Overview

overview

10

Static

static

3

0a827f3afc...35.exe

windows10-2004-x64

10

18184ff5db...7a.exe

windows10-2004-x64

10

36b2548e8c...4f.exe

windows10-2004-x64

10

4105a1b5cd...10.exe

windows10-2004-x64

10

5c5167b5fa...58.exe

windows10-2004-x64

10

63e6b5c830...f8.exe

windows10-2004-x64

10

6c30cb0079...67.exe

windows7-x64

10

6c30cb0079...67.exe

windows10-2004-x64

10

6e83c409a5...45.exe

windows10-2004-x64

10

77f90e3384...ff.exe

windows10-2004-x64

10

78bd5cf504...7c.exe

windows10-2004-x64

10

7ce62a9574...e1.exe

windows10-2004-x64

10

7d2d45b593...66.exe

windows10-2004-x64

10

7d9b9686db...9b.exe

windows10-2004-x64

10

864fdfc64c...f0.exe

windows10-2004-x64

10

9607b0ce5d...c6.exe

windows10-2004-x64

10

aa524ac0a8...07.exe

windows10-2004-x64

10

b6f332f02a...85.exe

windows10-2004-x64

10

cfebef463c...dc.exe

windows10-2004-x64

10

d0feb2ba6d...72.exe

windows10-2004-x64

10

df0b96135e...51.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    r1.zip

  • Size

    17.0MB

  • Sample

    240523-vz8vcsad8w

  • MD5

    d358b5a809808348019b5c6c662d7a0b

  • SHA1

    341f061b2bdcf51fec4e2edcd786026b0b528449

  • SHA256

    c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

  • SHA512

    856daad348c3d679a3ad6e006756772ad0b4b18ddc569324b35c4bd67dd9a9e68ae378a60df9752dda0ed72465f5964bd356ad04a6f297bf510418d1203b9496

  • SSDEEP

    393216:0DjFwR9whXnArkdWr4Yo4LU0FHZS0lv+aHV3m+0HfyNyoSTXZp3:k2sXnArXfLU0F5S0LV3m/Xp3

Score
10/10
amadeyhealermysticredlinesmokeloaderdaf753fb0fb8frantgigantlutyrmagiamonernariktrushviradbackdoordropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes
  • auth_value

    a94cd9e01643e1945b296c28a2f28707

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

magia

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Extracted

Family

redline

Botnet

narik

C2

77.91.124.82:19071

Attributes
  • auth_value

    07924f5ef90576eb64faea857b8ba3e5

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes
  • auth_value

    c13814867cde8193679cd0cad2d774be

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

C2

http://77.91.68.78

Attributes
  • install_dir

    cb378487cf

  • install_file

    legota.exe

  • strings_key

    f3785cbeef2013b6724eed349fd316ba

  • url_paths

    /help/index.php

rc4.plain

Targets

    • Target

      0a827f3afc0645954dd24f12c87e59035cad5723414cfb4b9933e600faf4ae35

    • Size

      472KB

    • MD5

      6ff1a455bee02fd15858c1e9324655a1

    • SHA1

      eabc36878fa2c646c59a88e4184601acfb8ef904

    • SHA256

      0a827f3afc0645954dd24f12c87e59035cad5723414cfb4b9933e600faf4ae35

    • SHA512

      56cc3ba67e4c84eb4ae885b06f96ea0894d22aa4af2c9cda8debfde8b02a21410da0add2d64bff488616675f55808dca64d683a965c965f712b51032aebc7fad

    • SSDEEP

      12288:iMrNy90xixQ21JflwuqdlE5ntM2LcjqeicCWCCVX2:3ylQ2vqcFtM2IqcC2A

    Score
    10/10
    healerredlinemonerdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a

    • Size

      662KB

    • MD5

      efc79a98fc61f6d6dfabe4bf64ccbf8c

    • SHA1

      8137dafbb384db53eff033229998945166ac5fa8

    • SHA256

      18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a

    • SHA512

      717247ab59c19296e11c16545bae54067a3a30c46e0c118cc690fd79fd98bcd8401b206ced16417ac09a65090eaf726a61b44612cf8f8a322517591621f5974f

