amadey | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Sharing

General

Target

r.zip
Size

12.5MB
Sample

240523-m76qzadh9x
MD5

e4bd60cdb10b2ff64d5c0cf7502f822b
SHA1

834f915acd430c73892ef034f26a9f75d04a81aa
SHA256

4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f
SHA512

ae8a9f87900f7b5c3caf267bb295fccf26238ed87955c28867be418f12459ee15de416d91addb304cd52b8e6213c4d951d30230b4c802e4991cb8f7824264b44
SSDEEP

393216:YJaKhV6K5Omb+4l9DpPmooWGoVPSxluAUdRfD5/07:Y0K52iLoAV6xQBM7

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

jokes

77.91.124.82:19071

Attributes

auth_value
fb7b36b70ae30fb2b72f789037350cdb

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Targets

- Target
  
  0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9
- Size
  
  769KB
- MD5
  
  9a6f01b6a183cc8030ef109090bc930c
- SHA1
  
  989b8ebfddb6be08af8c05d125cc52307f5ccfd5
- SHA256
  
  0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9
- SHA512
  
  e6c73d0b9d8dd8799193de423d2bd02dfbaea092292c3db80939479dbd85e6254985e0190e755c0a4abdf56cacc3f18dcac9c78052738dbb597a6517f29013b5
- SSDEEP
  
  12288:OMr0y90poZ86/f/VGQhOtInLrYkBWu372tumlxJFRw+O4burEqhjP7Fy:6yOMnkQgenHYkBWuLWvw2ur9Z74
Score

10^/10

healer redline virad dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776
- Size
  
  598KB
- MD5
  
  746ccb0a7421cb80e3a7a4bb3d11c266
- SHA1
  
  695061caa785833506535476e784d53a79f2b9cb
- SHA256
  
  17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776
- SHA512
  
  169a0e4cf0c4ca17e479c595494add7326f647d06944c8e5c29eff0ce267a3cd18154f1bbb56f59297a03d9efc87c156a147f842d8fcdc6b4efde4a0bcab298d
- SSDEEP
  
  12288:uMrYy906un5B6oTeRNKHPWbOc12l/7DMcSwKCNYhh+ZPmvXzamDCKpsS4bo:myeB6oTebsRU2wCU+F0WYCKpqo
Score

10^/10

mystic evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b
- Size
  
  632KB
- MD5
  
  8ea60cfcbddf1b7448d201f4556c7a20
- SHA1
  
  d1ecb779d9b7a916c627c143646b17f8332ae03b
- SHA256
  
  3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b
- SHA512
  
  589bbb1c61d27b82897d7b20246b7dc436b349e849157cd49b4dfc3aecf4917c04ae2a5bb5346c03532585b02e332a840f42f675002ee2fbf27df50dcbfe8cbc
- SSDEEP
  
  12288:NMr0y90D2sd8jFNudzpwt4gelVvENE1CL3hErv1AP9:ZyycqZimXKE1CNEL1AP9
Score

10^/10

mystic redline jokes infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3
- Size
  
  746KB
- MD5
  
  0f8508d9978491f6d3a929d927921ede
- SHA1
  
  719fff86d85f89b1880351d7f4f63be966154074
- SHA256
  
  3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3
- SHA512
  
  a85485e8770ab2ceed8eb5a25112f3822d48c756afa8063834f3c32f3d7c75a5e468cd2adb8da5c0dbd83657040f858bc545889c065e93c9701814a65b180aa0
- SSDEEP
  
  12288:dMrly90S1AJyflj4NMT1PloI8MoV9u8PzwTLjZ:QyhAk9jJ1PlRP5ekfZ
Score

10^/10

mystic redline frant evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5
- Size
  
