General

  • Target

    r.zip

  • Size

    15.6MB

  • Sample

    240523-v6sfysaf8w

  • MD5

    eab96a3d7adec4f1fd1e48d28f9e9636

  • SHA1

    f785f0b3872ec4fca8772c13c8dc5d1dd9ad759d

  • SHA256

    a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

  • SHA512

    95156b3f44925b6e35cfc4d07d8aabbbe20813bf378bedc0939486ff71f5e3e31cfc8e314ba34bf4425356827b89a0903d8f2ff3392f9dd55241cc6f2d7ccf19

  • SSDEEP

    393216:FkY/eXAVn4TjlQOEnePNw9BsaO6AHtXtxp7K:FtWXAVUyMPO9+aL4tRK

Malware Config

Extracted

Family

redline

Botnet

nowa

C2

77.91.124.49:19073

Attributes
  • auth_value

    6bc6b0617aa32bcd971aef4a2cf49647

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes
  • auth_value

    c13814867cde8193679cd0cad2d774be

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

  • rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

C2

http://77.91.68.78

Attributes
  • install_dir

    cb378487cf

  • install_file

    legota.exe

  • strings_key

    f3785cbeef2013b6724eed349fd316ba

  • url_paths

    /help/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

maxik

C2

77.91.124.156:19071

Attributes
  • auth_value

    a7714e1bc167c67e3fc8f9e368352269

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes
  • auth_value

    3197576965d9513f115338c233015b40

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes
  • auth_value

    a94cd9e01643e1945b296c28a2f28707

Extracted

Family

redline

Botnet

5728088920

C2

https://pastebin.com/raw/NgsUAPya

Targets

    • Target

      2ae72cafa8f21759370b4609f21d845fbedad29052bfdacb21408b021b7ef6de

    • Size

      312KB

    • MD5

      41798ee0cf926c8d9b6e2b8a5cf52b66

    • SHA1

      c778cf3a3cb8d8736065dab99230129589712f5e

    • SHA256

      2ae72cafa8f21759370b4609f21d845fbedad29052bfdacb21408b021b7ef6de

    • SHA512

      80c77a4da07fd7be8cf489d88556a537443b761b57acbe65a2bbcd6f56795213c0bf7de21543a01678f322604e5753ece01f57b00da98cb85630ad734a7e778a

    • SSDEEP

      6144:KTy+bnr+Pp0yN90QE97yJXm/9giavC1OlG3KoBsdFeOjjpcVhPbE:1MrHy903W69g9x83KwsmOjjpcVhPA

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe

    • Size

      731KB

    • MD5

      77d27efd5c42bfed4fbc15af6461b04f

    • SHA1

      1d8e3d0bb2e1560257ddfca9cbf1d92de7722c2c

    • SHA256

      2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe

    • SHA512

      68a474f4021be855e74d8bf6c8e45b3d64480964a7ae2f3a559fd859988ccfd6f322cb94e7a0f9a4f8e49faa0bbc8a9c79fb774562b585e5cf010127f3fc42d9

    • SSDEEP

      12288:VMrRy909oJomjcs/4c7SDjZCjqEP9ylQSbY5dJJ9Hd+FwPCHMnY:8yhbcsgc744q+QlMdJJ9db2

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d

    • Size

      1.2MB

    • MD5

      afec0a32010542d6eef2c43f978d401b

    • SHA1

      a0024019ef66f21995cbc6957c32fcfde507a951

    • SHA256

      5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d

    • SHA512

      e005ddcb3b276dcf635ae96423f6d78b86bfe06febba57f3cb9fba0fc31f11002e9c20a1ae02e5c2bf6129cd08fa95f02c7c3db8608888b57aff802f57256d63

    • SSDEEP

      24576:PyerYcveCuhO4DWmHJKjEZmmU4r+De38aPD/dLvJJXOMdJ:a4JvzeWmHJKA08rfsqFvJvd

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      65296f468099ebcd60c98ae5a6f7f005a227427a05eda0790e32e2f0c0061d95

    • Size

      332KB

    • MD5

      7309fca9a6af6decce73c4243a826af5

    • SHA1

      4567ebd86d7c877db55588520569c8b23ddc9ac0

    • SHA256

      65296f468099ebcd60c98ae5a6f7f005a227427a05eda0790e32e2f0c0061d95

    • SHA512

      312d47fc63601fde26ccc563c3a3999528f9ef19d75a63b91be38d45e4ad77302fd31593bdccd25aa8bdc6e915e6de820c1b1914c0d0be249ffcfa160e73272f

