General

  • Target

    r.zip

  • Size

    11.9MB

  • Sample

    240523-vjydpaaa49

  • MD5

    91e1672af1ddcdfbed7c993eaf0fa764

  • SHA1

    9419e82364259b910659a50df6634c91fe522360

  • SHA256

    1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

  • SHA512

    4fb51fac7ad2a7ff807297eefa971494a433edd21d89e7f1cd2fec1154a4dff878e2213db24d3d22ae645e850f6c2b1f6cb9aedac40fc6aa4ac8211f4d9e22fd

  • SSDEEP

    196608:i/aCEyPnwF0tZQSDK+/7I2xOtEdO6LdynlEeKtI3nLKSXmJ1aNm6:iAhkhQ2UtENsaeK6bCaN/

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes
  • auth_value

    fb7b36b70ae30fb2b72f789037350cdb

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

vasha

C2

77.91.124.82:19071

Attributes
  • auth_value

    42fc61786274daca54d589b85a2c1954

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes
  • auth_value

    c62fa04aa45f5b78f62d2c21fcbefdec

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071
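
The seven extracted configs above resolve to only two C2 endpoints: virad, jokes, vasha and buben all use 77.91.124.82:19071, while lutyr, frant and gigant use 77.91.124.55:19071, and the last three carry no auth_value. The Python below is an added example, not part of the sandbox report and not RedLine's own code: it parses "Extracted" blocks in the label/value layout this page uses into config records, indexes the C2s by botnet, and runs the result over a Zeek conn.log excerpt. The conn.log rows (hosts, uids, timestamps) are constructed, the excerpt covers two of the seven blocks, and the "medium" tier for traffic to a C2 host on a different port is an assumed heuristic, since operators rotate ports more readily than hosts.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class RedLineConfig:
    family: str
    botnet: str
    c2: str               # "ip:port" exactly as the report prints it
    auth_value: str = ""  # empty where the report shows no Attributes block

# Two of the seven "Extracted" blocks above, in the page's own label/value
# layout with the blank lines dropped (the parser skips blank lines anyway).
REPORT_EXCERPT = """
Extracted
Family
redline
Botnet
virad
C2
77.91.124.82:19071
Attributes
  • auth_value
    434dd63619ca8bbf10125913fb40ca28
Extracted
Family
redline
Botnet
lutyr
C2
77.91.124.55:19071
"""

# Report label -> field name. "Attributes" is only a header, so it is not listed.
FIELD_LABELS = {"Family": "family", "Botnet": "botnet", "C2": "c2", "• auth_value": "auth_value"}

def parse_configs(text: str) -> list[RedLineConfig]:
    """One record per 'Extracted' block; each label line is followed by its value line."""
    configs, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":
            if current:
                configs.append(RedLineConfig(**current))
            current, pending = {}, None
        elif line in FIELD_LABELS:
            pending = FIELD_LABELS[line]
        elif pending is not None and current is not None:
            current[pending] = line
            pending = None
    if current:
        configs.append(RedLineConfig(**current))
    return configs

def c2_index(configs: list[RedLineConfig]) -> dict[str, set[str]]:
    # Map each C2 "ip:port" to the botnet names configured to use it.
    index: dict[str, set[str]] = defaultdict(set)
    for cfg in configs:
        index[cfg.c2].add(cfg.botnet)
    return dict(index)

@dataclass
class Hit:
    ts: str
    src: str
    dst: str          # responder ip:port actually contacted
    confidence: str   # "high": exact ip:port match; "medium": same host, other port (assumed heuristic)
    botnets: set[str]

def match_conn_log(conn_log: str, configs: list[RedLineConfig]) -> list[Hit]:
    """Flag Zeek conn.log rows whose responder matches an extracted C2."""
    exact = c2_index(configs)
    by_host: dict[str, set[str]] = defaultdict(set)
    for c2, botnets in exact.items():
        by_host[c2.rsplit(":", 1)[0]] |= botnets
    fields: list[str] = []
    hits: list[Hit] = []
    for line in conn_log.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the "#fields" token
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            dst = f"{rec['id.resp_h']}:{rec['id.resp_p']}"
            if dst in exact:
                hits.append(Hit(rec["ts"], rec["id.orig_h"], dst, "high", exact[dst]))
            elif rec["id.resp_h"] in by_host:
                hits.append(Hit(rec["ts"], rec["id.orig_h"], dst, "medium", by_host[rec["id.resp_h"]]))
    return hits

# Constructed Zeek conn.log excerpt (standard field names, tab-separated); the
# hosts, uids and timestamps are made up, not traffic from the sandbox run.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1716465600.000000\tCk1\t10.0.0.15\t49712\t77.91.124.82\t19071\ttcp",
    "1716465601.000000\tCk2\t10.0.0.15\t49713\t8.8.8.8\t53\tudp",
    "1716465602.000000\tCk3\t10.0.0.22\t49801\t77.91.124.55\t443\ttcp",
    "1716465603.000000\tCk4\t10.0.0.22\t49802\t77.91.124.55\t19071\ttcp",
])
```

Feeding all seven blocks from the page through parse_configs gives a c2_index with four botnets on 77.91.124.82:19071 and three on 77.91.124.55:19071, which is what makes the "medium" host-only match worth keeping: a single C2 host serves several builds, so a port change alone is a weak reason to trust the traffic. Use the Hit list as a lead for triage, not as a verdict; the exact ip:port matches are the ones to escalate first.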

Targets

    • Target

      01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54

    • Size

      662KB

    • MD5

      13100505f9688c1c91f93a58863d205c

    • SHA1

      0548ed9abfeee7127fa3d0c4968ccdd72c618b17

    • SHA256

      01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54

    • SHA512

      3bb4e21e179cccc6edb49230ad41679dc307d0c42f294bb6f229da731457c4b7dc908175677e3c41b76e1d51a47f6ed8d0cdf62ba35eb005b6778df038fea7ed

    • SSDEEP

      12288:MMrWy907H3UGXCjqvR7gRizYrqlY/4cDarMZcKWKdFjZE1OA:ayEHE4CjqvpMpyMFWKdM0A

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798

    • Size

      991KB

    • MD5

      be582c12844f5f5dddd1d613957799da

    • SHA1

      74dade2c7e5ac082f6942497e78608a33610af0a

    • SHA256

      1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798

    • SHA512

      233eba01255605cf18bf64cfea8b100758f615b6506f80de2aff7c4047ec2e5fd3487eae04cfbe00f796d8cf2c8b7c8c98b2187a54b2bf756c6103bd8eedffd0

    • SSDEEP

      24576:pyuRmIEimkREuj6PmXXXmemqY++LKGoq+h:cu9h0uj6WHmegYGoq+

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      SmokeLoader is a modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b

    • Size

      1.2MB

    • MD5

      b81cd3142a789eca2228e02e2a31229c

    • SHA1

      6673628188e3aaa5cc5e3a0fd20cd472a85f237f

    • SHA256

      1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b

    • SHA512

      1b8855f6be99ade9f5d34a9bc69ba574a77957f397cd5015958eea3508e485934c1092aefebdf012b5671570c7fff8b0056b3325b56d0392abc55581599bb19c

    • SSDEEP

      24576:tyg79ARUhCAlCegO5Q+wvF36AFIVjtftkIKVHXKT+w:Ik9ARmwOqjF36N/Nri

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3

    • Size

      488KB

    • MD5

      b4456f54d46a916c787fee11c2735e5e

    • SHA1

      3386c3cc568dd8a18630c83d0290a291ba4d4768

    • SHA256

      2754139a8485fbf1b2e0b164393e54175366ed15e96929b58676edf2271759f3

    • SHA512

      d89d7cc89c1cdc5c3c57cc88ed1703debdd71c8dbfe54f88969e7c9d779e4b63b69dbf920da74d6ea25026a26eacd5366898a14a9a68f0b82aaf68cd89450d89

    • SSDEEP

      12288:6MrMy90Ra4LuBX9x408STlV23wI0wosCZa:Sy1hX9eSL2AI0hsCZa

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      27bb9fb2c486b6d1b245b9d1a80523ce3a661b3d9eb71a8772747a0cc4a12223

    • Size

      662KB

    • MD5

      550d6c9a76a063cdea263f9e44040e91

    • SHA1

      54d122af56e4d6fb09862bf03336e41dc57600be

    • SHA256

      27bb9fb2c486b6d1b245b9d1a80523ce3a661b3d9eb71a8772747a0cc4a12223

    • SHA512

      3cb8554906ee1cfd43b426d557594665fd661c8299719c077e12a18747b86f5a74b867751d7e1c9ece13cf9b2f548b0ef4e25018f56144db24b3236c06acc19d

    • SSDEEP

      12288:3MrUy909SFjJjwVZca4uMJNe4++YO5704Y69JRwfvSAvbno:LyeSFWV6a4rDXW6dwiAvs

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      3303790f7ca29df0e39764e876baec5513b2ca1cc3ffeed56f9fc006a9eaec90

    • Size

      493KB

    • MD5

      eae83c8fc8b81895b7ac50e11704d42f

    • SHA1

      89739814fbd5a39670511e0e77c7d84087a470e7

    • SHA256

      3303790f7ca29df0e39764e876baec5513b2ca1cc3ffeed56f9fc006a9eaec90

    • SHA512

      b2b7f4247624a031f4d41ab4b30081c312c56b8fd06d5d8a43fb5a2f62951ef12032e46ff379111e65831d61965be372d93e6528dfbde35b05ed718ed2857115

    • SSDEEP

      12288:mMryy90YqoqNqfSJX4/KlfAgmlP8/ADHSB87:oy6oKZo/KlE84TSi7

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3a221e425a7f8509a077d01514feaf49038631122b838d94a6d08c5d6d8812c4

    • Size

      884KB

    • MD5

      ab4c5993b5744021c0489c4e5d3accd4

    • SHA1

      13038a7ad4c10c2e02ed0e82983bb2dd28f22a91

    • SHA256

      3a221e425a7f8509a077d01514feaf49038631122b838d94a6d08c5d6d8812c4

    • SHA512

      5f5fd4a8eae176832623523338118e3b35cd7e8c39ebc08b45759c490c3caed0cd1d27560901ddbef8e83d4bac4bfdd90ae5ce3749ee3d02198a9587ddb50ba6

    • SSDEEP

      12288:QMr7y90Fsivbbfy07EL0Btjpi/R+nOliMW9iWinBP3g/eNMYUcUIFyVWwk/fD:7yeHDb6Q9i/R+h79/0Bvlmaj

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac

    • Size

      313KB

    • MD5

      e89494e3d4ef96cd08fcbe2993ca8af8

    • SHA1

      31605254987bc7afbba573536c1792129c29d33e

    • SHA256

      3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac

    • SHA512

      68d689b9343292fe90a4a8481cbc5b667b38d2a8866dd5fd0bcd8ba229839a29cfd88a491eae8a1f7a4139d08ed661310c4759f929faa7cb703eb40a0cc9ecfa

    • SSDEEP

      6144:KEy+bnr+Zp0yN90QE+H5qdPcf3zdighcv6YSt9IfM5+P:EMrFy90y58GtS0rYP

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5d2993b3c14eb3f833d52e4874f37ee17b3eeb5d75594bb31700eeb723ec95f9

    • Size

      452KB

    • MD5

      39526e106dbda09d8e555a0ff20f30d0

    • SHA1

      a91b8cf366ff6fb255556160147aca84a2531ec8

    • SHA256

      5d2993b3c14eb3f833d52e4874f37ee17b3eeb5d75594bb31700eeb723ec95f9

    • SHA512

      ecabf935ad68fa4ff5a0791092d34f356850dec9c893f3f22c0c443353cec50aecf12a9957f4951d3f32c5362541a4a1dd87c90c6d81573cd9ab6baf84d9aca1

    • SSDEEP

      12288:fMrsy906un5B6oTqaKjD7Lh1SsmrdMZ71c2w7F:LySB6oTsPSs2Uo7F

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260

    • Size

      271KB

    • MD5

      ff2aeb042bcd4a78ad38c3a8b8b52663

    • SHA1

      9d792ac5d0197e75d2d3a447fe09c6ef9b6844d9

    • SHA256

      6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260

    • SHA512

      49b5794c2919c707b0aaff299db25b1ec67fcda710283605dda2987289002b6197bfabb8be218349050d361a39f504a8a6123bbb186e7abbe5dc95bb2826773b

    • SSDEEP

      6144:KSy+bnr+jp0yN90QEgd3Y9nG/kYihMT3xKr:yMrby90Gdo9nGqMzIr

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      75392ef3c6b89b32827d4060efcb3c6f7495a869fddbe8fa01cc45a2e79a06af

    • Size

      266KB

    • MD5

      83daa5d688932115aab97aede1f2bb9e

    • SHA1

      acff1c0b6b0c27bb9719251f3cdba86d2ba57d07

    • SHA256

      75392ef3c6b89b32827d4060efcb3c6f7495a869fddbe8fa01cc45a2e79a06af

    • SHA512

      be24d19634c86c8d77ebc058247d038f5a4e4838ce5d958ad625976955163a32d24223cc4ae1f91aa27749b85db3bdfc12722e09dfcdba98d917737b5aae2b63

    • SSDEEP

      6144:K2y+bnr+Xp0yN90QEIvJHOu20NhVm1YtONyS43i:KMrry906vJuuvNPm+t8ySN

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      79920d9e9cb9d0d34dea9a437201a5436392c8af727314332ebf8e3e0f45a588

    • Size

      649KB

    • MD5

      2917f39014ba3a0e8e686ef68abf591b

    • SHA1

      fa2cce397304267efc3adf4fad5de282666f0382

    • SHA256

      79920d9e9cb9d0d34dea9a437201a5436392c8af727314332ebf8e3e0f45a588

    • SHA512

      02c83b5db0933a1041bb09417bfbfac7184bdf7ab9431a131758d7f10c6592ab7422f2761c0a6c60279786bb13c5c4aded52f0767cf40e6efb14b20abbad229b

    • SSDEEP

      12288:yMrny90yN98tmrgjStMHu3JdoVNR0y5LQpZ77BL3UOfajJw5T8/:dyp8GcaMO3JmVDU77l3laq5w/

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684

    • Size

      627KB

    • MD5

      36e91b40e20a163ac286b11ebfce0012

    • SHA1

      4e9e67d22c5aa447c866960759aafd13587d4888

    • SHA256

      a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684

    • SHA512

      0b47ebc5b49c00554f1b1cb395176b7f49ee902ed019dcd6256b07db760931d668d729ac1a4d43086b745205dd2e45167ead2aadb584845858769f51aad2c630

    • SSDEEP

      12288:qMriy90sni1MRJb5Vxc4sSz0w1eOuUN7X4W6ugUXwkP+/Nw4j9hxW8GwBheOdx3x:0yMkJHrsSIwEOuUNiugUXwkaNwM9hk8v

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b0d808b1dd08c984f7606f4b339e130b91813e728fdf49bb361e421666de7feb

    • Size

      324KB

    • MD5

      5131d28e276833de5aa55e178e6f4e42

    • SHA1

      548839ad6802c0d916624e7742b7fbd0aa20409d

    • SHA256

      b0d808b1dd08c984f7606f4b339e130b91813e728fdf49bb361e421666de7feb

    • SHA512

      d8388a0b929adc320a5e16e6cf30e239dafb89d30f26d19fd6baae46259d5175742bf0cdd089b1118d628b3203bc23fe378489f4bbb134ab3aa3617775f9b08e

    • SSDEEP

      6144:KMy+bnr+op0yN90QEGWh18/ChgSJkT0rVo/dioAuagXgzrcY8:MMrEy90g2186vk4BK39ZQvcY8

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b12350798c654ae949a005844c65ef16d136ad08598227c8041fe8bb48e6dcbd

    • Size

      465KB

    • MD5

      5c67808b656205321897724516b25c6a

    • SHA1

      3e940a5fea71a3c510eabaebfc346b6cede331f8

    • SHA256

      b12350798c654ae949a005844c65ef16d136ad08598227c8041fe8bb48e6dcbd

    • SHA512

      656aa047c084f5b81903ee4ef2e8e87c0d557218fefd4c84e9e2aecffba9a7147a89a97b5f954e24dd07643749ea63c04ae4c326baa1298e7d0a635c44a0c8c7

    • SSDEEP

      12288:YMrOy90fn0NKjKQhHA1SFyw64y2DTM+q4:WyPoK4gm64y200

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3

    • Size

      657KB

    • MD5

      4ca1ea735e9998270a86f8053fc38e42

    • SHA1

      1d72eb587bb77853daf9b6a186debcd515d207cd

    • SHA256

      e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3

    • SHA512

      1cb1f727a9a9d16e684aa60e9834b42da72327d2a767955fe37f8511ecac8ecc6e100a5eb3e1e7c8891dc6e309d7ad223cfb86f5e221bd0baad1a16fb8b4438f

    • SSDEEP

      12288:nMrmy90laJQJdJOMY3QrBPBT0odoug0bHAYxCf/EligsQiY:RyBCfJOMYWBPB7muVbgYxCDY

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3

    • Size

      662KB

    • MD5

      6980000f944887fce276684c7c66bb01

    • SHA1

      06f4e14cdb875469c215c71254463165c1b6eba5

    • SHA256

      ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3

    • SHA512

      1ba6a235f6caee47200cd99aa3952b76dae9f5024e1349e2fcc0310ce8eed2eec495435e245535542d100dac69962517accec22e3f1893eee3889cc0520cf052

    • SSDEEP

      12288:WMruy90fRdPF1+2uJQbMt2mSXrYxZIEjxzIDAUZFAIVvyBWp/cRGEnXox:syEPPP8t2NeZVGbZFnVT/cU7

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532

    • Size

      632KB

    • MD5

      70cde4431c748a02ed9e6ed7ea19498f

    • SHA1

      cb0638996cea6fcf6830f09b0936d92629d8b8f8

    • SHA256

      f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532

    • SHA512

      5115a25020d2c5ccc8595eddaeb7df9f3df85bbe04ffc9b3ef7a5699d07fe2c124ca7d31eb1a956c6deb306b980a5921131f341547d1bae58f2d641c1a4fe06e

    • SSDEEP

      12288:2Mrvy90AJpi54h/bwTz8z0fyx+3BYkL53D6QhpkNdITaYdom8r2vgZWZri:JyDJceb4AIfyxS+YywTGmRkEi

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      fb618de176f20e02e8f9667fd9ce9737e7d541243fbb879127b2f1728ea15019

    • Size

      649KB

    • MD5

      8f5a80f4aee9459c4c228b1efcf8dc0d

    • SHA1

      dfc8371c59dac97dd00bff885bee72003807d1dc

    • SHA256

      fb618de176f20e02e8f9667fd9ce9737e7d541243fbb879127b2f1728ea15019

    • SHA512

      88e2ec8d299fe08f773045259a378cf776382fd56e989fdc8ddb5113327aa15b8c4b88c1d15b31a8d42530e366412d34e98e8a5cd106310cdd4abb24b8bcb324

    • SSDEEP

      12288:wMrzy90UAJ0lQk/aDACA0ZuFHmci4roooSdZH+k4FvbKSoggLB1PUNcO:Ty4D8a830cFzrlXdZek4FdNgLB1cl

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820

    • Size

      1.6MB

    • MD5

      a2298690a5e88cedce3ecba10e3bc84f

    • SHA1

      801ceb0094c01b732486d8948ecdff9c745f0013

    • SHA256

      fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820

    • SHA512

      debb36a3933475d4d51ffcb2e7f8ca3adbdb7c441119c641119e095332ccfb758393478f733e1decb6c95835f0b3698bd1e274c8ee869205bd06fe7fd1bbdc7f

    • SSDEEP

      24576:8y7oLYEudNUYC+j0M/mTmfSrIAhUaSaiKpAOcBsIxnKLaOboUZ0PP+f:rMLYdd5j34mf8UNaicAOGt3O8UaX

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry gives the technique, its ID and the hit count the report shows for it; sub-techniques are nested under their parent.

Persistence

  • Boot or Logon Autostart Execution (T1547): 20
    • Registry Run Keys / Startup Folder (T1547.001): 20
  • Create or Modify System Process (T1543): 8
    • Windows Service (T1543.003): 8

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 20
    • Registry Run Keys / Startup Folder (T1547.001): 20
  • Create or Modify System Process (T1543): 8
    • Windows Service (T1543.003): 8

Defense Evasion

  • Modify Registry (T1112): 30
  • Impair Defenses (T1562): 10
    • Disable or Modify Tools (T1562.001): 10

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1
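
The signatures "Adds Run key to start application" and "Modifies Windows Defender Real-time Protection settings" in the Targets section are what the matrix above counts under T1547.001 and T1562.001. As an added example, not code from the sandbox or from the signatures it ran, the Python below shows one way to catch both on an endpoint from Sysmon Event ID 13 (RegistryEvent: value set) records. The event records are constructed and the process paths are placeholders; the severity rule, which ranks Run entries that point into user-writable directories above those under Program Files, is an assumption drawn from the "Executes dropped EXE" plus "Adds Run key" pattern the report shows, not a rule the page states.

```python
from __future__ import annotations
import json
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records as JSON lines,
# the shape a log forwarder typically emits. Synthetic, not events from the
# sandbox run above; the process and file paths are placeholders.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\dropped.exe", "TargetObject": "HKU\\S-1-5-21-1-1-1-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", "Details": "C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe"}
{"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\dropped.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray", "Details": "\"C:\\Program Files\\Vendor\\tray.exe\""}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BITS\\Start", "Details": "DWORD (0x00000002)"}
{"EventID": 13, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"}
"""

# T1547.001: any value written under a Run/RunOnce key (HKLM or a user hive).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# T1562.001: a Defender "Disable*" real-time protection value switched on (set to 1).
DEFENDER_DISABLE = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.IGNORECASE)
DWORD_ONE = re.compile(r"DWORD \(0x0*1\)", re.IGNORECASE)
# Assumed severity heuristic: Run entries pointing into user-writable directories
# match the "Executes dropped EXE" + "Adds Run key" pattern; vendor installers
# under Program Files also add Run keys, so those rank low rather than being dropped.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

@dataclass
class Finding:
    technique: str
    severity: str
    image: str
    target: str
    details: str

def classify(event: dict) -> Finding | None:
    """Return a Finding for a registry-set event that matches either rule, else None."""
    if event.get("EventID") != 13:
        return None
    image, target, details = event.get("Image", ""), event.get("TargetObject", ""), event.get("Details", "")
    if RUN_KEY.search(target):
        severity = "high" if USER_WRITABLE.search(details) else "low"
        return Finding("T1547.001", severity, image, target, details)
    if DEFENDER_DISABLE.search(target) and DWORD_ONE.fullmatch(details):
        return Finding("T1562.001", "high", image, target, details)
    return None

def scan(jsonl: str) -> list[Finding]:
    """Run classify() over every non-empty JSON line and keep the matches."""
    findings: list[Finding] = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding is not None:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique} [{f.severity}] {f.image} -> {f.target} = {f.details}")
```

Two of the five constructed events are deliberately benign lookalikes: a service Start value change and Defender writing DisableRealtimeMonitoring back to 0. Both fall through, which is the check worth keeping when tuning this kind of rule, since a match on the key path alone would page on Defender's own housekeeping.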

Tasks

  • static1: score 3/10
  • behavioral1: score 10/10; tags mystic, redline, virad, infostealer, persistence, stealer
  • behavioral2: score 10/10; tags mystic, redline, smokeloader, frant, backdoor, evasion, infostealer, persistence, stealer, trojan
  • behavioral3: score 10/10; tags mystic, redline, gigant, infostealer, persistence, stealer
  • behavioral4: score 10/10; tags healer, redline, virad, dropper, evasion, infostealer, persistence, trojan
  • behavioral5: score 10/10; tags mystic, redline, virad, infostealer, persistence, stealer
  • behavioral6: score 10/10; tags healer, redline, virad, dropper, evasion, infostealer, persistence, trojan
  • behavioral7: score 10/10; tags mystic, redline, gigant, infostealer, persistence, stealer
  • behavioral8: score 10/10; tags healer, redline, virad, dropper, evasion, infostealer, persistence, trojan
  • behavioral9: score 10/10; tags mystic, evasion, persistence, stealer, trojan
  • behavioral10: score 10/10; tags mystic, redline, virad, infostealer, persistence, stealer
  • behavioral11: score 10/10; tags healer, redline, jokes, dropper, evasion, infostealer, persistence, trojan
  • behavioral12: score 10/10; tags mystic, redline, virad, infostealer, persistence, stealer
  • behavioral13: score 10/10; tags mystic, redline, lutyr, infostealer, persistence, stealer
  • behavioral14: score 10/10; tags healer, redline, vasha, dropper, evasion, infostealer, persistence, trojan
  • behavioral15: score 10/10; tags healer, redline, buben, dropper, evasion, infostealer, persistence, trojan
  • behavioral16: score 10/10; tags mystic, redline, virad, infostealer, persistence, stealer
  • behavioral17: score 10/10; tags mystic, redline, virad, infostealer, persistence, stealer
  • behavioral18: score 10/10; tags mystic, redline, jokes, infostealer, persistence, stealer
  • behavioral19: score 10/10; tags mystic, redline, virad, infostealer, persistence, stealer
  • behavioral20: score 10/10; tags mystic, redline, gigant, infostealer, persistence, stealer