  555KB
- MD5
  
  87a1d0af4685f78fd81e98a65bfd5230
- SHA1
  
  10a9b837e575b7cf043c1d7701f49ac5261e386c
- SHA256
  
  37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5
- SHA512
  
  a406492fcf0a39d9d536ed2aff82eba7b7336728b5df8d1b83fd71f500c560a1253889ec96175017ce5bca02b89b536210720b664f18c26d1d44105a42fb45d7
- SSDEEP
  
  12288:nMryy90QSz/Fi0ZQMEI1yMQHbnRa+bPYvBTJBu8rGyFb:1yb47CU0HbRFjYNXb
Score

10^/10

mystic redline virad infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8
- Size
  
  696KB
- MD5
  
  27879b73babd965386e6ea971cd0c265
- SHA1
  
  af275d236ac0898858ae954208d4731e10e6cc0c
- SHA256
  
  3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8
- SHA512
  
  2c885e48b4c553cc50d7f917dc54e9fbd8ee3cdd8c1f30bbce4c5af0a07e5e96d03e28aee3143b6dc6b28950ed03222d7fcb7dc5c1893eaaea6039103881e8b3
- SSDEEP
  
  12288:bMrjy9099lSqc8ni531abDD7za10HlrdMvY112w7JQcVIfGQWsCDDm:Uyg9Iq3i53g40Hvus7mcVIvfCPm
Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a
- Size
  
  1.2MB
- MD5
  
  8baab3511bf3a99728edaba28284cd3c
- SHA1
  
  b935a0b20f20e0f296f67fec1e2aa1c57d9eda09
- SHA256
  
  3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a
- SHA512
  
  0ac0e6eedb7d6db2f1c383f74d8fcb32829ab7446025670905caf2ceb95bd089fc21e95aa8f00b37c29815c0fc49fbbcad3b9774633d1cffc9dc7ccf57b20b8d
- SSDEEP
  
  24576:3y9ILra17CLHayHuMfvmkZOgEopve3fN2o78WXgzCkB6:C9ky7CLRHuMfvmKHpvkV2lkIZB
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7
- Target
  
  3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8
- Size
  
  884KB
- MD5
  
  aee5889d7a6e3bb9b8e7d8989b2b4bdd
- SHA1
  
  12567494309369bb902bf4d13f66a6c57ff6149d
- SHA256
  
  3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8
- SHA512
  
  2e85c20244c3a51c762076fedcacb87c32af1702da61c1db00889736781c64eaaf03dc44dd9f6219155886bf899a90f17db1ee49ef29c6b035f4b1d5dc6f316c
- SSDEEP
  
  24576:Yya3DjTupxvL1Y8/4+oT0NHxlU7ppd0dm:fa3DjTup5e8g30ofk
Score

10^/10

mystic redline gigant infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd
- Size
  
  459KB
- MD5
  
  c71d4dd80ac8735935cb38cd6a88f63c
- SHA1
  
  f5184d6ea3c45ddf32c88100add62f6967ffc760
- SHA256
  
  5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd
- SHA512
  
  633872b337c98d3b9851d5661fa821962f378c7eafcf10cdfb9128c71cb6ab9511ebbdee3acf5ea4ecffb42a2996c6e29f9c6ceba31b71156ec82246b41b03a0
- SSDEEP
  
  6144:gfDhrbDPM4jjdpvIN8fp7z5BAOQwbTaJTZeOY23bE4Z40BOkj/OM5/QjC0X:gfDRDPjjb/+aaRx3b9Z7BOkj2MtQjbX
Score

10^/10

redline magia infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4
- Size
  
  696KB
- MD5
  
  0f62f896edf7c0f7b0eacc881f7feceb
- SHA1
  
  cb193fb660821253e53576b87a73ad66826ebf4d
- SHA256
  
  5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4
- SHA512
  
  0f178a9db103b9edef4ef7f52b0ca300afd5b176efb7128b26e0bc3c1b40228ccf0b169d7f5bcfe6c9da142e309bfa7531326268a99283f135128f861f572403
- SSDEEP
  
