General

  • Target

    r1.zip

  • Size

    17.7MB

  • Sample

    240523-w5qreabh3y

  • MD5

    3ba80db33a1158b759c80a5da56cd174

  • SHA1

    7623588003dbcf9243c9664f562fc139f8621dcf

  • SHA256

    75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

  • SHA512

    6f7be761def3ac0e248dc08d2510f80526e2dcb2eb4924da036a50fb2d3af4fe894d7c928e5b6b086e8dcefaa6b0270108159ad417a3a2837888c8530e612409

  • SSDEEP

    393216:dciNUS6skWgaI+C62OgGGfESZ/YBk45iotK0uxQGkfCyzxp2Uq4zDHo9KJvjr6:dWD0q6vysSlzcKfEBzxp2Uq4oEq

Malware Config

Extracted
  • Family: redline
  • Botnet: frant
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: kukish
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: gigant
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: lutyr
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: kendo
  • C2: 77.91.124.82:19071
  • Attributes
      auth_value: 5a22a881561d49941415902859b51f14

Extracted
  • Family: redline
  • Botnet: moner
  • C2: 77.91.124.82:19071
  • Attributes
      auth_value: a94cd9e01643e1945b296c28a2f28707

Targets

    • Target

      0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2

    • Size

      270KB

    • MD5

      7eeca2cbaccbd7eb357bfa4f623fbf97

    • SHA1

      67c43af2316b5b307922d952a0e48680b8270802

    • SHA256

      0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2

    • SHA512

      e986d779f9bc7de5c627e487ad3fa87921b2b404a25e2eec6cb85d2e7cac73660c354e0ebcb134a03fb809e8054f2f20538160343f53c315f620a8f5cbf5f401

    • SSDEEP

      3072:VJGkimM7usspGahWcy23rT1YCj2AFnKFCWWCMLfCpBJqs6uRtNeAg0FujCn8odDh:PapK3RlYo26KFCW8m3JqxAOO8+SVT

    • Target

      299663995567ce7e8d92c1a76f6910056efcce778fe83d664f85a3ca9b2e2059

    • Size

      417KB

    • MD5

      f5fe73580e6061b453e5e52c1b4d1fe2

    • SHA1

      e29ff7c20633ba5b052d7bc24e3c056783af2f77

    • SHA256

      299663995567ce7e8d92c1a76f6910056efcce778fe83d664f85a3ca9b2e2059

    • SHA512

      40e96b896ae52e76ce5ed33cb5f68548b2bef2232721eecb2a2becb6f1523dd786778fd5bf454ef51727a755cb5959f69548139232f4cecb84941a3edb319977

    • SSDEEP

      6144:Kry+bnr+8p0yN90QEM6uFCuzf8i/mEPtm+aiGEaC9c2fww:ZMroy90ejCuLl/mEVm1iVrTx

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2acc7bf3a0c9793fa35ddb267e569c575a7a142b0722a61a3c49c2e87e994477

    • Size

      947KB

    • MD5

      e05b77f28bbe24dd2444a611884b0122

    • SHA1

      7bd1124270c5e41e1ae2a31df6140196d57b929b

    • SHA256

      2acc7bf3a0c9793fa35ddb267e569c575a7a142b0722a61a3c49c2e87e994477

    • SHA512

      0253d333d18904eb2276b4e7408f85b4cdb1804dd1871a86d89749976cd747c4949fdf3938fd9d2faaf377c95475cd345a8c03b8c32234db5b468618dafef3f3

    • SSDEEP

      24576:vyMfK22g+/ZdlEnzrsdVEeAWaWYvGJwLJxD5yVoYtrh:6AKuodksvJAEYvVLvBEr

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7

    • Size

      1.2MB

    • MD5

      bdf7fc6e400c2bc8dafca00732a7b259

    • SHA1

      75ba29a05598998dca24bb52c7d311a6fe219c48

    • SHA256

      526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7

    • SHA512

      e13ce7b519e6da87493183e2699f38e5171359e8a824074e6d6e92ba1ad9d29b87db2ece73a79156168741e681728122bef2f666fc274deaf5c5306c41b476d0

    • SSDEEP

      24576:7yWodOfzIjZJXcoF7shLxvqA1UcHD7qHINivyoma19je:uWvIZdrF7s1xvqKHD7qHIIvyDa19

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243

    • Size

      1.2MB

    • MD5

      cd940c2af93b4093f92294507d63a84b

    • SHA1

      829dbf34628ba466b4a3e47a892cfda952854fca

    • SHA256

      537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243

    • SHA512

      d63b8ca3cd579dce5071950fb767654c9d5b167ca33986f946d992cabae02a6f01e1f6f5b1630d09cc4658927fa1bcae0799da649061e487f1fd0b2e3d764889