    • SSDEEP

      6144:K+v1KlJPEF7c4i/93KJ7JN7Zi8A0GbkthVuP90EjKjrOjL7:oPEF7g4JO8AVk7VuFZWrOj

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907

    • Size

      272KB

    • MD5

      37f45e7cc0fd688aa2cb32a549382d90

    • SHA1

      c614ff464123a61ebe7c78f22dae2109b30be772

    • SHA256

      7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907

    • SHA512

      9c63e2f401ce2bded0f7f21d4cad2959cec78863ea007b9b92112633659938fc8f404a2fa07c88d7fd6e76645d0acb627914f34b1a36fc93e652cff67dc9b925

    • SSDEEP

      6144:KMy+bnr+ip0yN90QEEdTwoe7P0PF+BR4OjfARI/S:0MrWy902w9L0iR4usUS

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a

    • Size

      472KB

    • MD5

      d6c77aee19125bf471f8b1eb16909cb7

    • SHA1

      0abf3936ab48bba8059d076900ef8c23f9015429

    • SHA256

      8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a

    • SHA512

      88c00e5c2ea2c6157eb31d1b6cd38576760d17538554b948cdb7b24386dea01d6fd2c8e76a508e69e9b6cb76d0cbae8810837d2af5d69b753d03906b9be399db

    • SSDEEP

      12288:sMrcy901CrIPDjItm3uqFGxQx/p03gPZrteZ:4y3rIPDjuXqFGxQx/p1PfeZ

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4

    • Size

      1.2MB

    • MD5

      df37a77942e209ffd551ccbd8a891298

    • SHA1

      fdfdc4f2d1a99d36ec9094966b13b9d7f363e64b

    • SHA256

      8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4

    • SHA512

      2d38aacd910db9858c6c5209cdfd373257a9ad9bec99bb442cb9e6107b5c05f1407d19d7f6ec0938c495e69e199dd918aff1eb72f59abc5d2c2a58737c749ce6

    • SSDEEP

      24576:VyNl1Y8BGfhfMJ4tpDzfS7+JmYXd4EgielWg:wNlW8GZfxjfKBwJD

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96

    • Size

      884KB

    • MD5

      b76e5bb2b2bcb1c45f4732bae27648ce

    • SHA1

      582205cbe1ef05c525c49d762bf9d0138d2fabd9

    • SHA256

      aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96

    • SHA512

      b5df9d18ba2fd30ba47211d12d0dce5b79663415b4f67aca0faa27314ecadf9d573bb32d16f767408efe4c906890b8d240abdd415826ff5ec95d519708d01284

    • SSDEEP

      12288:1Mrpy90gle5LilXuWCqZmTn3/Q+O0MiAbc9ntk45+9Egioas4zo/:UypldtpUTn3/Q+HZtN5+992k/

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855

    • Size

      1.3MB

    • MD5

      7529bdfa5dbc18c1f73f6606e98b4e9b

    • SHA1

      a1523edacc0dc68672d5b912f6f8b41b2001efd1

    • SHA256

      bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855

    • SHA512

      3efa3ad436d23115d1affb20d5d73700bae8279dc173bfa33fbf59a18486592d8eac38308409ea061f4715c273511ebb1975297f32d7e889a2582adcda11557b

    • SSDEEP

      24576:aysk1sNnbCUxNG+VA/YgX/4vmG5BvPTDS63rPUEQ/WLcJP:hsk1sNbPxNHy/YC5UvPHBrJQ/M

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524

    • Size

      1.2MB

    • MD5

      3393509c6d5b05efe89878eb3fb3013c

    • SHA1

      1175b7a8c3a888e248fbf4d411e6e4f0c6542c1b

    • SHA256

      cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524

    • SHA512

      55ae1e3a88cd346e7152acd04d8ffdaaac70ed786e72b2851a8e7850d230f16fb976925a0e32ff886fe3b57b8c9032c1aea92fe2e869e92326b5fd67d7e0f445

    • SSDEEP

      24576:RynSsXBtQ8o6btYGpIUdyvEf8ItfpQ5SmbimdzOG:ESsXBtRo65pI2g+8ItERdS

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686

    • Size

      396KB

    • MD5

      e7d5f8175739a99197745f7d356e9f03

    • SHA1

      85e5e78ec7d4751ed9e445e6792d3d2535d98f73

    • SHA256

      d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686

    • SHA512

      c26a167ebbcbc8f512bda727eaf50c4053125749e756009f61295d654249241713e024d3f6fa3fa9d7fdc9fb0b1df1212a765ab528b64a05cd77648b6c5c6c25

    • SSDEEP

      6144:KGy+bnr+Fp0yN90QEukMJOlJbl/txy9ebMWv/i0OWRTlsgf3VwWxg/tA0FRVz1hL:GMrNy90s9JOn5qO7DxRGEFr6ZhEjfbO

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7

    • Size

      1.3MB

    • MD5

      0c51767548ed6965b9d3ccb2ba84cde1

    • SHA1

      000014edd0e804ddb4bd99aebb086efc76ac5a03

    • SHA256

      d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7

    • SHA512

      6d1695dd7859f54b6126544650421367b741330212068673402d9f971587ac27a9e9c721934decea3e4f7ebf9f8c6d43b123a2e12c6f7727b40f3d1575c76ba0

    • SSDEEP

      24576:uyiIDMKCYrzNfqjQXkOikMzAm4vtksKlet5XJzNtaIIcc52ig45Kx1I+B:9iIDMKFrJfqcXkOTMsmInUeXJ2IVigg9

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      d76483096202fb3172705ac386f325854d2d6409275d9bbde9e10e329832b2c8

    • Size

      769KB

    • MD5

      4f98b84064e02998c0704c24e4cdf335

    • SHA1

      eb839525ab5e8a2b57ca801780b7c4cf82022bd2

    • SHA256

      d76483096202fb3172705ac386f325854d2d6409275d9bbde9e10e329832b2c8

    • SHA512

      49d8501731a4409071d3d691b7d4fadbb636fa51e1ef4bf3e61d02190f75651eb8cd5a930b716d1cffd8bb883cee60e29d5c6409fca305644d679172878f6d2d

    • SSDEEP

      24576:/yO0MJVj1CUPrHUtQSXXSxbWg0MUyK+o90z:KHM31xr0tQSyZWQUH

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d9124df1a48c55317dd58c4ab328c969efa7a2d673ba2134c19648e01de841d1

    • Size

      390KB

    • MD5

      3af121030f860f8cdb00df0f76d33eee

    • SHA1

      d08b4343f323e65e7276951b6234b00b63b61fc1

    • SHA256

      d9124df1a48c55317dd58c4ab328c969efa7a2d673ba2134c19648e01de841d1

    • SHA512

      cd358c9c9fe57e9849d6180c324b05ee2a8d62feae2cfac7a80afb3661ae1a7d5d880095cdd35b50a6567d613506ffc78eb5455ae6d95f009cfa1637a118e1b9

    • SSDEEP

      6144:Kdy+bnr+Sp0yN90QEmyvzJ8b9UCTqnV1lS+yyMmmLrMZjWAuGGDPR8I:rMrey90B8b2xVTS+FzWVfRh

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad

    • Size

      928KB

    • MD5

      5f7d972246ac7b99d22559f422100798

    • SHA1

      2286717f0343e7d12dfba0f80f313678795fe5c3

    • SHA256

      e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad

    • SHA512

      6f17fa1e7cea506c16e897600ce4f5e91df27a2682525e7ed49261a9bf0f1d283c1fbb0b8a095e57ca033bbc478591e863280baaa01f25791562fbd619d4363c

    • SSDEEP

      24576:vykpjd/S0hNVQ/3erayK6tvfsnpBzX1rGhdC9sc9j1L:66R/RNVW3eBlknptRGhdWf9j1

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5

    • Size

      1.2MB

    • MD5

      dbf8c4938f5d91edbe1397152cd798e4

    • SHA1

      1504a1c541e719d2ee3632f75eda67df89dd2d6c

    • SHA256

      e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5

    • SHA512

      7517f63dfa3127e89db5a4bf65013112f3c25990349beae782ecc77b5d7a091c71866ad1e70832e50aead3259d7632b064d55b299fa0938de1e230ddb80a0c2d

    • SSDEEP

      24576:cyWfF+5tfwol4Y6uxAZNJTn8TH0SGujiVknqqIefUrobxH4g:Lu+51wit6uWNJM8ujrvffBxH4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e8a7f5f2b344eb468a91c59dbe8699a08d71f9b708a1134c8948cf194516594b

    • Size

      598KB

    • MD5

      f9305f8c01feede28b3af484efc7e885

    • SHA1

      c7c26d98b578f15ec3456bd76e5ba11ce8c9b5fc

    • SHA256

      e8a7f5f2b344eb468a91c59dbe8699a08d71f9b708a1134c8948cf194516594b

    • SHA512

      e6344b60223e82bcd52ae1635281e4494ff9fd1a7f95da0fd6bcc93463d7cd5c8bb9dfcabfde585906e26e401b1a76be00d799f5e21ce5281b988b5f6922cf35

    • SSDEEP

      12288:oMruy905un5B6oTfvVlCHP43ZdnjvNlPSKgZdv85uhzfjA:2ybB6oTfNlfpBjvNYjUuhg

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796

    • Size

      1.2MB

    • MD5

      ed974ae3de86c69a6f5c807463948ccb

    • SHA1

      769f8bd5816eed350070769627d06525f76f12f8

    • SHA256

      e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796

    • SHA512

      36e359c4e8003aa0cb67c86c9726672746d9f8183e8dc02a8d66f6c3368a9d395c04e381c5d1c2c51bdc6f7264dfb29e6736513c1538717218e2c4eef37a5708