  12288:OMrmy909zxhmrLQJOidPaabXD7zz1PHlrdMKF102w7qmFMpTBybonpn+fC:My+zKrLw7PnBPHvT67qmyltz
Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5
- Size
  
  662KB
- MD5
  
  f13e775f414cc1ea88e79547d7f96311
- SHA1
  
  7bbcb6619cdd75734924bacc47c033e9fff787d8
- SHA256
  
  61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5
- SHA512
  
  b52cdca41d7279155917d0fca1ba4f7b155d2003fd7fff17dd1114828bedac186f870b01a7b77ad284d04e2b92bb46d6f89b1a7ed828fd9aaa395bca78ac2f7b
- SSDEEP
  
  12288:5MrQy90o19a0tahJoYcAzDQzhl1fBdoRorFVxx9PqEZ/8fISb8bgChvMnGLGQMVI:5y/NojoYcAfQzhtmReFlphSb8bhvMGlZ
Score

10^/10

mystic redline virad infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral12
- Target
  
  64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36
- Size
  
  271KB
- MD5
  
  4ad462c2955d05dcddb69f4ca8d8b504
- SHA1
  
  fce5d821b79e9c448664c694e12661d73819e46a
- SHA256
  
  64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36
- SHA512
  
  fc96ff0c391a66600703ef957ca9d1a9e4b126b3a001e12e8c9f40ae363a5a8c473899ed8a929edb9268e23aa342284d80abeab64b3340ac3b655943331d3624
- SSDEEP
  
  6144:Kwy+bnr+rp0yN90QEyd3Y9nR/kYbFXoUzciEQtRv8:UMrPy90Ido9nR5F/zcStRv8
Score

10^/10

mystic redline virad infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49
- Size
  
  662KB
- MD5
  
  e26f2e8ea56b980e5f02ef404d34d67f
- SHA1
  
  ed2bb5bd36fd1d41d3f5212859f8500a83655459
- SHA256
  
  7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49
- SHA512
  
  7eb822186d7569ace7f013cdb773c959110c22793f50f15295ae953fa97d5119fe8301966bf725cac5efa6279951d3c6714376d8068648ddc06dc98a0a0fa387
- SSDEEP
  
  12288:MMrQy90VfuDBn/pbAhnEO8XO1adjxEhg0maYNCApdR7NCGB:syKuDBn/5JXYKiOVaYNCApdRIGB
Score

10^/10

mystic redline virad infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral14
- Target
  
  7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e
- Size
  
  640KB
- MD5
  
  45232eeafc041f4392d43ff89aa99465
- SHA1
  
  1ed7227336f31558c8c6b1be8c5a50bde622ad36
- SHA256
  
  7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e
- SHA512
  
  35873d313709d05b382afc8659f54b6631388cbc1e5b9b1c65eeec961c396fbb9afa6c8f1a429c1f217d96ea042a6bb67c74aa18e49eeedc3b09360c3d21af91
- SSDEEP
  
  12288:oMrUy90Mxu2w9HDNHaPLLPNvbGB8IAxwhTNc9XeX9:MyXMx6PLLPNjGB8vYTNrN
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce
- Size
  
  1.2MB
- MD5
  
  af9935a5730feb37c4978612c4edf672
- SHA1
  
  372775e1dd875989d6a340045c4751b3a8240daa
- SHA256
  
  825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce
- SHA512
  
  37a5cd9dd4ad956c4de847584d414c7025fba4bcefcf55745df352674a911d58f7dcdf24caee628a71efd9878dc5c387d1c45f34246032fe939cfa809e47261f
- SSDEEP
  
  24576:iy8cCiOZdnMRXmt+VyAxtnrPo+DzCfo336ABzS0fe+T6TqciV:JEMIt0zrQWv6A1P6mci
Score

10^/10

mystic redline gigant infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral16
- Target
  