    • SSDEEP

      12288:EMr6y90bevLolfDpBvr6dqaxMGdo/0JMFSLt1T8muh5bgOz+/eCEdJdar:Gy3Lopj6dqKMGm/iMILtyV5bgOzqPari

    Score
    10/10
    mysticredlineviradinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral2

    • Target

      36b2548e8cff694e8667d04ab33d149c6e8bc4cad4bc4adc501ac7c1189f6c4f

    • Size

      696KB

    • MD5

      60a06b357591f715a801b79c5b32967a

    • SHA1

      5dd59fe5078e07bac523f417ff4b99df60df684a

    • SHA256

      36b2548e8cff694e8667d04ab33d149c6e8bc4cad4bc4adc501ac7c1189f6c4f

    • SHA512

      0b0c2da8a778fbdd211ebddef16aa59f39fdfe5f3b460d065a7e6ca0d8988b18d7ff0d6a5b3f97367e239a85cee2ac89ac6733026ed0f5df2bd2ca235b8730ba

    • SSDEEP

      12288:rMrty90OK5hhGOKyXEEGFQabDD7zd1pHlrdMz6172w7XQcVIfGQWsCDDM:eyIPxPNGFNLpHv247AcVIvfCPM

    Score
    10/10
    mysticsmokeloaderbackdoorevasionpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3

    • Target

      4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810

    • Size

      1.0MB

    • MD5

      61d4845e02006e934527cd4703e90b07

    • SHA1

      0b22149b814404ca6f23a55db2b0fd4f03e9f7ee

    • SHA256

      4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810

    • SHA512

      47d1517c5e537e90df2ef1c11193992cc7da9e242dc2cc2238643abffc1f92a63fb9cde89658f80633dd20174dbae2e9eca48947ab573b40f49012320aa8e888

    • SSDEEP

      24576:xyCEn0G0jYadh62kOcE++vHldKAzUvk43i6OhqbT:kCEn0JjthByoHLNAvSjqb

    Score
    10/10
    mysticredlinenarikevasioninfostealerpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58

    • Size

      1.2MB

    • MD5

      34bd88866a21f46e8aac88ce27ece869

    • SHA1

      9c55dc3e1bd014ca0b856b6ab8639b5a8bffeb3b

    • SHA256

      5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58

    • SHA512

      b6089180dfc0936be3e17868ef1d815d1cc5d6f8f346a1840649d8c4ec3d21a3a4a073f49ba444cf5a5211caf87a510f1221576799fe2ffa3a22e1d19d251e5f

    • SSDEEP

      24576:9ybWjicQBao2bo3GEq+0mABw8DuA1m+2NysFED8pvxtvs6x81lqa9kb3:YWicQBP2M3Ga0xBFCA4iW/v/61lH9k

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral5

    • Target

      63e6b5c83075ac978e67dd3e333b3a73cf6c4d1c644a3e8975acdc6fb9c7c1f8

    • Size

      1.2MB

    • MD5

      919b359a73a034bd1742a3846ce1332d

    • SHA1

      e82d56a9aeeb2b8a4568b7bd86d94f8ad4565e13

    • SHA256

      63e6b5c83075ac978e67dd3e333b3a73cf6c4d1c644a3e8975acdc6fb9c7c1f8

    • SHA512

      c5893022d530cfa36dbd8b7eb7aa45655caaee99f64bc456dfa0d8147e5d09afd49835804f4287e7cdb0b64a5850010b78e34c9f0ca0d36c19c4bbc677878f2a

    • SSDEEP

      24576:9y2CyMEv4qZAina4sIgXajxFCv0RuSR8Ghl3GSKc5yDIEGAMT:Y2CyMQ5lgSxFJRuNcG45yDIEtM

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467

    • Size

      378KB

    • MD5

      99cbd861f83a58b6f9e44032d4809098

    • SHA1

      a3830e857406f1fb963bf090a46daaf88b06e27e

    • SHA256

      6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467

    • SHA512

      6b4088070017f838f07115d3aca431447ad78f001bedb26637b1bdd14e312d246d986fb35bbdbf39a7c8cb0d38ffb11773814264dec3ba06f2b6ca444c8505d6

