c09c4b7ccdee780360b63a449b

    • SHA1

      064dbe7139eed5510ecc24a0893b7e02418c4a01

    • SHA256

      7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f

    • SHA512

      f26497744246d6621b72abd70e8e3637026ff6bddf535eaf752834b739390aa4e6dfd830ab66ee429516e264f569f8b1822ad3fc6ab1d5ac6011c008a782a2cd

    • SSDEEP

      12288:guiSWLTVm+lfvADXLo/JHIHFtocDtM+avbiwaQGC6:gsWNcP

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576

    • Size

      759KB

    • MD5

      05e9b1e9e4a45d3390b5b633daa40716

    • SHA1

      5829febba902de0be9afd3b3319f941e639ce8a9

    • SHA256

      889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576

    • SHA512

      5f55a5e74477426919414c3a969cd406788e58d75a4e9eb88876e5ebf331f9760129550a9fc65278581b587f993464cd4df1caad9982aea22a7d4b8f160ec4c7

    • SSDEEP

      12288:dMrJy90gMXNMpwN+kHclWLslLMQcwPEH+J3sb4zTnvcgv7:oyRaOlCsqQcw5J3waDvlv7

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85

    • Size

      1.5MB

    • MD5

      425c8308ba915888c763598588323ac2

    • SHA1

      9410ce870c4ce520e471918f4aae9483b41c6b07

    • SHA256

      92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85

    • SHA512

      01ab83ce85b80e525c78b09b80092154fb7546340e848706e1ca2d4133b41e04725bbca849fa5c2c1e9eab4fbcf2a181e2eb86a7e8d5ec190f1caf25da3a7436

    • SSDEEP

      24576:ZyRdA6tQPlsQxiyNcQwRZxDbV8Gubb2XY04aiWWcREuLBu1uAhzOkZ86+Hy:MRdAHlsQxiMwfRJ8Gkw4HtYBu1ucCy8n

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050

    • Size

      1.5MB

    • MD5

      5b1b2dc80e055c1f9326a1559bde65a6

    • SHA1

      ea89222071ba275583438c34bf4b4f8b3158f798

    • SHA256

      9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050

    • SHA512

      ebf613b3bedd1f9bb5db26415f70a35cbd03b5fd1ee0e7e1365802e39d434c8fa3324141c835ef2d0edbf47bb5e74413a1bf4f33e61148a577b082c454e31580

    • SSDEEP

      24576:NyxMR3S1glDa50/SVv/sSf/D+JqaiuzDNV3vhwc9w8//Pkaku0bLYYddc8z:oOrlLSVvUSfyQuznpw0/cRbTQ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      abd0fa453ed59d06e5c3d6cbafe873f404a47cab8f3c4bcd545fdfa7491ff4b8

    • Size

      1.5MB

    • MD5

      090c442ab1c3527cff4f2f6ecf5ff0ee

    • SHA1

      b13d5874fdf1f09157903266f073595f3f963ed8

    • SHA256

      abd0fa453ed59d06e5c3d6cbafe873f404a47cab8f3c4bcd545fdfa7491ff4b8

    • SHA512

      a8c7cb90924db8e02d9e318706b8de9473fd1d0d90cf5aa2b6bc7f010267d1d16a837bda18ca2be90fa4b615a928b8ad6ef81c7973e3e7919dc79b19709c2720

    • SSDEEP

      24576:4yP5FFcI1Vh7epXc+McyzpMXAVF18geTZ/hoFM4ewM269QDTExGMsP71:/P58IJ4rMcMiXAVoIFMI/C+IxG

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b28f0b13221fc5aaa297029cc7c28a22c5b5dfe8aa6626036342ae0b862d8838

    • Size

      761KB

    • MD5

      b2dcabdfbf8b456e5d150752dcba2f53

    • SHA1

      debe493dcb0e8abf0d6a4ede1ba178e5b0d8480f

    • SHA256

      b28f0b13221fc5aaa297029cc7c28a22c5b5dfe8aa6626036342ae0b862d8838

    • SHA512

      cedb134c0df27cd1a8e3736aa7f69fd9ea4241e250d87e7d8c978fa0e0c73d7c2e88cd021532bfdae6337b14d007331d6eaac3bdf18b0eef632ef24dfc15a165

    • SSDEEP

      12288:wMrHy90cZo8wMkIK5vUBkYMH/v5+up8vhe8OPKQa6CDD4KQ2/XVu08zEQw5AI9cM:nynxb1K58qKE8vjPQa6I7fKA9cFu3

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf

    • Size

      1.5MB

    • MD5

      e0838331cb44293a79942554f0e84be8

    • SHA1

      3337c90644f3abd2097d4f64605500f902e7c1e5

    • SHA256

      d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf

    • SHA512

      d66c8e738b7a8a6115fe2973778380aab22f7f57f5365c2e8a4f3de5205ab09f42ea6a0f33eb91414bed617e568bdbbe4cda1ececf437c1e2f45d03cce64d991

