General

  • Target

    red.zip

  • Size

    12.5MB

  • Sample

    240523-t6l4hahc9x

  • MD5

    e4bd60cdb10b2ff64d5c0cf7502f822b

  • SHA1

    834f915acd430c73892ef034f26a9f75d04a81aa

  • SHA256

    4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

  • SHA512

    ae8a9f87900f7b5c3caf267bb295fccf26238ed87955c28867be418f12459ee15de416d91addb304cd52b8e6213c4d951d30230b4c802e4991cb8f7824264b44

  • SSDEEP

    393216:YJaKhV6K5Omb+4l9DpPmooWGoVPSxluAUdRfD5/07:Y0K52iLoAV6xQBM7

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Extracted

Family

redline

Botnet

magia

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes
  • auth_value

    fb7b36b70ae30fb2b72f789037350cdb

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Targets

    • Target

      0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9

    • Size

      769KB

    • MD5

      9a6f01b6a183cc8030ef109090bc930c

    • SHA1

      989b8ebfddb6be08af8c05d125cc52307f5ccfd5

    • SHA256

      0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9

    • SHA512

      e6c73d0b9d8dd8799193de423d2bd02dfbaea092292c3db80939479dbd85e6254985e0190e755c0a4abdf56cacc3f18dcac9c78052738dbb597a6517f29013b5

    • SSDEEP

      12288:OMr0y90poZ86/f/VGQhOtInLrYkBWu372tumlxJFRw+O4burEqhjP7Fy:6yOMnkQgenHYkBWuLWvw2ur9Z74

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776

    • Size

      598KB

    • MD5

      746ccb0a7421cb80e3a7a4bb3d11c266

    • SHA1

      695061caa785833506535476e784d53a79f2b9cb

    • SHA256

      17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776

    • SHA512

      169a0e4cf0c4ca17e479c595494add7326f647d06944c8e5c29eff0ce267a3cd18154f1bbb56f59297a03d9efc87c156a147f842d8fcdc6b4efde4a0bcab298d

    • SSDEEP

      12288:uMrYy906un5B6oTeRNKHPWbOc12l/7DMcSwKCNYhh+ZPmvXzamDCKpsS4bo:myeB6oTebsRU2wCU+F0WYCKpqo

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b

    • Size

      632KB

    • MD5

      8ea60cfcbddf1b7448d201f4556c7a20

    • SHA1

      d1ecb779d9b7a916c627c143646b17f8332ae03b

    • SHA256

      3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b

    • SHA512

      589bbb1c61d27b82897d7b20246b7dc436b349e849157cd49b4dfc3aecf4917c04ae2a5bb5346c03532585b02e332a840f42f675002ee2fbf27df50dcbfe8cbc

    • SSDEEP

      12288:NMr0y90D2sd8jFNudzpwt4gelVvENE1CL3hErv1AP9:ZyycqZimXKE1CNEL1AP9

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3

    • Size

      746KB

    • MD5

      0f8508d9978491f6d3a929d927921ede

    • SHA1

      719fff86d85f89b1880351d7f4f63be966154074

    • SHA256

      3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3

    • SHA512

      a85485e8770ab2ceed8eb5a25112f3822d48c756afa8063834f3c32f3d7c75a5e468cd2adb8da5c0dbd83657040f858bc545889c065e93c9701814a65b180aa0

    • SSDEEP

      12288:dMrly90S1AJyflj4NMT1PloI8MoV9u8PzwTLjZ:QyhAk9jJ1PlRP5ekfZ

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5

    • Size

      555KB

    • MD5

      87a1d0af4685f78fd81e98a65bfd5230

    • SHA1

      10a9b837e575b7cf043c1d7701f49ac5261e386c

    • SHA256

      37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5

    • SHA512

      a406492fcf0a39d9d536ed2aff82eba7b7336728b5df8d1b83fd71f500c560a1253889ec96175017ce5bca02b89b536210720b664f18c26d1d44105a42fb45d7