    • SSDEEP

      24576:fyeUyRGbDVQC1PTwuV1ceIL7iVJp81sv7xl5of92:qouCCtTwuV1e7ibplCf

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      eb214d5f5806ec4617c2b7cde5e3a5beb5a3c254a391dee7605decfe13174bc6

    • Size

      272KB

    • MD5

      b85a6355f3e5fd26b8f3113ddbcab738

    • SHA1

      8684ff2b793ce7a85240e2046af07140ccb1c490

    • SHA256

      eb214d5f5806ec4617c2b7cde5e3a5beb5a3c254a391dee7605decfe13174bc6

    • SHA512

      bfe328c86534b147900f19b04744a039d90799a2cdeaf2b40ce0ba77ab471030b49d0829bff1fb3735032a6945834a901efd56530a98fa5e0b7e0f4c28a094a3

    • SSDEEP

      6144:KMy+bnr+ep0yN90QEzd3Y9nn/kYbc6DekZzxR3+tjF:4MrGy90tdo9nnrDekTR2F

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95

    • Size

      1.7MB

    • MD5

      88f98b925e9d4ae94d234ad54e3504dd

    • SHA1

      bff0cc91d6c961a3894f16f2577da501c3cea8db

    • SHA256

      edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95

    • SHA512

      4f87a4643cdd29b02a9521a0e40f8e856cba671bdec0bf73ba990cb462eff82b59ffa7e6256c126b4862851783edf2b346e0f77c2c163f26847a59944e4f0889

    • SSDEEP

      24576:PyOK+y3nec7jkb3FHoXlXfyvUSBD3QiCt1M9udFzT5Fbdz/n6cniPecd4gGMOG:ar+y3neoje1IBCjq3M0Pp/n6ctc4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • T1053 Scheduled Task/Job: 2

Persistence
  • T1547 Boot or Logon Autostart Execution: 19
  • T1547.001 Registry Run Keys / Startup Folder: 19
  • T1543 Create or Modify System Process: 6
  • T1543.003 Windows Service: 6
  • T1053 Scheduled Task/Job: 2

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution: 19
  • T1547.001 Registry Run Keys / Startup Folder: 19
  • T1543 Create or Modify System Process: 6
  • T1543.003 Windows Service: 6
  • T1053 Scheduled Task/Job: 2

Defense Evasion
  • T1112 Modify Registry: 27
  • T1562 Impair Defenses: 8
  • T1562.001 Disable or Modify Tools: 8

Discovery
  • T1012 Query Registry: 3
  • T1082 System Information Discovery: 4

Command and Control
  • T1102 Web Service: 1

Tasks

static1
  Score 3/10

behavioral1
  redline, nowa, infostealer, persistence
  Score 10/10

behavioral2
  healer, redline, ramon, dropper, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral3
  mystic, redline, gigant, infostealer, persistence, stealer
  Score 10/10

behavioral4
  Score 3/10

behavioral5
  redline, 5728088920, discovery, infostealer
  Score 10/10

behavioral6
  mystic, redline, moner, infostealer, persistence, stealer
  Score 10/10

behavioral7
  healer, redline, moner, dropper, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral8
  mystic, redline, gigant, infostealer, persistence, stealer
  Score 10/10

behavioral9
  mystic, redline, gigant, infostealer, persistence, stealer
  Score 10/10

behavioral10
  amadey, healer, mystic, redline, daf753, fb0fb8, trush, dropper, evasion, infostealer, persistence, stealer, trojan
  Score 10/10

behavioral11
  mystic, redline, lutyr, infostealer, persistence, stealer
  Score 10/10

behavioral12
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10

behavioral13
  mystic, redline, lutyr, infostealer, persistence, stealer
  Score 10/10

behavioral14
  healer, redline, virad, dropper, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral15
  amadey, healer, redline, 88c8bb, maxik, dropper, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral16
  mystic, redline, kendo, infostealer, persistence, stealer
  Score 10/10

behavioral17
  mystic, redline, lutyr, infostealer, persistence, stealer
  Score 10/10

behavioral18
  mystic, evasion, persistence, stealer, trojan
  Score 10/10

behavioral19
  mystic, redline, gigant, infostealer, persistence, stealer
  Score 10/10

behavioral20
  mystic, redline, moner, infostealer, persistence, stealer
  Score 10/10

behavioral21
  mystic, redline, lutyr, infostealer, persistence, stealer
  Score 10/10