    • SSDEEP

      24576:Gyqfq8S2gU9bBeRIEp1rkOWidPnEA+jO406CSVlOjo0pvn1ByeUU:V0jS9wBeRTOOPnEA+jOj66jokU

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61

    • Size

      1.3MB

    • MD5

      b15dc7860f40ea21d727ada21c858d78

    • SHA1

      10bfa760f1a369aaaad29f09084d4c5a2ecd7c61

    • SHA256

      63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61

    • SHA512

      07b4a692a2db2e34c2ca0366e68a495021b4d7c799ebb49fae3f671e97d516f3e14edeb7a130a58bf4e4e3f73a2f4ecc379d2b498f762b20d173ee6b7de15ed8

    • SSDEEP

      24576:Qy/hJhEvVPVCZ7m0CWm+hYWrvqfip2d69GPWFh31usKvGV:XfSVO7dyiYWbqfpVWssK+

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6ba7aab10ca9c6b1705b9de79a2e324a956c2ef5b8210ba6a6fff04274d5a4ba

    • Size

      760KB

    • MD5

      611d7feaeb5914a5e51cbcfb67f0736a

    • SHA1

      f8fbc7b3d0924083169fb7669df028c618e5fe21

    • SHA256

      6ba7aab10ca9c6b1705b9de79a2e324a956c2ef5b8210ba6a6fff04274d5a4ba

    • SHA512

      bbe10e8e6f5a565b3bba76833a91f25651a1a2e823383ca4634225d99a27907a6c98a680ff0772b88bc0524e51fc881452826d675eef509995ce9e0431248f5c

    • SSDEEP

      12288:lMrGy90sxN59718Z6IsiQp3FauvvFV/1nDjbFfL9i1RxZComUNiuUWgB2KG8va3f:zyd97Syp3Fr9l1nbVL9sxZCoLiua2KF6

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6be7b83314dc014eebc2d7cc17ce0021ea7d66e03bf91c49ddd8050fdb95b478

    • Size

      421KB

    • MD5

      a724995af13018d9a70245cec8f7678c

    • SHA1

      0a6821ee014bbc65ba0d5d93a0f9bfc27a59b8a7

    • SHA256

      6be7b83314dc014eebc2d7cc17ce0021ea7d66e03bf91c49ddd8050fdb95b478

    • SHA512

      ab2e981992379507a8c9ad0e1863022df69199815ee0637a794009487529baaa937f2f20538a8311662f18a45f4bb0d1d9838addca80925aa5693df89c9c9d90

    • SSDEEP

      12288:XMrJy90h+08qFUvuohyGkUvWZ32N5spIb8lEQi:yyj08qF3oa2NPb8+F

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2

    • Size

      1.8MB

    • MD5

      ae40dabebed6d3bb557de110ec0c6c54

    • SHA1

      d67d82f55b82f90fe157f17f7978697376aa2934

    • SHA256

      8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2

    • SHA512

      77a03e86e2235d01319d484c271cad80cae6028d27af25c2158e22c93c23692a8456bad7ef20dd8e1d65f5c77314ab24c3d378a68c618692f96f8c5509ee13c7

    • SSDEEP

      49152:9tH2hfpwhXRnvMM3eWH07UnnhnXn3kDQ:725pS9t9Ki0c

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be

    • Size

      1.1MB

    • MD5

      689af04893939e7333c5ab54564327ac

    • SHA1

      b5a3cb2db8caf56327c79b1378e69a8ee8ddc764

    • SHA256

      98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be

    • SHA512

      5220957905fbe451ab40d31194e1515fc814fec6fe4284d77085dc1ba14285124d3bb37554f104db87d076341a07d84d2fd68938a5c042adf18c87f0e570e04f

    • SSDEEP

      24576:Dy9FhmM9/epbOxTHMVL6Ehz/XKGts/RYUPVTtSMoxICJ626P0mW9P:W9fmM92pbYsVLnDK/qUV8Moc0

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      a03054b15e4fddd11bf2396780295da4431da23bddbec73b70a011da6d19a8e0

    • Size

      1.8MB

    • MD5

      f9690a36ed94deca8bf89850e3b11e42

    • SHA1

      1c3fb3887497b5ae9e209f81e67b7d094e77a0a7

    • SHA256

      a03054b15e4fddd11bf2396780295da4431da23bddbec73b70a011da6d19a8e0

    • SHA512

      720c0d7c4680551cb4ab1fc0bf16e3d20a4e6af6747db7d20d76af55591e70da37fdb2ae761be258f7cfb0e1665c1d50de88d6edb09bf1b031697c321324afb5