    • SSDEEP

      12288:nMryy90QSz/Fi0ZQMEI1yMQHbnRa+bPYvBTJBu8rGyFb:1yb47CU0HbRFjYNXb

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8

    • Size

      696KB

    • MD5

      27879b73babd965386e6ea971cd0c265

    • SHA1

      af275d236ac0898858ae954208d4731e10e6cc0c

    • SHA256

      3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8

    • SHA512

      2c885e48b4c553cc50d7f917dc54e9fbd8ee3cdd8c1f30bbce4c5af0a07e5e96d03e28aee3143b6dc6b28950ed03222d7fcb7dc5c1893eaaea6039103881e8b3

    • SSDEEP

      12288:bMrjy9099lSqc8ni531abDD7za10HlrdMvY112w7JQcVIfGQWsCDDm:Uyg9Iq3i53g40Hvus7mcVIvfCPm

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a

    • Size

      1.2MB

    • MD5

      8baab3511bf3a99728edaba28284cd3c

    • SHA1

      b935a0b20f20e0f296f67fec1e2aa1c57d9eda09

    • SHA256

      3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a

    • SHA512

      0ac0e6eedb7d6db2f1c383f74d8fcb32829ab7446025670905caf2ceb95bd089fc21e95aa8f00b37c29815c0fc49fbbcad3b9774633d1cffc9dc7ccf57b20b8d

    • SSDEEP

      24576:3y9ILra17CLHayHuMfvmkZOgEopve3fN2o78WXgzCkB6:C9ky7CLRHuMfvmKHpvkV2lkIZB

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8

    • Size

      884KB

    • MD5

      aee5889d7a6e3bb9b8e7d8989b2b4bdd

    • SHA1

      12567494309369bb902bf4d13f66a6c57ff6149d

    • SHA256

      3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8

    • SHA512

      2e85c20244c3a51c762076fedcacb87c32af1702da61c1db00889736781c64eaaf03dc44dd9f6219155886bf899a90f17db1ee49ef29c6b035f4b1d5dc6f316c

    • SSDEEP

      24576:Yya3DjTupxvL1Y8/4+oT0NHxlU7ppd0dm:fa3DjTup5e8g30ofk

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd

    • Size

      459KB

    • MD5

      c71d4dd80ac8735935cb38cd6a88f63c

    • SHA1

      f5184d6ea3c45ddf32c88100add62f6967ffc760

    • SHA256

      5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd

    • SHA512

      633872b337c98d3b9851d5661fa821962f378c7eafcf10cdfb9128c71cb6ab9511ebbdee3acf5ea4ecffb42a2996c6e29f9c6ceba31b71156ec82246b41b03a0

    • SSDEEP

      6144:gfDhrbDPM4jjdpvIN8fp7z5BAOQwbTaJTZeOY23bE4Z40BOkj/OM5/QjC0X:gfDRDPjjb/+aaRx3b9Z7BOkj2MtQjbX

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4

    • Size

      696KB

    • MD5

      0f62f896edf7c0f7b0eacc881f7feceb

    • SHA1

      cb193fb660821253e53576b87a73ad66826ebf4d

    • SHA256

      5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4

    • SHA512

      0f178a9db103b9edef4ef7f52b0ca300afd5b176efb7128b26e0bc3c1b40228ccf0b169d7f5bcfe6c9da142e309bfa7531326268a99283f135128f861f572403

    • SSDEEP

      12288:OMrmy909zxhmrLQJOidPaabXD7zz1PHlrdMKF102w7qmFMpTBybonpn+fC:My+zKrLw7PnBPHvT67qmyltz

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5

    • Size

      662KB

    • MD5

      f13e775f414cc1ea88e79547d7f96311

    • SHA1

      7bbcb6619cdd75734924bacc47c033e9fff787d8

    • SHA256

      61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5

    • SHA512

      b52cdca41d7279155917d0fca1ba4f7b155d2003fd7fff17dd1114828bedac186f870b01a7b77ad284d04e2b92bb46d6f89b1a7ed828fd9aaa395bca78ac2f7b

    • SSDEEP

      12288:5MrQy90o19a0tahJoYcAzDQzhl1fBdoRorFVxx9PqEZ/8fISb8bgChvMnGLGQMVI:5y/NojoYcAfQzhtmReFlphSb8bhvMGlZ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36

    • Size

      271KB

    • MD5

      4ad462c2955d05dcddb69f4ca8d8b504

    • SHA1

      fce5d821b79e9c448664c694e12661d73819e46a

    • SHA256

      64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36

    • SHA512

      fc96ff0c391a66600703ef957ca9d1a9e4b126b3a001e12e8c9f40ae363a5a8c473899ed8a929edb9268e23aa342284d80abeab64b3340ac3b655943331d3624