    • SSDEEP

      6144:f49SP92pCryG4kfjSGwEi56AOLGFIramMeulPZbsrww0D:f49Q2wryNSoF8apeul1sED

    Score
    10/10
    mysticstealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645

    • Size

      1.3MB

    • MD5

      444fbed769b5f41a0e756e79b9d1e658

    • SHA1

      9aabf704f69cbbcc81b71999f7f9749c86a0d190

    • SHA256

      6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645

    • SHA512

      8d27c05a1cff2bc98ddec672ae9fab1287f964277a112e2b6fe1087d8ac464c0e736115acadd27c1a6a783f38cef650d7bd63ec03d5dd85d3ce256bef1a5ee08

    • SSDEEP

      24576:ayaZk2ZUXVtE9VdwtoHP98FVHc/44mPoIeGTJu42BsoSG4:haZkJ6atyP+Fhr0YuptS

    Score
    10/10
    amadeyhealermysticredlinedaf753fb0fb8trushdropperevasioninfostealerpersistencestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral9

    • Target

      77f90e33849dda663fd4cda0660a634b060b4175b2e67325c1556e009c739dff

    • Size

      872KB

    • MD5

      b1f947438cac40f6b0065f67923c0bff

    • SHA1

      cde63592778ccb72ff7aa7db2a6e618ae6e13b3e

    • SHA256

      77f90e33849dda663fd4cda0660a634b060b4175b2e67325c1556e009c739dff

    • SHA512

      29da20916d718e65ee1de3051226775e33d55f02a76846dbf90135cabe8392590b2930fe600b6a88c50048f3bbc7582f89c3032728cd4c45e2373861d18018c7

    • SSDEEP

      24576:jyHNtE1bUNkHQwmMWdCeM65DQjXr91quAc:2HLuUNkHQwmKE6r

    Score
    10/10
    mysticredlinelutyrinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c

    • Size

      937KB

    • MD5

      a28659924b46bf84095e62a338b26aba

    • SHA1

      e439aad00b7f690784c2171f0585b5b3ddb05739

    • SHA256

      78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c

    • SHA512

      ddec630ff1d87ed5ef7cbde855d6df4061508875cad5c1d45195e4e63627aee184c5d8ba78415d25c399dbed074107a726e4b0020cc202e4a90333ce631b33d4

    • SSDEEP

      12288:jMryy90aFM01vEA4+L0KRbMPhcnJyFQJ9QMZMCGhAKbjISHSJXm/cHYj3u4U21ZG:hydpN1isbPQUxObfH6XV63u4px0

    Score
    10/10
    mysticredlinelutyrinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral11

    • Target

      7ce62a9574ca774ba9c6234c75799fd5cb2c153c6f1e40a65e1bea1a9c2219e1

    • Size

      444KB

    • MD5

      62cb5abe1a7a14a455b7bcbde88afee6

    • SHA1

      5761fe51f10b934d99810fdd8d051f1a0b129aa8

    • SHA256

      7ce62a9574ca774ba9c6234c75799fd5cb2c153c6f1e40a65e1bea1a9c2219e1

    • SHA512

      59f36fd993e5ef000ac8c7bb8c87583a4d99385e8eec8438345c9b26c70ffcb050734c1770f4e6449370ab0a5ce5d77ac2cf42a52cfbf6751db261642c051ece

    • SSDEEP

      12288:FMrLy90YUdatcF1R4XJp2QzCPL9ZZID6MSkLyTnLh:+yx8atcF1Ry2OcxZOXjen1

    Score
    10/10
    mysticredlinelutyrinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral12

    • Target

      7d2d45b5937ea290b091c8ccd70073bfedc220269f4ab6c1833823d1678ed166

    • Size

      598KB

    • MD5

      44d2059628937296edf7cf7ab9a0756b

    • SHA1

      b1d514de0cd2845331038cb4f3ba1d94957ce453

    • SHA256

      7d2d45b5937ea290b091c8ccd70073bfedc220269f4ab6c1833823d1678ed166

    • SHA512

      62d89487ffafac8c0c81beec67ffb131a854ff072844bb33cded80c36915c5f869e8abbca0f62968edfc8be0c3baf7a77dbac0895b6df07cc454c26edaedf4af

    • SSDEEP

      12288:OMrNy907un5B6oTC7L0t9WP+C5dGBIquDi4deB2pCIWCH/zfdyy:/yJB6oTEL0T++k0oy25yy

    Score
    10/10
    mysticevasionpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral13

    • Target

      7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b

    • Size

      632KB

    • MD5

      7c76b8ad44a15e0ef8a64d318ef72e67

    • SHA1

      af73ae5bd202d0433efb35312d024cda7516e3a2

    • SHA256

      7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b

    • SHA512

      66704ea4e9297d136ae38e726956757d4be424d693afa657cefcda3c611dfa2073d39092317fb61c63e31112679ae5cee25ebeb7a3d2c8c54aced1c04b5dfb0c

    • SSDEEP

      12288:0Mr3y90j0USqlTi317bopPQy7m0v34EYrqVDjuo3wHIvWUOm7JIqH:7yeFlG31A3m0D3Vxw075H

    Score
    10/10
    mysticredlinelutyrinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral14

    • Target

      864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0

    • Size

      748KB

    • MD5

      373acbf2f3d1e2fa28f3961311d1187e

    • SHA1

      60d6c0fb97f5673c96fe13b94e7eb446ae72bce4

    • SHA256

      864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0

    • SHA512

      1867a971cdf2238ec530a79a23530b7ebd6209ae2e2f64b9fdf6925199275f4586bbea177a25453c6b05d5961452ab702c3283149dff9c6c1368bf4f5d1f3b52

    • SSDEEP

      12288:iMrzy90aQ+AopvrmaEUEWnwXlhUxEBYjYejzaREccnzS+pqbXrM3K9MML9+5DMWr:ZyFQ+/TmJ+WlhUmBmaREr2+peXrM3hMI

    Score
    10/10
    mysticsmokeloaderbackdoorpersistencestealertrojan

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral15

    • Target

      9607b0ce5da9cdaed4a53ccbe60fb0d4863b49ad237993d21e1b23a6674e97c6

    • Size

      1.8MB

    • MD5

      c9bac1cfce49a87f78ebc04b8cb3a223

    • SHA1

      1f4ecd7288d45a45080ca174a2fe3d94681a9012

    • SHA256

      9607b0ce5da9cdaed4a53ccbe60fb0d4863b49ad237993d21e1b23a6674e97c6

    • SHA512

      31b973cde45abc91f30ef2b9ced0a0c2c7872c390c435be73a963255567cd954e0761aabef5f3787775f6f638fd968b5b28e304ea42fb1b183969da67b296809

    • SSDEEP

      24576:NyStAmpAPZUWXV7hGw7pJwnavgTx4ARl3Xw89W/i1HUp1Cs887Fj5Ex/fcPh+bbJ:oSbQfZhLwavMVp9W8Uu/qPE5I+99xxj

    Score
    10/10
    mysticredlinesmokeloaderfrantbackdoorevasioninfostealerpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral16

    • Target

      aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07

    • Size

      1.2MB

    • MD5

      f82666906b563093e7d9151ae07c8201

    • SHA1

      f063119adddd1ebf6b9bc1034032e446195d936d

    • SHA256

      aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07

    • SHA512

      5ba83af323bf600485465ff2b23ea47b2c288f6a8d78353d7531d3c79589e24677a45b79c5278379c078c0add0dd81e44d7bb1250d9b1678ff1340dea3f06ded

    • SSDEEP

      24576:Byu8LIM5kNQegrBPVd4y0P6i5cW0tgsaeA9QVL6E3KpZx:0u1M5km9rHd4vPtZla32H

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral17

    • Target

      b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85

    • Size

      1.3MB

    • MD5

      39f0a05d9cffc6b37a511894b059bc41

    • SHA1

      3824f46d185556377f522fa71219a8cffd91e1a6

    • SHA256

      b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85

    • SHA512

      e636d7bd05c3dea755dbc513f16799cb8f4104d8650df8d887ae283d2ef2a0e23699b819f96abd70a58f5447b094f5a14e8456aa982cc01e96154231b280246c