    • SSDEEP

      24576:EyUZ5lFEBJT1rKp9725NozE/LY0is+KPwqih27rCy/ZkEJXqgJiqUTLw4OCTbsDf:TC5PEBJT1rK+5NozEDYvdh23hkeTiJ/D

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc

    • Size

      269KB

    • MD5

      7ec5ca4d34f4e800463edf4efb264e9f

    • SHA1

      ff0a96b1b3e5f28a9fd9a288c5f6f65e1b1f26fa

    • SHA256

      db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc

    • SHA512

      419570d3ff5e58ef4d2fceaeb9ea2135d5b6e9835cc74bdedd0e9690fe7f5182db53fd5a0aad174ad2a8dd7a3a8bbd83e925fdae522cff8b89977818a04eab3d

    • SSDEEP

      3072:bQTHC0ctZI6461YHBe6Itf1/iTY6ce6pn++RcNLkBHgDK6gpRnUuEeAg0FujDFzP:bQFctlMQMY6Vo++E0R6gFAOp9Z+g35

    • Target

      e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753

    • Size

      1.5MB

    • MD5

      7964cb5a97e62e57f61be66176a87389

    • SHA1

      1c334b41b699bd6252712e511f7304c081dce0fa

    • SHA256

      e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753

    • SHA512

      5391152d80f48d68120f3a37018e764eca765db51766b5d7067927447fe915983e297b01da9fb9eb873a3e041d8f025c87396375ef4c49ca06c7c9364d6a8fd0

    • SSDEEP

      24576:qyp47I/ToqZ/x8ezGGzzGuosA5Kfx1XZ5MgOVRjS5GECHcPB5KYPEyqfrm2fgNJ2:xp48z/u6jGu2Ap1XZ5LKTEAcPWYcyef8

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628

    • Size

      761KB

    • MD5

      06138684c4b8c192821da39e5acca07a

    • SHA1

      e58549604d1d468fea175b8db2482018af6a7372

    • SHA256

      e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628

    • SHA512

      17c066953b74e0e7b5d284a2fe25cc2d7cc490104432b6c9da0dbbdd0f6be99b3d8338ad042828382ca09acd2156db1ec988feeab9ac2b25dc3496468ae93de1

    • SSDEEP

      12288:GMrgy90DKILFwj2MGzpceuIBL3yUXyL5xfekP8zp6BltXY7LiELUWZxykBSG7:Wy/o4fGzuetB7dXydVeg89Ko7cQykoO

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c

    • Size

      1.2MB

    • MD5

      76094730492ea88d8299d508bf86a603

    • SHA1

      4f10b858908e81198486c5489cf4ba3c3ee6006f

    • SHA256

      fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c

    • SHA512

      3aa8fca996bf4e116426e2cc961e19c26925a6c5546ab8f04b088939b6ee9992ebcebe7fa691cb75c5644de478a8fa78ca1191c8d33c5e7302cc02b4c3a8e46a

    • SSDEEP

      24576:Dy31TXXKWNRn6cKMGelRndJzjO1O0k2WGtwSHo:WxnKWNR6jO61OT2WGt5H

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Scheduled Task/Job (T1053): 4

Persistence

  • Create or Modify System Process (T1543): 4

  • Windows Service (T1543.003): 4

  • Boot or Logon Autostart Execution (T1547): 18

  • Registry Run Keys / Startup Folder (T1547.001): 18

  • Scheduled Task/Job (T1053): 4

Privilege Escalation

  • Create or Modify System Process (T1543): 4

  • Windows Service (T1543.003): 4

  • Boot or Logon Autostart Execution (T1547): 18

  • Registry Run Keys / Startup Folder (T1547.001): 18

  • Scheduled Task/Job (T1053): 4

Defense Evasion

  • Modify Registry (T1112): 23

  • Impair Defenses (T1562): 5

  • Disable or Modify Tools (T1562.001): 5

Discovery

  • Query Registry (T1012): 11

  • Peripheral Device Discovery (T1120): 4

  • System Information Discovery (T1082): 14

Tasks

static1

Score
3/10

behavioral1

mystic, redline, smokeloader, supera, backdoor, evasion, infostealer, persistence, stealer, trojan
Score
10/10

behavioral2

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral3

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral4

amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score
10/10

behavioral5

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral6

amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score
10/10

behavioral7

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral8

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral9

mystic, redline, smokeloader, plost, backdoor, evasion, infostealer, persistence, stealer, trojan
Score
10/10

behavioral10

redline, darts, infostealer
Score
10/10

behavioral11

redline, darts, infostealer
Score
10/10

behavioral12

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral13

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral14

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral15

amadey, mystic, redline, smokeloader, 04d170, grome, backdoor, evasion, infostealer, persistence, stealer, trojan
Score
10/10

behavioral16

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral17

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral18

smokeloader, backdoor, trojan
Score
10/10

behavioral19

smokeloader, backdoor, trojan
Score
10/10

behavioral20

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral21

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral22

healer, mystic, redline, darts, kendo, dropper, evasion, infostealer, persistence, stealer, trojan
Score
10/10