    • SSDEEP

      6144:Kwy+bnr+rp0yN90QEyd3Y9nR/kYbFXoUzciEQtRv8:UMrPy90Ido9nR5F/zcStRv8

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49

    • Size

      662KB

    • MD5

      e26f2e8ea56b980e5f02ef404d34d67f

    • SHA1

      ed2bb5bd36fd1d41d3f5212859f8500a83655459

    • SHA256

      7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49

    • SHA512

      7eb822186d7569ace7f013cdb773c959110c22793f50f15295ae953fa97d5119fe8301966bf725cac5efa6279951d3c6714376d8068648ddc06dc98a0a0fa387

    • SSDEEP

      12288:MMrQy90VfuDBn/pbAhnEO8XO1adjxEhg0maYNCApdR7NCGB:syKuDBn/5JXYKiOVaYNCApdRIGB

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e

    • Size

      640KB

    • MD5

      45232eeafc041f4392d43ff89aa99465

    • SHA1

      1ed7227336f31558c8c6b1be8c5a50bde622ad36

    • SHA256

      7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e

    • SHA512

      35873d313709d05b382afc8659f54b6631388cbc1e5b9b1c65eeec961c396fbb9afa6c8f1a429c1f217d96ea042a6bb67c74aa18e49eeedc3b09360c3d21af91

    • SSDEEP

      12288:oMrUy90Mxu2w9HDNHaPLLPNvbGB8IAxwhTNc9XeX9:MyXMx6PLLPNjGB8vYTNrN

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce

    • Size

      1.2MB

    • MD5

      af9935a5730feb37c4978612c4edf672

    • SHA1

      372775e1dd875989d6a340045c4751b3a8240daa

    • SHA256

      825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce

    • SHA512

      37a5cd9dd4ad956c4de847584d414c7025fba4bcefcf55745df352674a911d58f7dcdf24caee628a71efd9878dc5c387d1c45f34246032fe939cfa809e47261f

    • SSDEEP

      24576:iy8cCiOZdnMRXmt+VyAxtnrPo+DzCfo336ABzS0fe+T6TqciV:JEMIt0zrQWv6A1P6mci

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2

    • Size

      234KB

    • MD5

      2dfe4d2812a48ddbf22392cc3a90970b

    • SHA1

      4f1b63d32b90a492f98673c94646a42a6e853ac6

    • SHA256

      9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2

    • SHA512

      8b30e6f60dc809e9411dd14439766ec61da1ce41170a987c6c917abfe8df3985d8d6870672b38e72c10317e178e032fdc94f1f36bc4c48cc79938ae9d7c9b6da

    • SSDEEP

      3072:KBy+bnr+O1H5GWp1icKAArDZz4N9GhbkrNEk1E6D5dMOt7WQqwuoFoX:KBy+bnr+Ap0yN90QENzDQqwS

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92

    • Size

      879KB

    • MD5

      7a5928cb075392ea164a53fdd5b3afd0

    • SHA1

      2f29f7ea3d22abe93dcbe754afd698abff05bede

    • SHA256

      a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92

    • SHA512

      fef6e2d27d5bee66733ca4aad9115e3117f85d6d7e2f9c82cd9b41e1e0a63d8be04155931c06dcb556e6612ab675e135fc580c09d21e0f08820ff0173878dd26

    • SSDEEP

      12288:DMroy90mBIeotMtXS+V3ROZtmWy0jZlcQyuTSWN/4zhr+Dn2h8iDFobRhjin:zylDiI3RLWN/6Jin25DGbRdin

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e

    • Size

      560KB

    • MD5

      e33cdbc5e331ebac127457d9f86cc333

    • SHA1

      e68a3a2e09be0b07c15a393d85dde5c60a470f83

    • SHA256

      e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e

    • SHA512

      e2749e074ad8c94569a8e235d93afadd9cccea987846cf21c2884ffafd7b67636f40eae5fd2776b347deaf0d18d0265813751118f4d27897337fbb40264cfe80

