General
Target: e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb
Size: 12.2MB
Sample: 240523-mta25sde5s
Score: 10/10
MD5: d51ffa5f570871197294fb76da72efd3
SHA1: 075b92bfe0590899b9331ad3bd20fd3a0364e992
SHA256: e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb
SHA512: 5abac019dc5601dfffec6f0d7ae360213a581b4678ddd95ec44aef3eb2ce58745f11d803c95bbac09f1b609023538d61210478ec5b213d3a5647a312ba2342ab
SSDEEP: 393216:QVsfWzXApUXf/3Z1Dxz3/he/Wh8dQtEDPpY:x+wpUXPV/8/WmDRY
Tasks
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: 0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe, win10v2004-20240508-en
- behavioral2: 14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562.exe, win10v2004-20240508-en
- behavioral3: 1c09c6faad1ede18216df88b9d359543df5caacf810175b5e245e3e775b6b9a0.exe, win7-20240221-en
- behavioral4: 1c09c6faad1ede18216df88b9d359543df5caacf810175b5e245e3e775b6b9a0.exe, win10v2004-20240508-en
- behavioral5: 1c8308039aad5dc9c98b1f72592672a2e272eb9b9a30430eeacea161036df416.exe, win7-20240508-en
- behavioral6: 1c8308039aad5dc9c98b1f72592672a2e272eb9b9a30430eeacea161036df416.exe, win10v2004-20240426-en
- behavioral7: 1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe, win10v2004-20240426-en
- behavioral8: 234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8.exe, win10v2004-20240426-en
- behavioral9: 410e72302dee0862e82d58671c8a130371c31bc22e8fb1bdd2afad927b1716e8.exe, win7-20240221-en
- behavioral10: 410e72302dee0862e82d58671c8a130371c31bc22e8fb1bdd2afad927b1716e8.exe, win10v2004-20240508-en
- behavioral11: 4431aa7413f5833360f953b5d26f7cceefeb1dfd20705856a7c02d106943048c.exe, win7-20240508-en
- behavioral12: 4431aa7413f5833360f953b5d26f7cceefeb1dfd20705856a7c02d106943048c.exe, win10v2004-20240426-en
- behavioral13: 68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe, win10v2004-20240508-en
- behavioral14: 812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27.exe, win10v2004-20240426-en
- behavioral15: 88a3f8285d7ffaf9af9229ede24a8f6e39be8a28dd9c981808b05c11aece8bab.exe, win10v2004-20240508-en
- behavioral16: 90fdeaf3f05a7aeef335002874bfb485026c1a161854698d5277269287138ba8.exe, win7-20240221-en
- behavioral17: 90fdeaf3f05a7aeef335002874bfb485026c1a161854698d5277269287138ba8.exe, win10v2004-20240508-en
- behavioral18: 9d92aedf9d3d83efd8e1d100f6dcbfc358fb8b26adeb6e51769c0e756d95b09d.exe, win7-20240508-en
- behavioral19: 9d92aedf9d3d83efd8e1d100f6dcbfc358fb8b26adeb6e51769c0e756d95b09d.exe, win10v2004-20240426-en
- behavioral20: 9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532.exe, win10v2004-20240426-en
- behavioral21: ac4e2e3d9de1b4a0639391f365147200e1175cbe0c399b62625a5fe2ff4acedd.exe, win7-20240221-en
- behavioral22: ac4e2e3d9de1b4a0639391f365147200e1175cbe0c399b62625a5fe2ff4acedd.exe, win10v2004-20240426-en
- behavioral23: b62483116d18fcce423634c2d593e9a4337f6e491ba99627ad7d7030d97546b6.exe, win10v2004-20240508-en
- behavioral24: c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exe, win10v2004-20240508-en
- behavioral25: cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f.exe, win10v2004-20240508-en
- behavioral26: dfe8591c80d0895e6a0ba6ab5324840b06b4acfdc0570bbc6eea97239314ef49.exe, win10v2004-20240508-en
- behavioral27: f5659ff4e2e2c4f553f6a9f59f406907a29545e4ca9d61810be718d9619a8dff.exe, win10v2004-20240426-en
Malware Config
Extracted configurations (family, then the values recovered from the sample):
- redline: kinza; 77.91.124.86:19084
- redline: 7001210066; https://pastebin.com/raw/NgsUAPya
- redline: 5195552529; https://pastebin.com/raw/NgsUAPya
- amadey: 3.87; 59b440; http://77.91.68.18 (install_dir: b40d11255d; install_file: saves.exe; strings_key: fa622dfc42544927a6471829ee1fa9fe; url_paths: /nice/index.php)
- redline: mrak; 77.91.124.82:19071 (auth_value: 7d9a335ab5dfd42d374867c96fe25302)
- redline: horda; 194.49.94.152:19053
- risepro: 194.49.94.152
- redline: 5637482599; https://pastebin.com/raw/NgsUAPya
- redline: kukish; 77.91.124.55:19071
- stealc
Targets

