Overview

overview

10

Static

static

3

0d17733c30...5d.exe

windows10-2004-x64

10

12afd6aace...a7.exe

windows10-2004-x64

10

1a9919325d...ce.exe

windows10-2004-x64

10

1b565f7ed3...1d.exe

windows10-2004-x64

10

2c58ee5805...6e.exe

windows10-2004-x64

10

33598ea86e...12.exe

windows10-2004-x64

10

4e5d421522...cb.exe

windows10-2004-x64

10

4ff3477e4f...b7.exe

windows10-2004-x64

10

6ee2a56c58...f5.exe

windows10-2004-x64

10

803bdeb4bc...3b.exe

windows10-2004-x64

10

82c26e730c...f6.exe

windows10-2004-x64

10

92d5779e2c...c1.exe

windows10-2004-x64

10

b0845c677f...61.exe

windows10-2004-x64

10

b82c1f093a...b3.exe

windows10-2004-x64

10

c52f1aa452...c1.exe

windows10-2004-x64

10

c7bf16d19a...5c.exe

windows10-2004-x64

10

d85805160c...b3.exe

windows10-2004-x64

10

e4e49b8568...6d.exe

windows10-2004-x64

10

e5ef76e6dd...ba.exe

windows10-2004-x64

10

fac8fce7e3...0e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    r.zip

  • Size

    13.9MB

  • Sample

    240523-vn5cssab42

  • MD5

    456c3546fe75990842ac29c0bfc4ea57

  • SHA1

    55d159e0b2c3824a9502eb6974a91d862690a528

  • SHA256

    5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

  • SHA512

    b18c969f684a7059f2ffb625ffd1375b508c30fb2ffa7aa056d9234d0f28ae455aadaf216b2dde98f2dcd14533e6c5fbf61bdc8a1203be78ef486ea22030ea32

  • SSDEEP

    196608:6vp10MXI5ZmXZtfsRpU7tgxG7rdawD7hLBLQQyVgRE+FUBQkHmsjQCm0xelcqfTl:6/ju8n0IicFD9LqGiQklECm0xCRrK1k

Score
10/10
healermysticredlinesmokeloaderfrantgigantjokeslutyrmonerviradbackdoordropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes
  • auth_value

    fb7b36b70ae30fb2b72f789037350cdb

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes
  • auth_value

    a94cd9e01643e1945b296c28a2f28707

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Targets

    • Target

      0d17733c3019d71570f413fb2cf93247ef44984d57c0d378e5853597b1efcc5d

    • Size

      769KB

    • MD5

      47b821a1e8276b20bd60053bf3fafda6

    • SHA1

      94125bdec51a0d41a1320061bad65a0d0c906100

    • SHA256

      0d17733c3019d71570f413fb2cf93247ef44984d57c0d378e5853597b1efcc5d

    • SHA512

      dc2bbe4eb7672a757425e5b47a6541cfc02c5f4c64f20654e57cba7a8fba2ec68c831e8cd084065373c3be1c72cae842f91ce43ed7a15eaf2b9ee2951ed462e7

    • SSDEEP

      12288:2Mrjy90hZu5CgHTvbqC3tSvwJYu+Oxxitk7DzpT/ir04gyJEL5BziITzRQ0lg:ty8ZHyzqGiwTitk7Dt6r049ELHH5QOg

    Score
    10/10
    healerredlineviraddropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7

    • Size

      747KB

    • MD5

      34d77e8b622d28f48bd184ef3c91df85

    • SHA1

      d60559183722c9fe5dfed24eb8203bf54bfdb405

    • SHA256

      12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7

    • SHA512

      19ea6bdb290b283d8c3d23cd5ebea3295c8182fcbf4d4da3f086a91fb1ed98955d1e2ee9ae90ccfa0aad3b0871aced16f1a3130a6b37a7576d41f44133bb8ffc

    • SSDEEP

      12288:bMrMy90zXi2rhvtabiPHBZjT9CFcJGNUJh7gvztpRxxMg4kASa:7yELfBR9CgYuMtpFMg4LZ

    Score
    10/10
    mysticredlinefrantevasioninfostealerpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce

    • Size

      649KB

    • MD5

      7897dce0ec3212cd7eecbda6398e6b13

    • SHA1

      428468b73988ef217d1651c7fa3106fcdc733f68

    • SHA256

      1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce

    • SHA512

      404eab7e914bafe2ee9a7f5e2c342888ead440e7791cca278ee2fd44fed1a7b81abffb5d68e3df8edc72e8d66640d36212e45ebf3060be86044b964bd94c109a

    • SSDEEP

      12288:OMrhy90ogYfURQidiOadxA//doAunUg8Y8oJ1ZTGme7TjPhrzMV:3yfgYf2QidiOM0/mA6LX5GVLhrzMV

    Score
    10/10
    mysticredlineviradinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d

    • Size

      658KB

    • MD5

      9fe44f8f66e8c285d022d74989629cfa

    • SHA1

      c54ea90ee09577e198354aee1c8ef1e2ffeaddee

    • SHA256

      1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d

    • SHA512

      df870280de60a3387ac188d17b496f5ab16b8b151fb97499165d7ae1d2af59beaa93bec5936c6dd31179ea3e7bc8a42a2a45471df6c1d1bd722742d98d27baae

    • SSDEEP

      12288:dMrMy90K4zuhOnbcMcmoBoUk4Ic11QCeguckH+IRCUmWwZT:JyXfPMcmoV9X1yCegw+IZwl

    Score
    10/10
    mysticredlineviradinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      2c58ee580588f3af770bfbe1f4b90e3f3abc1db0635b5db9df6dc396c7e7666e

    • Size

      821KB

    • MD5

      29c245665d7ec2a067b0efba9761203a

    • SHA1

      21bfecc123a349c6447b2bbaf54f2921015957b2

    • SHA256

      2c58ee580588f3af770bfbe1f4b90e3f3abc1db0635b5db9df6dc396c7e7666e

    • SHA512

      e57f8ba651b21143633b3e5390ef585ba8a91ea58913a426de90c34005a9c2970177232c8d95855f362b894defc774f7c488bff4338b9e44c9187fc0a0e9ea39

    • SSDEEP

      12288:+MrWy90INQR+nv0/sxkpOOw2mBwsMydNYrr2sLxpjNAtydm4bGjYbDD0iCeFr:YyjEvHneFjkjtd5RbfEeF

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral5

    • Target

      33598ea86e5fb6e4703678ac412886ef6b59161a6c845c900d25dda182afa112

    • Size

      676KB

    • MD5

      6ea43c8e5b1d3b17b6d2d71d0bd0cdec

    • SHA1

      5a6f7a99bc6a9840aa31451dafcd144ec3cc489d

    • SHA256

      33598ea86e5fb6e4703678ac412886ef6b59161a6c845c900d25dda182afa112

    • SHA512

      db8a7808792a78cb89a0b6242716716c41b2308689044217a61566d60c3dd46321084fd6bb0de4e6b18b407dfefb4fa9f4bf0579b8b8ce7447998a43b851c21e

    • SSDEEP

      12288:aMrry90cgmNkHi8m+nZ/82eM3keLcDriiD6b9RXLKZ6MpXg:lybgmNkHi8mMZ02eM3sD6HXm9Vg

    Score
    10/10
    mysticredlinelutyrinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb

    • Size

      272KB

    • MD5

      b377b3cf4944e110382a96968449d034

    • SHA1

      e38952501c935164ef7ef9c2fb33341936db56bb

    • SHA256

      4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb

    • SHA512

      b645b3690772419b94de5d2cc2910c415700f2ce2e0a7718b3db7d0c02513f9ea21309aef959dc263c6c2ff3b0937e20eaca1d32560ae22165382d44f91a0153

    • SSDEEP

      6144:Kay+bnr+4p0yN90QEZd3Y9nO/kYSyZWBCpeUcmOpmL:2Mr8y90Tdo9nOvkCFq6

    Score
    10/10
    mysticredlinemonerinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7

    • Size

      272KB

    • MD5

      879e06303a2636b4c3b88503f6cd952d

    • SHA1

      8b78f4c17f8dffb2228370cd0b529fa815938848

    • SHA256

      4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7

    • SHA512

      37322096ded08c4fc7caba304546f228af2046e166bd128107a12de4dad5bf2734470fec537df33b32e2d03cf656444ab383fb64b211e96dcec938d9ceadb95f

    • SSDEEP

      6144:KVy+bnr+gp0yN90QEvd3Y9nO/kYADFwomNsRjq1jGjg:PMrMy90Vdo9nOqDFwomNi4jGjg

    Score
    10/10
    mysticredlinemonerinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral8

    • Target

      6ee2a56c58d7b91b6debe8aed2285fcef3c3e50613fe3c8b6f7d5a94968b59f5

    • Size

      991KB

    • MD5

      6ef947676fa334d38379a2fda493b8a5

    • SHA1

      4ee6dcca6bbf609046e66bc82040246ae7c0250f

    • SHA256

      6ee2a56c58d7b91b6debe8aed2285fcef3c3e50613fe3c8b6f7d5a94968b59f5

    • SHA512

      2ec1e0e21e461c621a933476897e0bba7d635e6509f32bf0afd614fd37b0dfe76c2595b165fcb29954358a3a25b9ddb151e0d8e4e28ec8c2f638d55ce594e185

    • SSDEEP

      24576:SyMWu2HJLjK0CSP55myltVEu0v/ciz7dh:5E2HljCi55fFEu0v0k

    Score
    10/10
    mysticredlinesmokeloaderfrantbackdoorevasioninfostealerpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral9

    • Target

      803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b

    • Size

      1.0MB

    • MD5

      8ca2811ee4fae71a570298ebc6efcbac

    • SHA1

      475da0caa3e4b5931344c9a739c46513edbe0830

    • SHA256

      803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b

    • SHA512

      6e7925228aaf4175a3c7f1e33131fdbcec9cdd9f40408933e7e607e0d6557ce92905ffe6dd90f6b73aaa38b1e769ad2966aacb375f2c660a4f7842dc5e013621

    • SSDEEP

      24576:zyOWwfDsWJGoB1u5p+PTFRk6FLVwtfbk63KdXt01:GoiauTgFRkEQX3Gm

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      82c26e730c449cb8fa3b24eb4cad396dfb875eecd3ee1ccbb1d8fe29530d3ef6

    • Size

      1.2MB

    • MD5

      55cdd95fc367cdccba3cf9a83bb8676e

    • SHA1

      8ded20c3a09f0ebf77a6412e07b088f478a5b61c

    • SHA256

      82c26e730c449cb8fa3b24eb4cad396dfb875eecd3ee1ccbb1d8fe29530d3ef6

    • SHA512

      528acc8bcd165996bb7fdc3429c933f94cd9b8f8565df5bf54a331519241efac28938ed6b066938b94fac46dd71affd424b2ec225466675dae91778ce47d3caf

    • SSDEEP

      24576:gyd1h+cgcAt/V3DklK4IxQzHTV8XP3sWlHRUGJoK+oYMNyK:n5gr3QoLxQN0P8WxUzWN

    Score
    10/10
    mysticsmokeloaderbackdoorevasionpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral11

    • Target

      92d5779e2c52f5941931dde42396f724a8986970826adad853ad885da3caccc1

    • Size

      266KB

    • MD5

      92b109b60e7e409e768386150758814f

    • SHA1

      199d17111133687ceb174167c8162e04b9ff6a4c

    • SHA256

      92d5779e2c52f5941931dde42396f724a8986970826adad853ad885da3caccc1

    • SHA512

      19f721fdbf6f3bdb6eed738f1470b21e64781aed40f96fd754930bd0c757067c2ee9618a131fe85e3bde3f582018aab39df6c94a7b1f4b3ecf81b17982f392f4

    • SSDEEP

      6144:KIy+bnr+xp0yN90QE2Y3j+u6lkZh77lmNst3OnIpQP0HEbiqMx:MMr5y90d3j+u6lkj7lmmlqIpJHEGqMx

    Score
    10/10
    healerredlinejokesdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral12

    • Target

      b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061

    • Size

      631KB

    • MD5

      02a6385cadccaae01686ff068e1019e7

    • SHA1

      409d5af29477ee6436c37917b567ae4e10fad5c0

    • SHA256

      b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061

    • SHA512

      744b153ddf945f75399e44bbdce8a3cfc3b1af8050a9e667c503b705adc609db8db79603300c46bcdf6afa6b6a4b47a475b16cc57f7af0df78294d3732de7bcc

    • SSDEEP

      12288:YMrVy90ob0MnsCU2toDypXWVm218sXdx2gVQDOM/b+w:dyPogZqDy1WHP3VQDOMz3

    Score
    10/10
    mysticredlinejokesinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral13

    • Target

      b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3

    • Size

      662KB

    • MD5

      441dbfe6cff970ac7fd9fcb546cf25fd

    • SHA1

      ba15aa518bd0ca2cedb40ad34d6666ffd3140189

    • SHA256

      b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3

    • SHA512

      ffb290650d09bb84d4b26714900bf634946f2d59ee58d34a9cb0b0f7de60ad668c98051ff7a7525af783c66f9da2fcdc4f15d28235bddcbb9d4e115a060d209c

    • SSDEEP

      12288:3Mr7y90IDiZtPnBBH6pHM61eiSEmXrMf6DxqfSKZ8rUqwHHaUVHCA+6z:gyXDin8TSEm7Mf6Dxv9U5HjHCA3z

    Score
    10/10
    mysticredlinemonerinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral14

    • Target

      c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1

    • Size

      1.2MB

    • MD5

      ffe7a227d672738c32a358a57cec260a

    • SHA1

      510db6cee62d02c4c7c9dad24943bd3f750d7f93

    • SHA256

      c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1

    • SHA512

      5080a0d9e79b757d9892e672291f0124d852fda2be1305f26cebd6c8e1df7c9aeb03a1e76709980aa0c07542f6ba0f2249a1a859bf31d8060bb20635375b598a

    • SSDEEP

      24576:AyrJFM73gR6RI52yQFjnzwgLS/+wkc+Qv+hUbW5:HNFM70El0gLS+PQ5W

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral15

    • Target

      c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c

    • Size

      1.2MB

    • MD5

      dc9b74f110010f383b089951fffa25a6

    • SHA1

      64b60b766c56ceef8caeb825d984a3a1fee901aa

    • SHA256

      c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c

    • SHA512

      6e00b0e9c0451d9aad2715074ebb18a2000b62dca1846cfcbb2d6bb8a372ad97a6f0bb2f51fce43e97f977b7e70876e58133acd2c3fa4f62717c91bbd042ba33

    • SSDEEP

      24576:0yPClHm/RqsNjI8rN9OvEDOLRlb/3K1WRQIGMH2RVTecm+XRbvU:DKlG8sN9nC9NlbfKa1H2zJX9

    Score
    10/10
    mysticredlinelutyrinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral16

    • Target

      d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3

    • Size

      271KB

    • MD5

      3365ae14e21dd529bf5f2da0b58d4de7

    • SHA1

      acd8613b430a252cc8ebdd937f6563a2c8ae638b

    • SHA256

      d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3

    • SHA512

      0ea07e2bcd6b72c92f3323aca76b27d11005ef67211dd2a6836251ea9fc71b9ab04c0ceea0669354797a48a066c5cb43be0dbe3cab209a4303b4d64bce27eb3f

    • SSDEEP

      6144:KPy+bnr+op0yN90QEqd3Y9nl/kYFod56xg7w8+:pMrAy90Edo9nlcd9W

    Score
    10/10
    mysticredlineviradinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      e4e49b8568937c43bba5621fcfe9e3762efb9c4078b3287603ef249c522d126d

    • Size

      884KB

    • MD5

      1f64d4e95e750972b6ca8da2ca7f200e

    • SHA1

      095a309f4b1051dfd077467f53898401614dd5e8

    • SHA256

      e4e49b8568937c43bba5621fcfe9e3762efb9c4078b3287603ef249c522d126d

    • SHA512

      024e0f80fbdfd0c55b1ffdb782454dbfd5be9facb112fb0bc11c154a227b99a4d9ee512a17e899c58caf7227a4220b464cc4587e694e02675844cdbb5fb071de

    • SSDEEP

      12288:sMrZy90kiPcGG6NV0d9/E+x6diexj8ZEoubki62Cd2Y8QJS3B8s6v:dyLGGq0d9/E+Rw8ZEoubki6dLPS3DO

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral18

    • Target

      e5ef76e6dd861b064544fe5f0400d8d476e07d29a56f78d564dd2a73252e39ba

    • Size

      555KB

    • MD5

      ea43b1e59f0160ff70286c6aea7da9c1

    • SHA1

      009ea9a8840d10aec2489e2ffe070cb7b983f3c5

    • SHA256

      e5ef76e6dd861b064544fe5f0400d8d476e07d29a56f78d564dd2a73252e39ba

    • SHA512

      42b0a9438daa925b6e635966e96907eebbceb37f4aafa5e0efeaccf1b8f4baa48b454b8a884a2ad941f442ed48cfe7c324054355160218ab3cb4326c5fd11bf7

    • SSDEEP

      12288:nMrIy90dqDOSINkCQvCLFF7d8OII9tPcS7phJHa3:HypDmNkCK2pRd9tP7BHa3

    Score
    10/10
    mysticredlineviradinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral19

    • Target

      fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e

    • Size

      1.2MB

    • MD5

      3dd8f6854fef67699626058ab40d3f31

    • SHA1

      063567df515ff47d7ee1dbc5152aefe9024a6e8e

    • SHA256

      fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e

    • SHA512

      07679ffa6bcea79843d49525a079197b87aa2f9b531a19a72356da9e98516501a21f0aae1c848dc7875e37255c5ec2865ac44a71435e1d3e51b146689d7d60a1

    • SSDEEP

      24576:CyUq8WjMVqJf2oLszWLQ023zwJ16iiGwWeN3AikgMLpl4OxQa:pJjMVEf2FWM023zwncWeN3xA74+

    Score
    10/10
    mysticredlinelutyrinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral20

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Boot or Logon Autostart Execution

20
T1547

Registry Run Keys / Startup Folder

20
T1547.001

Privilege Escalation

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Boot or Logon Autostart Execution

20
T1547

Registry Run Keys / Startup Folder

20
T1547.001

Defense Evasion

Modify Registry

27
T1112

Impair Defenses

7
T1562

Disable or Modify Tools

7
T1562.001

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

Score
3/10

behavioral1

healerredlineviraddropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

mysticredlinefrantevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral3

mysticredlineviradinfostealerpersistencestealer
Score
10/10

behavioral4

mysticredlineviradinfostealerpersistencestealer
Score
10/10

behavioral5

mysticredlinegigantinfostealerpersistencestealer
Score
10/10

behavioral6

mysticredlinelutyrinfostealerpersistencestealer
Score
10/10

behavioral7

mysticredlinemonerinfostealerpersistencestealer
Score
10/10

behavioral8

mysticredlinemonerinfostealerpersistencestealer
Score
10/10

behavioral9

mysticredlinesmokeloaderfrantbackdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral10

mysticredlinegigantinfostealerpersistencestealer
Score
10/10

behavioral11

mysticsmokeloaderbackdoorevasionpersistencestealertrojan
Score
10/10

behavioral12

healerredlinejokesdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral13

mysticredlinejokesinfostealerpersistencestealer
Score
10/10

behavioral14

mysticredlinemonerinfostealerpersistencestealer
Score
10/10

behavioral15

mysticredlinegigantinfostealerpersistencestealer
Score
10/10

behavioral16

mysticredlinelutyrinfostealerpersistencestealer
Score
10/10

behavioral17

mysticredlineviradinfostealerpersistencestealer
Score
10/10

behavioral18

mysticredlinegigantinfostealerpersistencestealer
Score
10/10

behavioral19

mysticredlineviradinfostealerpersistencestealer
Score
10/10

behavioral20

mysticredlinelutyrinfostealerpersistencestealer
Score
10/10