General

  • Target

    r1.zip

  • Size

    13.3MB

  • Sample

    240523-vpp99saa9t

  • MD5

    03233f3783491a6a112feef15983ea8f

  • SHA1

    8a04ff6af51a6b8c50157644d8c5064ec8f962a7

  • SHA256

    176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

  • SHA512

    795e8156b122348c037f5dd77c4e33fab4d739455dec9e0517aefecbfaf36fc8a451003cdab6602d7929cd4b5ec411f3b56d3b37d5421073e03e5df177a3d530

  • SSDEEP

    393216:GUb+VyUAZMXEL4p0jyEZ7Thwv2pm98e37:YAZypPEZ72vRqe37

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes
  • auth_value

    c62fa04aa45f5b78f62d2c21fcbefdec

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

magia

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

larek

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Extracted

Family

mystic

C2

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071
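
The extracted configs above resolve to only a handful of distinct network endpoints: seven RedLine botnet IDs share two host:port pairs on the same port, Amadey uses an HTTP C2 with a known check-in path, and Mystic an HTTP C2 with no path given. The script below is an added example, not part of the report or of the sandbox tooling: it normalises those entries into unique indicators, records which family/botnet labels share each one, and emits one Suricata rule per indicator. The config values are transcribed from the page; the rule SIDs, the msg strings and the $HOME_NET variable are assumptions of the example.

```python
"""Turn the extracted configs in this report into network indicators and
Suricata rules.  Added example, not part of the report or of the sandbox.

The EXTRACTED entries are transcribed from the Malware Config section above
(only fields the page shows); the rule SIDs, msg text and $HOME_NET variable
are assumptions of this example."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

EXTRACTED = [
    {"family": "redline", "botnet": "buben",  "c2": "77.91.124.82:19071"},
    {"family": "redline", "botnet": "virad",  "c2": "77.91.124.82:19071"},
    {"family": "redline", "botnet": "gigant", "c2": "77.91.124.55:19071"},
    {"family": "redline", "botnet": "magia",  "c2": "77.91.124.55:19071"},
    {"family": "amadey",  "botnet": "04d170", "c2": "http://77.91.124.1",
     "url_paths": ["/theme/index.php"]},
    {"family": "redline", "botnet": "larek",  "c2": "77.91.124.55:19071"},
    {"family": "redline", "botnet": "lutyr",  "c2": "77.91.124.55:19071"},
    {"family": "mystic",  "botnet": None,     "c2": "http://5.42.92.211/"},
    {"family": "redline", "botnet": "kukish", "c2": "77.91.124.55:19071"},
]


@dataclass(frozen=True, order=True)
class Indicator:
    proto: str   # "tcp": raw socket C2 (RedLine); "http": URL-based C2 (Amadey, Mystic)
    host: str
    port: int
    path: str = ""   # request path for http indicators, "" when the page gives none


def parse_c2(entry: dict) -> list[Indicator]:
    """Split one extracted C2 string into indicators.

    RedLine configs carry a bare host:port; Amadey and Mystic carry a URL, and
    Amadey's url_paths attribute gives the check-in path appended to it."""
    c2 = entry["c2"]
    if "://" in c2:
        u = urlparse(c2)
        port = u.port or (443 if u.scheme == "https" else 80)
        paths = entry.get("url_paths") or [u.path.rstrip("/")]
        return [Indicator("http", u.hostname, port, p) for p in paths]
    host, _, port = c2.rpartition(":")
    return [Indicator("tcp", host, int(port))]


def collect(entries) -> dict[Indicator, set[str]]:
    """Deduplicate indicators and record which family/botnet labels share each."""
    out: dict[Indicator, set[str]] = {}
    for e in entries:
        label = e["family"] + (f"/{e['botnet']}" if e.get("botnet") else "")
        for ind in parse_c2(e):
            out.setdefault(ind, set()).add(label)
    return out


def suricata_rules(indicators: dict[Indicator, set[str]], base_sid: int = 1000000) -> list[str]:
    """One rule per unique indicator; SIDs counted up from base_sid are an assumption."""
    rules = []
    for sid, ind in enumerate(sorted(indicators), base_sid):
        msg = "MALWARE " + ",".join(sorted(indicators[ind])) + " C2"
        if ind.proto == "tcp":
            rules.append(
                f'alert tcp $HOME_NET any -> {ind.host} {ind.port} '
                f'(msg:"{msg}"; flow:to_server,established; sid:{sid}; rev:1;)')
        else:
            # Match the URI only when the config actually names a path; the
            # Mystic entry gives just the host, so its rule is host-only.
            uri = f'http.uri; content:"{ind.path}"; ' if ind.path else ""
            rules.append(
                f'alert http $HOME_NET any -> {ind.host} {ind.port} '
                f'(msg:"{msg}"; flow:to_server,established; {uri}sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(collect(EXTRACTED)):
        print(rule)
```

Two caveats when using the output: the RedLine rules match on destination IP and port only (the protocol is not fingerprinted), and IP-based indicators for commodity stealers age quickly, so pair them with the auth_value / botnet labels above for attribution rather than relying on them as long-lived blocks.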

Targets

    • Target

      0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d

    • Size

      1.1MB

    • MD5

      7cd7a01c2f80541e608d5d23296eb636

    • SHA1

      b37ab77e3fabfa5c6b2ae1da51e4a8b9b109a667

    • SHA256

      0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d

    • SHA512

      9a3a3020ca964ba97cbe51c3fed6f7e20db50279b065d38969044fdf7b1ea211cd666704f02d93cd5759e64c024422a021207006c887d9b965f8f33314098c22

    • SSDEEP

      24576:7y5At6OE2X7xTSNsnb7OAoSLsjhCNHOen5QG7J0PvZftv:u5vOECWNaboE0E5QG7J0PD

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7

    • Size

      662KB

    • MD5

      79bbc0fb3cff6f6d43592e01aa84b316

    • SHA1

      57b7c1381104fae85ef7b0ce4e6b2aee20875847

    • SHA256

      15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7

    • SHA512

      82e20aee065c822400a5bb02e2b92fddd746a64d4ac97b5da91b1d9783f1533844288bbc8443bf09acbfd5fb4a536b6742e855baa09f8356a3e2019d9f12a676

    • SSDEEP

      12288:2MrYy90RFBZ+zIa/4HenwehiEEzs/e6QnQ1s4WJqEo:aySo4enth0o/kn6s44qEo

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      1ded3ef8a66199255bccbc48246fb511b05dd362acee6fc379d36afee68aa1eb

    • Size

      1.2MB

    • MD5

      2fbb7ec96e3f72fa4114d9106e9169e6

    • SHA1

      c3235479063bea76bcc981179d53b6c1194e9c55

    • SHA256

      1ded3ef8a66199255bccbc48246fb511b05dd362acee6fc379d36afee68aa1eb

    • SHA512

      751a6ec4be6814efa1bd7788407560480e3ec2193a6012b51089f9cd67a93923c648a82c03b833a7ea173b681f052c4631733cbc1bdbad9591a80609b54712af

    • SSDEEP

      24576:HyeejGI189ls1fFRnxfDjr/CHy1CgsJr0ffRIz3v5MXBSDbcaprG:SekGI189ls1fvFr/CS1C3r0ffRIdMRSt

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      211c4e6a11f15bd767da6f104c223571e677d598cba947fc6ecc736fb041af13

    • Size

      1.1MB

    • MD5

      266bb0ae217b73bd31772124f6f22efd

    • SHA1

      cebe40031cea519b909a8444a7532abef4d28e39

    • SHA256

      211c4e6a11f15bd767da6f104c223571e677d598cba947fc6ecc736fb041af13

    • SHA512

      b5cc735192135d2834a5fc909225367d8f56246f1796e1224708836aafd352a24a2f6c18a749280a86d2d0775cdd710b798cfd88038691fd6cde01648dc93bb5

    • SSDEEP

      24576:PyXu6/RkKmvArt28Ju2ElLB859EPY4XY1vR2Ud56FUhcZavLURjx:aBGoZ26fUer15eUhcuLC

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90

    • Size

      884KB

    • MD5

      5a711b648693d550f5392c789ba15673

    • SHA1

      f1708783f04e9bbf1564cd3742ebafb6daa150fc

    • SHA256

      2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90

    • SHA512

      1767e351663c1d2efff89c69d1519d5dfac99fea37abf16b58547ec8169df7564b36af359633aa650470eb32466fe4dc4da58990c2a08cfd4b49b70d20633afa

    • SSDEEP

      12288:DMrhy901daca+83cqHpVFIaslw/4+eoJiOcjpWoleMWoNBOXYTT7YMFem0DdcT+:myI43Hpf2w/4+KLdikcgHYa0ZcT+

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779

    • Size

      1.0MB

    • MD5

      9d4c21e55871a79578ab62468bbce86c

    • SHA1

      04324ce234dbeb79f9dc92d6fdafd3aa1e6a38cb

    • SHA256

      262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779

    • SHA512

      b63e0f6ddbec19cde69a412b532fb31b639da5764cc7af14c9b0e08f98eaec83b58ddfe4a4fd8b9da9ca7ee248201d005356d869518953944c58f4a9ff833d0d

    • SSDEEP

      24576:lyg54E9eWBaCmQjQf5t+dbpoDi7bDrptJT4:AcwnC5QGx7HrT

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2db3eb661bd1960f4f027053512a24f0c61f26c7314d49ff0114cec48de8d110

    • Size

      884KB

    • MD5

      f954b567abd4771ac70491fe60ddd7a1

    • SHA1

      86baa24fba2a84a36bae41f051ace13d396871ce

    • SHA256

      2db3eb661bd1960f4f027053512a24f0c61f26c7314d49ff0114cec48de8d110

    • SHA512

      574d028305fabf2235d91275ecc812668e03a929eef14fe2822bfe8df7d9023e35abd5512c303a067da94cddb0b3270f681b8c80d1a18972e7d5c0fbd493cab7

    • SSDEEP

      12288:CMr7y90OoybmDsIwO11dd+owj/W+g+mniRp4CarfhZhbquNVLpNjAOLX5fZX1S6d:Byf5Oijj/W+gS+5Zhb1Z/pfR1P

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      38f672e7cba986b4d9af3c51220a9df7a2a858c8744e2594475ff11d2cd80504

    • Size

      585KB

    • MD5

      eb8c6a30c565e85b4f99969ed75caaf7

    • SHA1

      a54a173fa9b32936b276a8f097b6282dd5fdaae3

    • SHA256

      38f672e7cba986b4d9af3c51220a9df7a2a858c8744e2594475ff11d2cd80504

    • SHA512

      42da14144ff1deadbae8d17d8388ddc44aa35e2a1d290fb8d300bc4d20233d316d4694e0e368c1ec08a89dd47290fd709d6928db0e1c7a4a06fb9ddd4ed14101

    • SSDEEP

      12288:9MrNy90FTcFVVcz437oRAjVFIucRC8zhOQwl0Dyy:Iym4Vcm7oRAjHERC8tFwliyy

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f

    • Size

      768KB

    • MD5

      31e9f3737fd3f934ce46d6c2099e5243

    • SHA1

      54e992452c1e7e0d068d22090541c8eea71049b3

    • SHA256

      3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f

    • SHA512

      634108bfebf5b3c2f868df51d0e13bbf1ae539863e29b410a139dcc12376380d1decdcec21406cc73943a5011ea49544bdeda74665ac557dc59ba4091a4f1991

    • SSDEEP

      12288:6MrVy90aRBe0s3hBIVTjySblJVsRTWFEHY8cOWtgC+a:fyNRrqBAT2TWFEHY89FC+a

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50

    • Size

      271KB

    • MD5

      ba78821a6f2c5c4158fea6a6a4c0c427

    • SHA1

      a4f2b37c174c9fc479d688c043256734f3cc19b3

    • SHA256

      4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50

    • SHA512

      2c7d660f57336357c6e73b6e53183c784e779b9cc87e44f614b2af18b862847cde6abddd004d5fb5daa820204b5e3e189a31a3f21a7b8a63eafc6d2d2488f624

    • SSDEEP

      6144:K2y+bnr+Bp0yN90QExd3Y9n1/kY4cswkcjV8:uMrly90/do9n19D5V8

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d

    • Size

      555KB

    • MD5

      d5b30a90542911576b7a5abdfbc9a18d

    • SHA1

      7b249e8fe9a27ccc36f91bcf3bb99b82e7bd55e1

    • SHA256

      4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d

    • SHA512

      5370714ff505c9397f20a6096525e5405cc86f491821b4ac70550f25434b00299f6f4559d52a7c9c96c8af22e96df4d5b599dc73f4f8271838a243fdb35b0981

    • SSDEEP

      12288:jMrDy900n9doqngAn/2J8wLU2ulOoT/V:gy/9mqgA+JtAlOoh

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498

    • Size

      662KB

    • MD5

      c248e1517a6179b7acc3b20cce371cc0

    • SHA1

      9d6252a7582d36357c043ea0be48d909897c851a

    • SHA256

      5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498

    • SHA512

      64795b3eab9cbe155153ff569f7281f3ebe55838d2c59a5491628d859f9e7fb725d3ccd377d5ec0b18499b029d9fd9d0227532b7ad3bfb2e1fe413b135132846

    • SSDEEP

      12288:mMr0y90pS7BgRbtp98YeWbSfz7dw32LBsDImm6RZvLfF2syFhvx27shDTI/:2yqSCRzSXfzRwsBsDIoRZT4syFhThTI/

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e

    • Size

      320KB

    • MD5

      21ce59e90abf825b105a522f3cd1fa1d

    • SHA1

      9ce4e89534083ff434777f8bcc18e482748eded1

    • SHA256

      838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e

    • SHA512

      4faab91eb3b222d1112b1117cab29fe63b7fbe16213eae4d7f50a0c9c7a7f1acd283a1a29c260be5d7b337e6335d8ced841d1d31cbaf64c0bf2c91458b025380

    • SSDEEP

      6144:KEy+bnr+7p0yN90QE8RmYCYBRKO5hmP+DCt0rSGloXTwyZs:EMrXy90OkPYKfGZnoZa

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb

    • Size

      599KB

    • MD5

      197e867035f6a1eee8b6b2a0d3c19804

    • SHA1

      f981fb4379333ba6c95ab8cc689c502a7c285ce8

    • SHA256

      9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb

    • SHA512

      379eeb4d090b0bbd013c231cfae16ba78ae3f0d2941e48158178865f8ca637a2f5948b3b18cb8519470fb398a93b4830e7531328bcef14d1ca62c3a792b07ab9

    • SSDEEP

      12288:bMrby90Uun5B6oTMSX5u3QnPsRGFQO1WqeeNJ5yil2iyDlArWhhiTX:QyqB6oTM6U3hREYqBNx/yDlsES

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d

    • Size

      1.6MB

    • MD5

      5e713e98cdb9d4b0c9ed7afbc3299142

    • SHA1

      826c184cec78577030a84973d2abb9df13e1581c

    • SHA256

      ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d

    • SHA512

      660597cd472c30d52b072fbb04938788c64e2af8d77466e933df65dc4e60c0ce222d64ba27fb7d13ca58d81842e272c3a991049c725b6e4ed74d658e93acd168

    • SSDEEP

      24576:SynVFJ+dWSyd+G7YmDo3fvmWQAXBvkNiMNbEDgAw8GUdPjhspubgavjYkHZv7P:5nvJh/+GK32g+hbEDlwihsp8p0k5z

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867

    • Size

      769KB

    • MD5

      c8963418e0ba703c180db37e66a4babc

    • SHA1

      1f0a035883f81dd6dd193e1a631c2ec7531b9c94

    • SHA256

      b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867

    • SHA512

      ac977b73200c79e3e7b1e8778d357b3f191bb0fd38e914a1f196b8ac9efb16abb6a21d1dd3abfa801f36002afcb7e29e8e158352436bbdae56810389347b7788

    • SSDEEP

      24576:NyX5m44V68ZM4J/xordNEv6fn4f6EXvC4Iy:oXSnJ/yBNAmnGL/C

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0

    • Size

      459KB

    • MD5

      616b135f7044939bf0221b31f55318d4

    • SHA1

      1fbf9dcb0fbff73c5de099bf37551a7504b5160e

    • SHA256

      c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0

    • SHA512

      06f90184928f58264418270487a6d0fdfc79d7c9c8b294c0d9f0f80a26e09e2e4d62b8973f2b81bd59066e39f783b7d2f3cbe8e3388e305365f6c57f952fe034

    • SSDEEP

      6144:vfEhUbDPM4jjdpvIN8fp7z5BAOLaozbmA1jn2JQB48FK1MD0X:vfEEDPjjb/1tNneQB48BQX

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04

    • Size

      306KB

    • MD5

      ec6af98de3dd9a3fadfe95b861b2160e

    • SHA1

      a34ee5b67a3e3169c5de23624f348783f46954f9

    • SHA256

      d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04

    • SHA512

      3bf37e1410c921e2a061e779d2b6e9464847341387d53c1d44d9151a6e2637f5cdce3c10591c8997e4ee08f2619db299dfb8d90fcf53fd6b66496c13652b9886

    • SSDEEP

      6144:Khy+bnr+mp0yN90QEbWq96aGBAIVPXdXlDVdIIrHq+Nu9Mq7KJ:DMrCy90pj0/BACZuIrK+NQc

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      d686e13696bd68f852ead6d9f363bc3da451cda82485f639727be0ee38b8dac7

    • Size

      452KB

    • MD5

      14e7b4eec5a799caba4f0e16a28eff2e

    • SHA1

      9b3e52e73c155b297141c7b54fac82026a7de874

    • SHA256

      d686e13696bd68f852ead6d9f363bc3da451cda82485f639727be0ee38b8dac7

    • SHA512

      c2e95a5a13f99b204e0d928447786afa0ea44e2ba30b25378779c4cef6630513aa2cfdb7528292da5ff90d27ff6d960e8a48b69112995e1a2dc50fed163c81af

    • SSDEEP

      12288:IMrxy907un5B6oTqaKfe627API0hNa+XI:5yzB6oTEe627V0hN4

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10

    • Size

      271KB

    • MD5

      14785244df56dafbcba731e754f337b7

    • SHA1

      fa1b26096b380b30ffb942684daa38d27c32121c

    • SHA256

      f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10

    • SHA512

      37d93d6d187e2566b2a1554351642405020a3d6c8687fd0c7f93ba7dedf0a88c0164aa27cc330fb746f77faed0684133c5b39ab971404748c9172bd9d68cdffd

    • SSDEEP

      6144:Kiy+bnr+kp0yN90QE1d3Y9nv/kYJknL1PxMba4:aMroy90vdo9nvQZE

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application
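
Nearly every target above carries "Adds Run key to start application", and the Healer-tagged ones add "Modifies Windows Defender Real-time Protection settings"; in the ATT&CK mapping these are T1547.001 and T1562.001. The following is an added example, not one of the sandbox's signatures: detection logic for both behaviours, run over constructed Sysmon Event ID 13 (registry value set) records flattened to key=value lines. The registry paths and Defender value names are the real ones the techniques touch; the user SID, the directories and the image names are constructed, apart from explothe.exe and fefffe8cea, which are the Amadey install_file and install_dir from the config above.

```python
"""Detection for two behaviours the report flags on most targets, run over
constructed log lines.  Added example, not one of the sandbox's signatures.

  "Adds Run key to start application"                        -> T1547.001
  "Modifies Windows Defender Real-time Protection settings"  -> T1562.001

SAMPLE_LOG is a constructed key=value flattening of Sysmon Event ID 13
(RegistryEvent, value set).  Registry paths and Defender value names are the
real ones; the user SID, the directories and the image names are invented,
except explothe.exe / fefffe8cea, the Amadey install_file and install_dir."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
EventID=13 Image=C:\Users\alice\AppData\Local\Temp\fefffe8cea\explothe.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\explothe.exe Details=C:\Users\alice\AppData\Local\Temp\fefffe8cea\explothe.exe
EventID=13 Image=C:\Users\alice\AppData\Local\Temp\healer.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring Details=DWORD (0x00000001)
EventID=13 Image=C:\Users\alice\AppData\Local\Temp\healer.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring Details=DWORD (0x00000001)
EventID=13 Image=C:\Program Files\Windows Defender\MsMpEng.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring Details=DWORD (0x00000000)
EventID=13 Image=C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Program Files\Microsoft OneDrive\OneDrive.exe /background
EventID=12 EventType=CreateKey Image=C:\Users\alice\AppData\Local\Temp\fefffe8cea\explothe.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run
"""

# Autostart locations covered by T1547.001 (per-user and machine-wide Run/RunOnce).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)

# Defender real-time protection switches, under the product key or the
# policy key; a Details value of "DWORD (0x00000001)" turns the protection off.
DEFENDER_RTP_RE = re.compile(
    r"\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|"
    r"OnAccessProtection|ScanOnRealtimeEnable)$", re.I)

# Autostart entries pointing into user-writable drop locations rank higher.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")


@dataclass(frozen=True)
class Alert:
    technique: str
    severity: str
    image: str
    target: str
    details: str


def parse_event(line: str) -> dict[str, str]:
    """Split 'Key=value Key=value ...' where values may contain spaces but never 'Key='."""
    fields: dict[str, str] = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(line: str) -> Alert | None:
    ev = parse_event(line)
    if ev.get("EventID") != "13":          # only value-set events carry Details
        return None
    image, target, details = ev.get("Image", ""), ev.get("TargetObject", ""), ev.get("Details", "")
    if RUN_KEY_RE.search(target):
        severity = "high" if USER_WRITABLE_RE.search(details) else "medium"
        return Alert("T1547.001", severity, image, target, details)
    if DEFENDER_RTP_RE.search(target):
        m = DWORD_RE.search(details)
        if m and int(m.group(1), 16) != 0:  # writing 0 re-enables, that is not tampering
            return Alert("T1562.001", "high", image, target, details)
    return None


def scan(log: str) -> list[Alert]:
    return [a for a in map(detect, filter(str.strip, log.splitlines())) if a]


def technique_counts(alerts: list[Alert]) -> dict[str, int]:
    return dict(Counter(a.technique for a in alerts))


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.technique} {a.image} -> {a.target} = {a.details}")
```

Two points to keep in mind: Sysmon only emits Event ID 13 for registry paths its configuration includes, so the Run keys and both Defender "Real-Time Protection" keys must be in the RegistryEvent rules for this to see anything; and a Run key write is routine for legitimate installers (the OneDrive line above), which is why the example grades severity by whether the autostart target lives in a user-writable drop directory rather than alerting on every write equally.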

MITRE ATT&CK Matrix (ATT&CK v13; the number after each technique is the hit count the report gives)

Execution
  • Scheduled Task/Job (T1053): 1

Persistence
  • Create or Modify System Process (T1543): 6
      Windows Service (T1543.003): 6
  • Boot or Logon Autostart Execution (T1547): 19
      Registry Run Keys / Startup Folder (T1547.001): 19
  • Scheduled Task/Job (T1053): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 6
      Windows Service (T1543.003): 6
  • Boot or Logon Autostart Execution (T1547): 19
      Registry Run Keys / Startup Folder (T1547.001): 19
  • Scheduled Task/Job (T1053): 1

Defense Evasion
  • Modify Registry (T1112): 27
  • Impair Defenses (T1562): 8
      Disable or Modify Tools (T1562.001): 8

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Tasks

static1
  Score: 3/10

behavioral1
  Tags: healer, redline, buben, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral2
  Tags: mystic, redline, virad, infostealer, persistence, stealer
  Score: 10/10

behavioral3
  Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  Score: 10/10

behavioral4
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral5
  Tags: mystic, redline, gigant, infostealer, persistence, stealer
  Score: 10/10

behavioral6
  Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  Score: 10/10

behavioral7
  Tags: mystic, redline, gigant, infostealer, persistence, stealer
  Score: 10/10

behavioral8
  Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  Score: 10/10

behavioral9
  Tags: healer, redline, virad, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral10
  Tags: mystic, redline, virad, infostealer, persistence, stealer
  Score: 10/10

behavioral11
  Tags: mystic, redline, virad, infostealer, persistence, stealer
  Score: 10/10

behavioral12
  Tags: mystic, redline, virad, infostealer, persistence, stealer
  Score: 10/10

behavioral13
  Tags: healer, redline, virad, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral14
  Tags: mystic, evasion, persistence, stealer, trojan
  Score: 10/10

behavioral15
  Tags: mystic, redline, gigant, infostealer, persistence, stealer
  Score: 10/10

behavioral16
  Tags: healer, redline, virad, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral17
  Tags: redline, magia, infostealer
  Score: 10/10

behavioral18
  Tags: redline, magia, infostealer
  Score: 10/10

behavioral19
  Tags: amadey, redline, 04d170, larek, infostealer, persistence, trojan
  Score: 10/10

behavioral20
  Tags: mystic, evasion, persistence, stealer, trojan
  Score: 10/10

behavioral21
  Tags: mystic, redline, virad, infostealer, persistence, stealer
  Score: 10/10