    • SSDEEP

      49152:+yXE6GXtxv57edxn+xA5kntPaqP5livt8I7:9U6YxvMdl3iFW

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844

    • Size

      824KB

    • MD5

      f8896aa09cbf341133389cb3879cda71

    • SHA1

      76046da72c2c2e920522051abb913a34e6bc3247

    • SHA256

      a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844

    • SHA512

      348b33b83cf63f3bc543a00f58be4311e08aec4fb743ff49275e86bea02471538fc99f88663fd3907076ef3f874b20928af47eefd30a679e842c7794b0c7ce44

    • SSDEEP

      12288:PMrny90Y58rHbQA4c/v7AaEzqIf9bOufRtL5V2dxWHH3jvzIOS7i4lpvuNxmrRFI:8y2rHM4ALEufjixKTvzXS7ispXFFXY

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904

    • Size

      936KB

    • MD5

      4440531ebafc2168c09d9f1564b9d79c

    • SHA1

      63178757582dec4f3f7587693c46d8fefa6c3ad9

    • SHA256

      b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904

    • SHA512

      226e5a33ebe5aa1cd9a1dc3c2575e9413620591298d53cc5d7c8ceaefd8d81d494b8efe18d5f0b0c5f06f18d17a27f7130305224bea7922b476ff15576de7bad

    • SSDEEP

      24576:jyapEYWP1adbcE7bMKOp64nxuY9JRKsSFfAZDZqS:2aBVdbF7bMKo3nx1bRKnON

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      bc3d05e882eb83b7ad915dd2d33d3be8e73bb42e53f26b9662f99e79511e361f

    • Size

      815KB

    • MD5

      5f588bc47b5093eaa5d3a9c0644b0fa6

    • SHA1

      45386aff33a4247f8d51572f604b93a7c42ee96f

    • SHA256

      bc3d05e882eb83b7ad915dd2d33d3be8e73bb42e53f26b9662f99e79511e361f

    • SHA512

      6d0383da806a084f87f436ef1413c4d51f53c036c3b2fa06513f398ab8328793c910b775854fc6b512f6b33add8abc57660bf9612954420dc393c70661533ece

    • SSDEEP

      24576:syeR6ovnaM19/cDqmCcYge61HxqCSKcORi:beR3rmIAHxkKcOR

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c423201e3826daee29004ed5dcf47d914f79b9e35aabb7cda630e407b4d2888d

    • Size

      1.1MB

    • MD5

      18446e1501e63e0019b372fc4029f123

    • SHA1

      c9d615ecc9559924632f68869510166c921dc59f

    • SHA256

      c423201e3826daee29004ed5dcf47d914f79b9e35aabb7cda630e407b4d2888d

    • SHA512

      05d3f76c722a465e23ecf0961021767a41e7abc2f1b1f13be75300b095521e2eb58e2159311403753429349176d6821e67dc5c8fa46486db71252dc9d30d81e9

    • SSDEEP

      24576:pyMC4dJevkZml2/xU1WPWz6MuFZeVYOQrekxPuLuQGZyA3aM:cMCiJeMR/xU1WPe52sfkxPuLu/ZyAq

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c5e42a3a502b792f98bf1c2a5548dcfe3d99699a1ebd3b1dbbc5eebb02e0e13e

    • Size

      749KB

    • MD5

      a488dc8386a267e2acce14f3d1555b2b

    • SHA1

      c430f860139a9789dce9e649372373c5404f384f

    • SHA256

      c5e42a3a502b792f98bf1c2a5548dcfe3d99699a1ebd3b1dbbc5eebb02e0e13e

    • SHA512

      b8f58f66d108d2891a070bf3fb2062f260626fb38f65cd9cc729c176e3e2e0b39eef01567bf5f8ab1066b26d7ddcb11a080cfc35222e9a8f97a1fca62bcb35be

    • SSDEEP

      12288:yMrCy90ULBNqxe1t61hnIXvVoEpvX3KNzpdty6t0b1f3OAm/NyvLdOkaAl2TH:AyZOY1t6PnO5p/a7jJM1+1/NyT8kqH

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2

    • Size

      1.2MB

    • MD5

      1052f8a9850ff2cdb3305c4693fb3bc2

    • SHA1

      32363959f3f2db69aa1311d268affce5f7e5a130

    • SHA256

      cfb43a8521b91093cc4c585e28556ea093351fade2937e840921fbc278f763b2

    • SHA512

      1f65110317fc5bea56d95df856de912aae3cbeea853d62fcbf0487d47de212fb95740d6400088177bd1a313932df06460547a68910b2d62d4362cb6d895908b7

    • SSDEEP

      24576:Py8i+Ca4HSc3QJthXZ+8LKwtWPoq+aNQO418UgpMc/eSpQ:a8i+CmuqhJswvq7OO4WUa/eSp

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49

    • Size

      841KB

    • MD5

      f025917edad34f0971f4b62b76003de9

    • SHA1

      35449daa9b1d2b0ba53897b43dd9f40a0ea782fd

    • SHA256

      e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49

    • SHA512

      31e4b993c86c3e913da3049110ee66570b238b53223dccbf7b64587fd8c19a56490d410640d721dc71f9df7ce5f0ff3ed755783cdd2670148a7b5984d99f8225