    • SSDEEP

      12288:wMrWy90a5klj6cFrzDnDi/w1rbChP+xqaQJk4Uy:2y7uocxu/wBChP+vQJkby

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b

    • Size

      884KB

    • MD5

      a2acde444a301a3c84598b3fb8c6c4da

    • SHA1

      cadafcf1e96bac636ff9d5da45cc79b62864aa0f

    • SHA256

      eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b

    • SHA512

      9242447c31e6be528f2fa050f18aa607428e49d2b572cd797adbf43f38dced96c5ca16fd6b0581b17fc0a9406199e481faa99150cb9e646578672561bf00285f

    • SSDEEP

      12288:fMr/y90MTkylNO613IvNm1n3Or+tJYiF/ZvpP1A8Q27IOS9HHMAd:gyndU61D1n3Or+XBZJ1A897PS9HsAd

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b

    • Size

      632KB

    • MD5

      d08c8cb40ccb8a4d4ed7085f0fcac3e5

    • SHA1

      2475d4395f39cbc5a9937537078fe78bca37248b

    • SHA256

      f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b

    • SHA512

      fafa3c5059b04bded85ac86a46c1dfdcbc2e7c781d573248e5e7008d6e5a751eeb4764244cc8aa0d76a59adf21fa8837e8c8a8f195d835674866d22039097cf3

    • SSDEEP

      12288:4MrZy90XTnuGCUTLvPQdsFfPay8HC7UZTcsCJ+53D//Uw94d6Yqlrf8eCSXT:ByCHx/XQ0fPa67UVcDJ+53L/Uw94d2lj

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Execution
  • Scheduled Task/Job (T1053): 1

Persistence
  • Create or Modify System Process (T1543): 6
  • Windows Service (T1543.003): 6
  • Boot or Logon Autostart Execution (T1547): 19
  • Registry Run Keys / Startup Folder (T1547.001): 19
  • Scheduled Task/Job (T1053): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 6
  • Windows Service (T1543.003): 6
  • Boot or Logon Autostart Execution (T1547): 19
  • Registry Run Keys / Startup Folder (T1547.001): 19
  • Scheduled Task/Job (T1053): 1

Defense Evasion
  • Modify Registry (T1112): 30
  • Impair Defenses (T1562): 11
  • Disable or Modify Tools (T1562.001): 11

Discovery
  • Query Registry (T1012): 3
  • Peripheral Device Discovery (T1120): 2
  • System Information Discovery (T1082): 4

Tasks

static1
  • Score: 3/10

behavioral1
  • Tags: healer, redline, virad, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral2
  • Tags: mystic, evasion, persistence, stealer, trojan
  • Score: 10/10

behavioral3
  • Tags: mystic, redline, jokes, infostealer, persistence, stealer
  • Score: 10/10

behavioral4
  • Tags: mystic, redline, frant, evasion, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral5
  • Tags: mystic, redline, virad, infostealer, persistence, stealer
  • Score: 10/10

behavioral6
  • Tags: mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  • Score: 10/10

behavioral7
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10

behavioral8
  • Tags: mystic, redline, gigant, infostealer, persistence, stealer
  • Score: 10/10

behavioral9
  • Tags: redline, magia, infostealer
  • Score: 10/10

behavioral10
  • Tags: redline, magia, infostealer
  • Score: 10/10

behavioral11
  • Tags: mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  • Score: 10/10

behavioral12
  • Tags: mystic, redline, virad, infostealer, persistence, stealer
  • Score: 10/10

behavioral13
  • Tags: mystic, redline, virad, infostealer, persistence, stealer
  • Score: 10/10

behavioral14
  • Tags: mystic, redline, virad, infostealer, persistence, stealer
  • Score: 10/10

behavioral15
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10

behavioral16
  • Tags: mystic, redline, gigant, infostealer, persistence, stealer
  • Score: 10/10

behavioral17
  • Tags: amadey, healer, 88c8bb, dropper, evasion, persistence, trojan
  • Score: 10/10

behavioral18
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10

behavioral19
  • Tags: mystic, redline, virad, infostealer, persistence, stealer
  • Score: 10/10

behavioral20
  • Tags: mystic, redline, gigant, infostealer, persistence, stealer
  • Score: 10/10

behavioral21
  • Tags: mystic, redline, jokes, infostealer, persistence, stealer
  • Score: 10/10