Target: 0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020
Size: 1.5MB
MD5: c8300b6950b7d72d3b59a352609e3c56
SHA1: 972cf57fe17290050684f2f291d866aacd7d2c54
SHA256: 0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020
SHA512: 5605a80e79c4926c3c72bc1aebd3b4065268cf66dbdc911c2f5413fdabecbb7c2fa372782b407270ab1d2fcbdc80180dcd546d273a4f914ed59bf3bca83055a1
SSDEEP: 24576:Ay8LugT4ZToAo074txPEcwbOHXJ0OyqGqBven4ZMbtxppZRvCII:H8L7T4JoAqtxCSZPFG8vHZWPVv
Score: 10/10
Signatures:
- Detect Mystic stealer payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562
Size: 653KB
MD5: 0bbb9c4f3aec16c989bc0ae674f2fdd7
SHA1: f4cb9ea6f447375dbb447888aae37951bd45437c
SHA256: 14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562
SHA512: b6569ab53a12d66f9e80c9e1b41856037bd5f3f0bc3b8dc03329f62e4927e92c5793fa8bab3bb0a8f77a802f29dee68d5d1ee578129e9d60904fe5a47de09344
SSDEEP: 12288:IMr2y90xBxqhIcmgPpOfTqogw/8s0lw8TRGXDJHN1fEuWD:eym8PcXcTRGzREuWD
Signatures:
- Detect Mystic stealer payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 1c09c6faad1ede18216df88b9d359543df5caacf810175b5e245e3e775b6b9a0
Size: 355KB
MD5: cdfa7c2a908819279534467811670643
SHA1: 11ff7ed5218c9eeec2f073aeabd553b193fda606
SHA256: 1c09c6faad1ede18216df88b9d359543df5caacf810175b5e245e3e775b6b9a0
SHA512: 3a9c72ee86ba39c90dba7309b11b1ac600eb48ef500373e5ac4251f1d662db68d87a02283f916a5f3598c4d1e73a8cfa49b52b3dbbe1219dc51f9a127f437ea0
SSDEEP: 6144:ZSuze0A9T1ApHSIZplkkWvWUfKQCqD2I2vrkIA0EPka6IjYbPD6up:ZTze0A95kkfxfR1DID+Iliup
Signatures:
- Detect Vidar Stealer
- Downloads MZ/PE file
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext

Target: 1c8308039aad5dc9c98b1f72592672a2e272eb9b9a30430eeacea161036df416
Size: 283KB
MD5: 79c65c0cfa7f533c3a5a79278c41d404
SHA1: a937f79708943750d91b1049bc7368533bb0e691
SHA256: 1c8308039aad5dc9c98b1f72592672a2e272eb9b9a30430eeacea161036df416
SHA512: f0c8ede0c6e1f70ab05974180b78f12009f55c6a9253dcc0ee265dfb0ee559c72618b3836a5269ac395e857c925c8df7152ff46ce89928c2495b84c0431e0c0b
SSDEEP: 6144:nCKGnw0IEvke47l6DItq03FXZ2LOBq1aKfuglUZrvYUyPAkl:nmnwlEkddVXZHZKfuBvYU+l
Score: 10/10
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext

Target: 1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d
Size: 657KB
MD5: e5378c7aa769f854c35881601795a469
SHA1: 432909c18905de39981e27c964001c5b4a6cffdf
SHA256: 1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d
SHA512: b7139f53ba8edd52293f4c6c0bf8920a67cbe9ab0288d7d651c44174a91d6a303966690471790e1db8a392540fa6b17a63533355ed7ebf7c48252632638d4019
SSDEEP: 12288:JMr4y90+oZ51RZwEqDEd5lrMeAj5RWQRYJ7w6orKSKLzaRUT:Ryy5bnqYdrMH7WQj6on2aRUT
Score: 10/10
Signatures:
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8
Size: 2.1MB
MD5: a77e48d4b1f511147e76c6854a361ecf
SHA1: 40823dd023bf7bbdc4d8c3ade4c7139eef242427
SHA256: 234b8aa95903dd65d6bf32c7efe25bae41ba8582db1a5693afbd14a22bc6d4d8
SHA512: f3fbe5ccd0d93664e10336a8ecbaf557facf36a9d51bf128809ba7c8b114dbf2a79df196c7d66956e1d8da2a925196f09e4fa5430598aa3a9ac9a88e68cd492e
SSDEEP: 49152:mOPB3/Eedafc5Dg6N/OudBJCMpLqvGKymvemc7Fc+XLMbE4uh9b:lZ3se8kegJjl7j7F/X99
Score: 10/10
Signatures:
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application

Target: 410e72302dee0862e82d58671c8a130371c31bc22e8fb1bdd2afad927b1716e8
Size: 265KB
MD5: ad98e1aeaa299bdb2621db119060b32d
SHA1: 77ab9d8e907f7745b9acf9f193ca59bdee47ac7c
SHA256: 410e72302dee0862e82d58671c8a130371c31bc22e8fb1bdd2afad927b1716e8
SHA512: 52a6eeba774bd755282bd7d465945288a8270d1dc1b8ec2734c1fdac90a681df8c0585fae38f54e466ffe822b670098e2c9efdfdfb1ab4669e47032f920b54a7
SSDEEP: 6144:PZrHgDcXDXO5TGgwAEQSFQD9zqiL07Sowa6up:PZHgDcCqFQDRxoBw/up
Score: 10/10
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext

Target: 4431aa7413f5833360f953b5d26f7cceefeb1dfd20705856a7c02d106943048c
Size: 265KB
MD5: e1476c92f1281ba69cabef1c7c9bb1cd
SHA1: 81c5c47061f07e9723d71aa4489bfea039959a08
SHA256: 4431aa7413f5833360f953b5d26f7cceefeb1dfd20705856a7c02d106943048c
SHA512: 8e9faac4b123c5ca518f773ae24a5b1013376863645524b55ed5b44bc2a005f7fb4c266d2ff1a29c1ac64ee135b5714ef98d4c34786a9c4765bbc4c3426bdc46
SSDEEP: 6144:3ZrHgDcXDXO5TGgwkOlqDJL0DVG03ahms6up:3ZHgDcBsNaVzq8Zup
Score: 10/10
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext

Target: 68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5
Size: 540KB
MD5: 3a43d1c96176e1bcf74d3c2263044759
SHA1: 9107fc9c7479bf1c4ddeffc52518583917603b95
SHA256: 68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5
SHA512: 74197247630636db39089573b49beb6daecef1834e9b4c69e7a7a560e3f7f0a8e3ab3fa591c6a4baaed4d397173c4b8e686daccd923482575ed90bdc582849f3
SSDEEP: 12288:cMrsy90R6ibrrpOS4kHIMBz9NMdgCOKoRF2ePk5:wyZibxOS44IaTCYJ+
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application