    • SSDEEP

      24576:JyRTYigN40cVYvpnc9gqPts8M/afOFONn:8RU3vcVSRcf1s8mafOFU

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e8168dd5edaf1e8b049e5f5e7c1241a1e9e3c746375080bfc3d7dabb994bc847

    • Size

      472KB

    • MD5

      200604b5e079ef62ee499596045e855c

    • SHA1

      61571e9ae4ac5af5f38f80da06a4071cf2c4bf22

    • SHA256

      e8168dd5edaf1e8b049e5f5e7c1241a1e9e3c746375080bfc3d7dabb994bc847

    • SHA512

      70aea25b97004fc0b531251992939d62b804936efb005c0c574add40d7a17e0b5c0228bd48e5c3b1d5d66be96c6fa39f58f2f3729321c5abfee231b654fbf2d0

    • SSDEEP

      12288:3Mrby90DkrKaSYbxfqaqAr6/A0IoKX6pPl1Z2SqUiP:syG2Swx3q/A0Io66L18SoP

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f674a21edded6b58ee18fe72f4241798a2dc4a04eebb177a73f1ddde8cde4f53

    • Size

      605KB

    • MD5

      9a6e6c325ec6dd023c76243100c08bde

    • SHA1

      ad3a4a56867514408546b8f0322b96dbc7288d8d

    • SHA256

      f674a21edded6b58ee18fe72f4241798a2dc4a04eebb177a73f1ddde8cde4f53

    • SHA512

      9a9711f2d290ea6b1ff8e7f3cc5c11a0be87c6a09ff1b608a9093febc35da58ae5fb6cb3a8e59fefbdd151305504af17d362cda27c517db2d1115c755ba8a179

    • SSDEEP

      12288:RMrUy90aIl2VtsnMvNDP2LftanwopFV8OL53AHHBh/bCf:ByvVdvxP2LY/r9iBs

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            ID         Count
Persistence           Boot or Logon Autostart Execution    T1547      19
Persistence           Registry Run Keys / Startup Folder   T1547.001  19
Persistence           Create or Modify System Process      T1543      4
Persistence           Windows Service                      T1543.003  4
Privilege Escalation  Boot or Logon Autostart Execution    T1547      19
Privilege Escalation  Registry Run Keys / Startup Folder   T1547.001  19
Privilege Escalation  Create or Modify System Process      T1543      4
Privilege Escalation  Windows Service                      T1543.003  4
Defense Evasion       Modify Registry                      T1112      23
Defense Evasion       Impair Defenses                      T1562      4
Defense Evasion       Disable or Modify Tools              T1562.001  4
Discovery             Query Registry                       T1012      6
Discovery             Peripheral Device Discovery          T1120      4
Discovery             System Information Discovery         T1082      8

Tasks

Task          Score   Tags
static1       3/10
behavioral1   10/10   smokeloader, backdoor, trojan
behavioral2   10/10   smokeloader, backdoor, trojan
behavioral3   10/10   mystic, redline, gigant, infostealer, persistence, stealer
behavioral4   10/10   mystic, redline, kukish, infostealer, persistence, stealer
behavioral5   10/10   mystic, redline, gigant, infostealer, persistence, stealer
behavioral6   10/10   mystic, redline, lutyr, infostealer, persistence, stealer
behavioral7   10/10   mystic, redline, lutyr, infostealer, persistence, stealer
behavioral8   10/10   mystic, evasion, persistence, stealer, trojan
behavioral9   10/10   mystic, persistence, stealer
behavioral10  10/10   mystic, redline, smokeloader, frant, backdoor, evasion, infostealer, persistence, stealer, trojan
behavioral11  10/10   mystic, redline, kukish, infostealer, persistence, stealer
behavioral12  10/10   mystic, redline, smokeloader, frant, backdoor, evasion, infostealer, persistence, stealer, trojan
behavioral13  10/10   mystic, redline, gigant, infostealer, persistence, stealer
behavioral14  10/10   mystic, redline, lutyr, infostealer, persistence, stealer
behavioral15  10/10   mystic, redline, kukish, infostealer, persistence, stealer
behavioral16  10/10   mystic, redline, lutyr, infostealer, persistence, stealer
behavioral17  10/10   mystic, smokeloader, backdoor, persistence, stealer, trojan
behavioral18  10/10   mystic, redline, gigant, infostealer, persistence, stealer
behavioral19  10/10   mystic, redline, kendo, infostealer, persistence, stealer
behavioral20  10/10   healer, redline, moner, dropper, evasion, infostealer, persistence, trojan
behavioral21  10/10   mystic, redline, kukish, infostealer, persistence, stealer