    • SSDEEP

      24576:qyiD/od1RQ2QJvKWMY8INJwYVCTA+oYueiVPvZ11+7ebeyBDZ+yk1gaacvyZAhxG:xiL2RQ2QJv7bJsFoLnVPU7weyzuambqo

    Score
    10/10
    mysticredlinesmokeloadermagiabackdoorevasioninfostealerpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral18

    • Target

      cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc

    • Size

      884KB

    • MD5

      e00423dabbb359e5616c2bffbd3ed241

    • SHA1

      75c0818bc02e99a46d4024010cdba5c25b96170f

    • SHA256

      cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc

    • SHA512

      a18483c1910f9e8137468ab7427eb424445071296c1a313ea646f96bca4c091b1365f08d61fed65f82b1459b1d90e2006f6250773b946e3369e6df5174067256

    • SSDEEP

      24576:YyxczE3pCXXFoqw49z/s+YAhSTqUa+W2apq:fxcopCHFI49zkiUW2A

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral19

    • Target

      d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672

    • Size

      937KB

    • MD5

      9cb0d1e9df3d1720afc640d283626935

    • SHA1

      96c1c2a73af255b93ad71afa9765ee4a39399062

    • SHA256

      d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672

    • SHA512

      b25dd4d624fcf6a244e27a23fb116718e16d6de76da01fabf4204261b3583841df037f1775d2d068f7836fa71e5bebedb834cc46cf4be3f8a6667c017efe5922

    • SSDEEP

      24576:LyCaA28bWLsxVTbMV9/PI2flZUYwo9+KguBkflfO:+FxGQV9BfsuI

    Score
    10/10
    mysticredlinelutyrinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral20

    • Target

      df0b96135e1607d766af3caf4942e58032580d533155a67061447124b2259851

    • Size

      884KB

    • MD5

      9da6ae0abd9c3a78664394854d47e298

    • SHA1

      9e0aa5c1f54a56f31406ad10558fb9cb921dbcf6

    • SHA256

      df0b96135e1607d766af3caf4942e58032580d533155a67061447124b2259851

    • SHA512

      16e466a37d1b953bad31d04164a6ab3622cd29b2e2ec27a522bcf688aa706eda232a4952e1bcb328c4fc52ef089a7ec2b91663baa45e9d4253800e620658086c

    • SSDEEP

      24576:byRu5r0YROgynnLwA5fIjaKPNQ3fF2VsIY4:OI5Q24nnEPpPcN2VS

    Score
    10/10
    mysticredlinegigantinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral21

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

healerredlinemonerdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

mysticredlineviradinfostealerpersistencestealer
Score
10/10

behavioral3

mysticsmokeloaderbackdoorevasionpersistencestealertrojan
Score
10/10

behavioral4

mysticredlinenarikevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral5

mysticredlinegigantinfostealerpersistencestealer
Score
10/10

behavioral6

mysticredlinegigantinfostealerpersistencestealer
Score
10/10

behavioral7

mysticstealer
Score
10/10

behavioral8

mysticstealer
Score
10/10

behavioral9

amadeyhealermysticredlinedaf753fb0fb8trushdropperevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral10

mysticredlinelutyrinfostealerpersistencestealer
Score
10/10

behavioral11

mysticredlinelutyrinfostealerpersistencestealer
Score
10/10

behavioral12

mysticredlinelutyrinfostealerpersistencestealer
Score
10/10

behavioral13

mysticevasionpersistencestealertrojan
Score
10/10

behavioral14

mysticredlinelutyrinfostealerpersistencestealer
Score
10/10

behavioral15

mysticsmokeloaderbackdoorpersistencestealertrojan
Score
10/10

behavioral16

mysticredlinesmokeloaderfrantbackdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral17

mysticredlinegigantinfostealerpersistencestealer
Score
10/10

behavioral18

mysticredlinesmokeloadermagiabackdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral19

mysticredlinegigantinfostealerpersistencestealer
Score
10/10

behavioral20

mysticredlinelutyrinfostealerpersistencestealer
Score
10/10

behavioral21

mysticredlinegigantinfostealerpersistencestealer
Score
10/10