Target: 812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27
Size: 829KB
MD5: f9d1f262e72cc1b9b7e814dbdcc929cb
SHA1: 214d0685f60ef65b733722f3677ba255059f16d1
SHA256: 812ce70322ec6814a763ebe1e04731ab416e10201580d509b133509ad1ebcb27
SHA512: 7f2be6d8d4bf3d7f848c8b06c239428c8dfe3160686a66ff1ede13f9c834cbcf1c84db2d1dd02a12bea4586247ddfe605fcc956022ea12f3bf11e55ea7b3240d
SSDEEP: 12288:8MrGy90Mc6HGhgK/eguSNyEGXOTw4bFvzyyEXy5pkboFeVT00Fh6cWNrKIva:ayV3mhgOJwx+1bohX0YoOT00D6xNr0
Signatures:
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 88a3f8285d7ffaf9af9229ede24a8f6e39be8a28dd9c981808b05c11aece8bab
Size: 1.5MB
MD5: 51dc5e34d011caff999a1f9ee1549a4a
SHA1: f8cf9142d4e52a2f35ce87202cc95c71016dcf6f
SHA256: 88a3f8285d7ffaf9af9229ede24a8f6e39be8a28dd9c981808b05c11aece8bab
SHA512: f0986389d9aa09199f4ba6a1088a304df62b2d52c7a1c8e17f927fab92d31fdce3fe2c76d633d82c7a09dbda2653ac5d5e15314a89c8f1835c312127aca22c76
SSDEEP: 24576:aywkbZuL+gpeuXhFjOtq6wl5OupT6bwD1pih875p/o6s25fdizMKpfGAyRIC72R1:hwq0TLhZOtfwl5Ehop1Bq0SvlwOf
Score: 10/10
Signatures:
- Detect Mystic stealer payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 90fdeaf3f05a7aeef335002874bfb485026c1a161854698d5277269287138ba8
Size: 265KB
MD5: 3488879b7d10be344e1d119b32d8eecd
SHA1: a985ab2696c352d4dec0007be9318c559f88a7e4
SHA256: 90fdeaf3f05a7aeef335002874bfb485026c1a161854698d5277269287138ba8
SHA512: d162cd4b491418256a81e183384d5f62bae58c9d32e069d548e684b692a19a1a0098096f9df96e59132fa437402df7bd883eba9df809609151bebf5fb6c1a810
SSDEEP: 6144:SZrHgDcXDXO5TGMwSNJfL4RcMaFD8xg9H6up:SZHgDcoJf8Rc78g9aup
Score: 10/10
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext

Target: 9d92aedf9d3d83efd8e1d100f6dcbfc358fb8b26adeb6e51769c0e756d95b09d
Size: 265KB
MD5: 88519b82141f0f7181ffac8bd68286c2
SHA1: e3034195b63516e1a09280e7c17f5f0b491c5a43
SHA256: 9d92aedf9d3d83efd8e1d100f6dcbfc358fb8b26adeb6e51769c0e756d95b09d
SHA512: 3010c358660acad653ae98067616036f378f1717b460fb1ddfc6589d05cc3eb8dc47958a9556244f2eb94a879d5b68c8367ec2d3b789c8d260b6e6aceba88922
SSDEEP: 6144:ehTHgDcXDXO5TGuCPT/DYbi55VYs+6up:e5HgDcF/Us5Vup
Score: 10/10
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext

Target: 9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532
Size: 811KB
MD5: 95bdeb1476bbb614f7818a9e76912f8e
SHA1: 6b95e427cfc909ac45ed15f502ef049f45de7eab
SHA256: 9ff2fb6bb8d4c7395ec24382b3b06db1e89b1ac0e5ceaebaba03805cbaa21532
SHA512: 310cab4dce865db053ec15dad15633b156829344e4e3732dd38ec22becabf36595d5844617a5784d2bec0f47fa6feb2eb74a9d579026ebf3e0196fe8054fbabc
SSDEEP: 24576:/ycDe2gqMKKCblNlTUTjmCmSFF/07G9V:KyjgMKQDlT0mCM7G9
Signatures:
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: ac4e2e3d9de1b4a0639391f365147200e1175cbe0c399b62625a5fe2ff4acedd
Size: 332KB
MD5: cb661257b6cdb5d97486a5fac28137bf
SHA1: 0aa1d498d167cafc9c33bf357cde53587f888448
SHA256: ac4e2e3d9de1b4a0639391f365147200e1175cbe0c399b62625a5fe2ff4acedd
SHA512: bc0ad93c696e589bffd872619ced375f5ddc17a1499963cf160aceed9e3fd7e7c2768dbfc525b06e1bcf18af0fec036a28815eec137317dcbe5c41a6535908ba
SSDEEP: 6144:L+v9KlBPEF7c4i/93KJ7JN7Zi5Aep/BtGVe7wk9c9DRv:1PEF7g4Ju5pthkkGl
Score: 10/10
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext

Target: b62483116d18fcce423634c2d593e9a4337f6e491ba99627ad7d7030d97546b6
Size: 642KB
MD5: 4b28b510d24ff62495814bd03cd127dd
SHA1: 7b1886b629f47dfead2a7cc7fc86d741786ff51e
SHA256: b62483116d18fcce423634c2d593e9a4337f6e491ba99627ad7d7030d97546b6
SHA512: aad6de7433c9a68f6f8cc12566796fa5159d1345ee5d7d459cad671844e0fb138e22cc057e9ab4c6922c8dfefef5573f5d7a4b51a433461fc1659a12fb9cf88c
SSDEEP: 12288:/Mrey90Ly/P4XcjJ3RbQpARnGwLgIljsS4/tNfg8nApf0jh:lyhwoJRbQ2dGOlj94/Dg8M0t
Signatures:
- Detect Mystic stealer payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070
Size: 756KB
MD5: 4ef3c5ba8894158b3f0101b9512780c7
SHA1: 777a91e9ab90e77abc4dfef4a88eb3100ddb8a3e
SHA256: c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070
SHA512: 406bed536404945e076c2cf46961ab6a2992f369e2cf6e2d010eb09ae92edcd190db68416dc0c20d3fe5a3482c8133b86b72374d17384f902ee53d87c21ce4f7
SSDEEP: 12288:xMrwy90Tj5ffrOfwsAJ+s6DMeL6h0AY0FOCHhhdZweQfq4iee1Tvax:Ryi4Is7sTeL6h/Y23BXZwxfe2x
Score: 10/10
Signatures:
- Detect Mystic stealer payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f
Size: 668KB
MD5: 4cd9f4a51d4222f674cc44432ae8509c
SHA1: bf4548f30db9b5eac81fce9e0d693f7bc5b484ac
SHA256: cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f
SHA512: e36834e17fda3fbe45ca15b149b35940f7719dc10d7406d24e06be35ffe4c0613742eafb4f61d6120aff8d128d9fd5a759cf41ec5655e3508a47b0e4f4e4516f
SSDEEP: 12288:nMrty90KXqjPUic360qc6NxeFLAYjiSs06d+JcSeCg8ammGlVoOb11:iyd4Mqdc886jd+Hg8aU/L1
Signatures:
- Detect Mystic stealer payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: dfe8591c80d0895e6a0ba6ab5324840b06b4acfdc0570bbc6eea97239314ef49
Size: 376KB
MD5: 6b31ed5900fe7f56e0ac67e52701b02a
SHA1: 2f0f6453921a2e1fcd4201bec3ec8f219dcfd96d
SHA256: dfe8591c80d0895e6a0ba6ab5324840b06b4acfdc0570bbc6eea97239314ef49
SHA512: b6542081374cbf12d82b74898ca8f761a530e0f016c1602607b8d3a15c8582cf56948c05289d29bddd44feabea82d948f977ac9520baac0f4d32cfe987bbe369
SSDEEP: 6144:K1y+bnr+Jp0yN90QEgCVzy7tYdT/2MK1peUg2/RRQIt19gkrb9ICPaKE3zkEc:vMrty902oz0tYwfjg2/R6It/fEzkB
Score: 10/10
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application

Target: f5659ff4e2e2c4f553f6a9f59f406907a29545e4ca9d61810be718d9619a8dff
Size: 409KB
MD5: 528c55db5f8cbf3442a3729e685d9f0d
SHA1: ba7ed8fcf8e39667743f812d9c5fa1d82d025f26
SHA256: f5659ff4e2e2c4f553f6a9f59f406907a29545e4ca9d61810be718d9619a8dff
SHA512: 12c8b016e7b6ca2d357d2fc770ea72fdb195dce19357ec9acdc44fcfd5cd808474a88eef2c7ef39c93a468ddbddf371993d02c43175ea4546086ca4863751221
SSDEEP: 6144:Kry+bnr+Vp0yN90QEXnD5+uPpwDYJAQEf2vFn8wRVVl/DFLblDH/:9Mrhy90j+Mof2J8wP3FVDf
Score: 10/10
Signatures:
- Detect Mystic stealer payload
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15 (technique, count of matching signatures)
Persistence:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)