  9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2
- Size
  
  234KB
- MD5
  
  2dfe4d2812a48ddbf22392cc3a90970b
- SHA1
  
  4f1b63d32b90a492f98673c94646a42a6e853ac6
- SHA256
  
  9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2
- SHA512
  
  8b30e6f60dc809e9411dd14439766ec61da1ce41170a987c6c917abfe8df3985d8d6870672b38e72c10317e178e032fdc94f1f36bc4c48cc79938ae9d7c9b6da
- SSDEEP
  
  3072:KBy+bnr+O1H5GWp1icKAArDZz4N9GhbkrNEk1E6D5dMOt7WQqwuoFoX:KBy+bnr+Ap0yN90QENzDQqwS
Score

10^/10

amadey healer 88c8bb dropper evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral17
- Target
  
  a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92
- Size
  
  879KB
- MD5
  
  7a5928cb075392ea164a53fdd5b3afd0
- SHA1
  
  2f29f7ea3d22abe93dcbe754afd698abff05bede
- SHA256
  
  a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92
- SHA512
  
  fef6e2d27d5bee66733ca4aad9115e3117f85d6d7e2f9c82cd9b41e1e0a63d8be04155931c06dcb556e6612ab675e135fc580c09d21e0f08820ff0173878dd26
- SSDEEP
  
  12288:DMroy90mBIeotMtXS+V3ROZtmWy0jZlcQyuTSWN/4zhr+Dn2h8iDFobRhjin:zylDiI3RLWN/6Jin25DGbRdin
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral18
- Target
  
  e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e
- Size
  
  560KB
- MD5
  
  e33cdbc5e331ebac127457d9f86cc333
- SHA1
  
  e68a3a2e09be0b07c15a393d85dde5c60a470f83
- SHA256
  
  e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e
- SHA512
  
  e2749e074ad8c94569a8e235d93afadd9cccea987846cf21c2884ffafd7b67636f40eae5fd2776b347deaf0d18d0265813751118f4d27897337fbb40264cfe80
- SSDEEP
  
  12288:wMrWy90a5klj6cFrzDnDi/w1rbChP+xqaQJk4Uy:2y7uocxu/wBChP+vQJkby
Score

10^/10

mystic redline virad infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral19
- Target
  
  eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b
- Size
  
  884KB
- MD5
  
  a2acde444a301a3c84598b3fb8c6c4da
- SHA1
  
  cadafcf1e96bac636ff9d5da45cc79b62864aa0f
- SHA256
  
  eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b
- SHA512
  
  9242447c31e6be528f2fa050f18aa607428e49d2b572cd797adbf43f38dced96c5ca16fd6b0581b17fc0a9406199e481faa99150cb9e646578672561bf00285f
- SSDEEP
  
  12288:fMr/y90MTkylNO613IvNm1n3Or+tJYiF/ZvpP1A8Q27IOS9HHMAd:gyndU61D1n3Or+XBZJ1A897PS9HsAd
Score

10^/10

mystic redline gigant infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b
- Size
  
  632KB
- MD5
  
  d08c8cb40ccb8a4d4ed7085f0fcac3e5
- SHA1
  
  2475d4395f39cbc5a9937537078fe78bca37248b
- SHA256
  
  f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b
- SHA512
  
  fafa3c5059b04bded85ac86a46c1dfdcbc2e7c781d573248e5e7008d6e5a751eeb4764244cc8aa0d76a59adf21fa8837e8c8a8f195d835674866d22039097cf3
- SSDEEP
  
  12288:4MrZy90XTnuGCUTLvPQdsFfPay8HC7UZTcsCJ+53D//Uw94d6Yqlrf8eCSXT:ByCHx/XQ0fPa67UVcDJ+53L/Uw94d2lj
Score

10^/10

mystic redline jokes infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

SmokeLoader

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

RedLine

RedLine payload

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

SmokeLoader

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext