amadey

Sharing

Copy URL

Twitter E-mail

General

Target

r1.zip
Size

17.0MB
Sample

240523-vz8vcsad8w
MD5

d358b5a809808348019b5c6c662d7a0b
SHA1

341f061b2bdcf51fec4e2edcd786026b0b528449
SHA256

c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6
SHA512

856daad348c3d679a3ad6e006756772ad0b4b18ddc569324b35c4bd67dd9a9e68ae378a60df9752dda0ed72465f5964bd356ad04a6f297bf510418d1203b9496
SSDEEP

393216:0DjFwR9whXnArkdWr4Yo4LU0FHZS0lv+aHV3m+0HfyNyoSTXZp3:k2sXnArXfLU0F5S0LV3m/Xp3

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Targets

- Target
  
  0a827f3afc0645954dd24f12c87e59035cad5723414cfb4b9933e600faf4ae35
- Size
  
  472KB
- MD5
  
  6ff1a455bee02fd15858c1e9324655a1
- SHA1
  
  eabc36878fa2c646c59a88e4184601acfb8ef904
- SHA256
  
  0a827f3afc0645954dd24f12c87e59035cad5723414cfb4b9933e600faf4ae35
- SHA512
  
  56cc3ba67e4c84eb4ae885b06f96ea0894d22aa4af2c9cda8debfde8b02a21410da0add2d64bff488616675f55808dca64d683a965c965f712b51032aebc7fad
- SSDEEP
  
  12288:iMrNy90xixQ21JflwuqdlE5ntM2LcjqeicCWCCVX2:3ylQ2vqcFtM2IqcC2A
Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a
- Size
  
  662KB
- MD5
  
  efc79a98fc61f6d6dfabe4bf64ccbf8c
- SHA1
  
  8137dafbb384db53eff033229998945166ac5fa8
- SHA256
  
  18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a
- SHA512
  
  717247ab59c19296e11c16545bae54067a3a30c46e0c118cc690fd79fd98bcd8401b206ced16417ac09a65090eaf726a61b44612cf8f8a322517591621f5974f
- SSDEEP
  
  12288:EMr6y90bevLolfDpBvr6dqaxMGdo/0JMFSLt1T8muh5bgOz+/eCEdJdar:Gy3Lopj6dqKMGm/iMILtyV5bgOzqPari
Score

10^/10

mystic redline virad infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  36b2548e8cff694e8667d04ab33d149c6e8bc4cad4bc4adc501ac7c1189f6c4f
- Size
  
  696KB
- MD5
  
  60a06b357591f715a801b79c5b32967a
- SHA1
  
  5dd59fe5078e07bac523f417ff4b99df60df684a
- SHA256
  
  36b2548e8cff694e8667d04ab33d149c6e8bc4cad4bc4adc501ac7c1189f6c4f
- SHA512
  
  0b0c2da8a778fbdd211ebddef16aa59f39fdfe5f3b460d065a7e6ca0d8988b18d7ff0d6a5b3f97367e239a85cee2ac89ac6733026ed0f5df2bd2ca235b8730ba
- SSDEEP
  
  12288:rMrty90OK5hhGOKyXEEGFQabDD7zd1pHlrdMz6172w7XQcVIfGQWsCDDM:eyIPxPNGFNLpHv247AcVIvfCPM
Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810
- Size
  
  1.0MB
- MD5
  
  61d4845e02006e934527cd4703e90b07
- SHA1
  
  0b22149b814404ca6f23a55db2b0fd4f03e9f7ee
- SHA256
  
  4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810
- SHA512
  
  47d1517c5e537e90df2ef1c11193992cc7da9e242dc2cc2238643abffc1f92a63fb9cde89658f80633dd20174dbae2e9eca48947ab573b40f49012320aa8e888
- SSDEEP
  
  24576:xyCEn0G0jYadh62kOcE++vHldKAzUvk43i6OhqbT:kCEn0JjthByoHLNAvSjqb
Score

10^/10

mystic redline narik evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58
- Size
  
  1.2MB
- MD5
  
  34bd88866a21f46e8aac88ce27ece869
- SHA1
  
  9c55dc3e1bd014ca0b856b6ab8639b5a8bffeb3b
- SHA256
  
  5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58
- SHA512
  
  b6089180dfc0936be3e17868ef1d815d1cc5d6f8f346a1840649d8c4ec3d21a3a4a073f49ba444cf5a5211caf87a510f1221576799fe2ffa3a22e1d19d251e5f
- SSDEEP
  
  24576:9ybWjicQBao2bo3GEq+0mABw8DuA1m+2NysFED8pvxtvs6x81lqa9kb3:YWicQBP2M3Ga0xBFCA4iW/v/61lH9k
Score

10^/10

mystic redline gigant infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  63e6b5c83075ac978e67dd3e333b3a73cf6c4d1c644a3e8975acdc6fb9c7c1f8
- Size
  
  1.2MB
- MD5
  
  919b359a73a034bd1742a3846ce1332d
- SHA1
  
  e82d56a9aeeb2b8a4568b7bd86d94f8ad4565e13
- SHA256
  
  63e6b5c83075ac978e67dd3e333b3a73cf6c4d1c644a3e8975acdc6fb9c7c1f8
- SHA512
  
  c5893022d530cfa36dbd8b7eb7aa45655caaee99f64bc456dfa0d8147e5d09afd49835804f4287e7cdb0b64a5850010b78e34c9f0ca0d36c19c4bbc677878f2a
- SSDEEP
  
  24576:9y2CyMEv4qZAina4sIgXajxFCv0RuSR8Ghl3GSKc5yDIEGAMT:Y2CyMQ5lgSxFJRuNcG45yDIEtM
Score

10^/10

mystic redline gigant infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467
- Size
  
  378KB
- MD5
  
  99cbd861f83a58b6f9e44032d4809098
- SHA1
  
  a3830e857406f1fb963bf090a46daaf88b06e27e
- SHA256
  
  6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467
- SHA512
  
  6b4088070017f838f07115d3aca431447ad78f001bedb26637b1bdd14e312d246d986fb35bbdbf39a7c8cb0d38ffb11773814264dec3ba06f2b6ca444c8505d6
- SSDEEP
  
  6144:f49SP92pCryG4kfjSGwEi56AOLGFIramMeulPZbsrww0D:f49Q2wryNSoF8apeul1sED
Score

10^/10

mystic stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645
- Size
  
  1.3MB
- MD5
  
  444fbed769b5f41a0e756e79b9d1e658
- SHA1
  
  9aabf704f69cbbcc81b71999f7f9749c86a0d190
- SHA256
  
  6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645
- SHA512
  
  8d27c05a1cff2bc98ddec672ae9fab1287f964277a112e2b6fe1087d8ac464c0e736115acadd27c1a6a783f38cef650d7bd63ec03d5dd85d3ce256bef1a5ee08
- SSDEEP
  
  24576:ayaZk2ZUXVtE9VdwtoHP98FVHc/44mPoIeGTJu42BsoSG4:haZkJ6atyP+Fhr0YuptS
Score

10^/10

amadey healer mystic redline daf753 fb0fb8 trush dropper evasion infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  77f90e33849dda663fd4cda0660a634b060b4175b2e67325c1556e009c739dff
- Size
  
  872KB
- MD5
  
  b1f947438cac40f6b0065f67923c0bff
- SHA1
  
  cde63592778ccb72ff7aa7db2a6e618ae6e13b3e
- SHA256
  
  77f90e33849dda663fd4cda0660a634b060b4175b2e67325c1556e009c739dff
- SHA512
  
  29da20916d718e65ee1de3051226775e33d55f02a76846dbf90135cabe8392590b2930fe600b6a88c50048f3bbc7582f89c3032728cd4c45e2373861d18018c7
- SSDEEP
  
  24576:jyHNtE1bUNkHQwmMWdCeM65DQjXr91quAc:2HLuUNkHQwmKE6r
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10
- Target
  
  78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c
- Size
  
  937KB
- MD5
  
  a28659924b46bf84095e62a338b26aba
- SHA1
  
  e439aad00b7f690784c2171f0585b5b3ddb05739
- SHA256
  
  78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c
- SHA512
  
  ddec630ff1d87ed5ef7cbde855d6df4061508875cad5c1d45195e4e63627aee184c5d8ba78415d25c399dbed074107a726e4b0020cc202e4a90333ce631b33d4
- SSDEEP
  
  12288:jMryy90aFM01vEA4+L0KRbMPhcnJyFQJ9QMZMCGhAKbjISHSJXm/cHYj3u4U21ZG:hydpN1isbPQUxObfH6XV63u4px0
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  7ce62a9574ca774ba9c6234c75799fd5cb2c153c6f1e40a65e1bea1a9c2219e1
- Size
  
  444KB
- MD5
  
  62cb5abe1a7a14a455b7bcbde88afee6
- SHA1
  
  5761fe51f10b934d99810fdd8d051f1a0b129aa8
- SHA256
  
  7ce62a9574ca774ba9c6234c75799fd5cb2c153c6f1e40a65e1bea1a9c2219e1
- SHA512
  
  59f36fd993e5ef000ac8c7bb8c87583a4d99385e8eec8438345c9b26c70ffcb050734c1770f4e6449370ab0a5ce5d77ac2cf42a52cfbf6751db261642c051ece
- SSDEEP
  
  12288:FMrLy90YUdatcF1R4XJp2QzCPL9ZZID6MSkLyTnLh:+yx8atcF1Ry2OcxZOXjen1
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral12
- Target
  
  7d2d45b5937ea290b091c8ccd70073bfedc220269f4ab6c1833823d1678ed166
- Size
  
  598KB
- MD5
  
  44d2059628937296edf7cf7ab9a0756b
- SHA1
  
  b1d514de0cd2845331038cb4f3ba1d94957ce453
- SHA256
  
  7d2d45b5937ea290b091c8ccd70073bfedc220269f4ab6c1833823d1678ed166
- SHA512
  
  62d89487ffafac8c0c81beec67ffb131a854ff072844bb33cded80c36915c5f869e8abbca0f62968edfc8be0c3baf7a77dbac0895b6df07cc454c26edaedf4af
- SSDEEP
  
  12288:OMrNy907un5B6oTC7L0t9WP+C5dGBIquDi4deB2pCIWCH/zfdyy:/yJB6oTEL0T++k0oy25yy
Score

10^/10

mystic evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral13
- Target
  
  7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b
- Size
  
  632KB
- MD5
  
  7c76b8ad44a15e0ef8a64d318ef72e67
- SHA1
  
  af73ae5bd202d0433efb35312d024cda7516e3a2
- SHA256
  
  7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b
- SHA512
  
  66704ea4e9297d136ae38e726956757d4be424d693afa657cefcda3c611dfa2073d39092317fb61c63e31112679ae5cee25ebeb7a3d2c8c54aced1c04b5dfb0c
- SSDEEP
  
  12288:0Mr3y90j0USqlTi317bopPQy7m0v34EYrqVDjuo3wHIvWUOm7JIqH:7yeFlG31A3m0D3Vxw075H
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0
- Size
  
  748KB
- MD5
  
  373acbf2f3d1e2fa28f3961311d1187e
- SHA1
  
  60d6c0fb97f5673c96fe13b94e7eb446ae72bce4
- SHA256
  
  864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0
- SHA512
  
  1867a971cdf2238ec530a79a23530b7ebd6209ae2e2f64b9fdf6925199275f4586bbea177a25453c6b05d5961452ab702c3283149dff9c6c1368bf4f5d1f3b52
- SSDEEP
  
  12288:iMrzy90aQ+AopvrmaEUEWnwXlhUxEBYjYejzaREccnzS+pqbXrM3K9MML9+5DMWr:ZyFQ+/TmJ+WlhUmBmaREr2+peXrM3hMI
Score

10^/10

mystic smokeloader backdoor persistence stealer trojan
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  9607b0ce5da9cdaed4a53ccbe60fb0d4863b49ad237993d21e1b23a6674e97c6
- Size
  
  1.8MB
- MD5
  
  c9bac1cfce49a87f78ebc04b8cb3a223
- SHA1
  
  1f4ecd7288d45a45080ca174a2fe3d94681a9012
- SHA256
  
  9607b0ce5da9cdaed4a53ccbe60fb0d4863b49ad237993d21e1b23a6674e97c6
- SHA512
  
  31b973cde45abc91f30ef2b9ced0a0c2c7872c390c435be73a963255567cd954e0761aabef5f3787775f6f638fd968b5b28e304ea42fb1b183969da67b296809
- SSDEEP
  
  24576:NyStAmpAPZUWXV7hGw7pJwnavgTx4ARl3Xw89W/i1HUp1Cs887Fj5Ex/fcPh+bbJ:oSbQfZhLwavMVp9W8Uu/qPE5I+99xxj
Score

10^/10

mystic redline smokeloader frant backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral16
- Target
  
  aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07
- Size
  
  1.2MB
- MD5
  
  f82666906b563093e7d9151ae07c8201
- SHA1
  
  f063119adddd1ebf6b9bc1034032e446195d936d
- SHA256
  
  aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07
- SHA512
  
  5ba83af323bf600485465ff2b23ea47b2c288f6a8d78353d7531d3c79589e24677a45b79c5278379c078c0add0dd81e44d7bb1250d9b1678ff1340dea3f06ded
- SSDEEP
  
  24576:Byu8LIM5kNQegrBPVd4y0P6i5cW0tgsaeA9QVL6E3KpZx:0u1M5km9rHd4vPtZla32H
Score

10^/10

mystic redline gigant infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85
- Size
  
  1.3MB
- MD5
  
  39f0a05d9cffc6b37a511894b059bc41
- SHA1
  
  3824f46d185556377f522fa71219a8cffd91e1a6
- SHA256
  
  b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85
- SHA512
  
  e636d7bd05c3dea755dbc513f16799cb8f4104d8650df8d887ae283d2ef2a0e23699b819f96abd70a58f5447b094f5a14e8456aa982cc01e96154231b280246c
- SSDEEP
  
  24576:qyiD/od1RQ2QJvKWMY8INJwYVCTA+oYueiVPvZ11+7ebeyBDZ+yk1gaacvyZAhxG:xiL2RQ2QJv7bJsFoLnVPU7weyzuambqo
Score

10^/10

mystic redline smokeloader magia backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral18
- Target
  
  cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc
- Size
  
  884KB
- MD5
  
  e00423dabbb359e5616c2bffbd3ed241
- SHA1
  
  75c0818bc02e99a46d4024010cdba5c25b96170f
- SHA256
  
  cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc
- SHA512
  
  a18483c1910f9e8137468ab7427eb424445071296c1a313ea646f96bca4c091b1365f08d61fed65f82b1459b1d90e2006f6250773b946e3369e6df5174067256
- SSDEEP
  
  24576:YyxczE3pCXXFoqw49z/s+YAhSTqUa+W2apq:fxcopCHFI49zkiUW2A
Score

10^/10

mystic redline gigant infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral19
- Target
  
  d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672
- Size
  
  937KB
- MD5
  
  9cb0d1e9df3d1720afc640d283626935
- SHA1
  
  96c1c2a73af255b93ad71afa9765ee4a39399062
- SHA256
  
  d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672
- SHA512
  
  b25dd4d624fcf6a244e27a23fb116718e16d6de76da01fabf4204261b3583841df037f1775d2d068f7836fa71e5bebedb834cc46cf4be3f8a6667c017efe5922
- SSDEEP
  
  24576:LyCaA28bWLsxVTbMV9/PI2flZUYwo9+KguBkflfO:+FxGQV9BfsuI
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  df0b96135e1607d766af3caf4942e58032580d533155a67061447124b2259851
- Size
  
  884KB
- MD5
  
  9da6ae0abd9c3a78664394854d47e298
- SHA1
  
  9e0aa5c1f54a56f31406ad10558fb9cb921dbcf6
- SHA256
  
  df0b96135e1607d766af3caf4942e58032580d533155a67061447124b2259851
- SHA512
  
  16e466a37d1b953bad31d04164a6ab3622cd29b2e2ec27a522bcf688aa706eda232a4952e1bcb328c4fc52ef089a7ec2b91663baa45e9d4253800e620658086c
- SSDEEP
  
  24576:byRu5r0YROgynnLwA5fIjaKPNQ3fF2VsIY4:OI5Q24nnEPpPcN2VS
Score

10^/10

mystic redline gigant infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral21

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

SmokeLoader

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Mystic

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application