General

  • Target

    r.zip

  • Size

    16.3MB

  • Sample

    240523-xfdafscd32

  • MD5

    3923b2d905a45591d86b88ab2fd1c419

  • SHA1

    d01b07a9ce1a7cb770b68c3e5d911829d4f4038f

  • SHA256

    2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

  • SHA512

    034d3802e8935edc47bad1a24c72e2910a43deeed6e674b0e16184c8ae6371f52fda7ab983172d5b0798d65f71c970ca23a98611cf40be3c69ef68ea297389fa

  • SSDEEP

    393216:y9sh9aWO/tHuBMMwby+xpsjAfMHgKj0gpl/QT8:FaLH2AVavgKAgpOI

Malware Config

Extracted
  • Family: redline
  • Botnet: gigant
  • C2: 77.91.124.55:19071

Extracted
  • Family: mystic
  • C2: http://5.42.92.211/

Extracted
  • Family: redline
  • Botnet: moner
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: a94cd9e01643e1945b296c28a2f28707

Extracted
  • Family: redline
  • Botnet: breha
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: kukish
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: lutyr
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: kendo
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: 5a22a881561d49941415902859b51f14

Extracted
  • Family: redline
  • Botnet: horda
  • C2: 194.49.94.152:19053

Extracted
  • Family: risepro
  • C2: 194.49.94.152

Extracted
  • Family: redline
  • Botnet: buben
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: c62fa04aa45f5b78f62d2c21fcbefdec

Extracted
  • Family: redline
  • Botnet: trush
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: c13814867cde8193679cd0cad2d774be

Extracted
  • Family: amadey
  • Version: 3.89
  • Botnet: fb0fb8
  • C2: http://77.91.68.52
  • Attributes
    • install_dir: fefffe8cea
    • install_file: explonde.exe
    • strings_key: 916aae73606d7a9e02a1d3b47c199688
    • url_paths: /mac/index.php
    • rc4.plain

Extracted
  • Family: amadey
  • Version: 3.89
  • Botnet: daf753
  • C2: http://77.91.68.78
  • Attributes
    • install_dir: cb378487cf
    • install_file: legota.exe
    • strings_key: f3785cbeef2013b6724eed349fd316ba
    • url_paths: /help/index.php
    • rc4.plain

Targets

    • Target

      02fdf4c9103ebcca7b26adc9161a504fa42c4a825a66d1c39221891576c0f866

    • Size

      621KB

    • MD5

      13e38b18c06a3fcc3874d012f5a3b536

    • SHA1

      ce561e2299934e318dedbd976168f2f14dc0dfaf

    • SHA256

      02fdf4c9103ebcca7b26adc9161a504fa42c4a825a66d1c39221891576c0f866

    • SHA512

      018f08258dd87e176848a7edbbdeeb17468010a996f3f72b8845ff2604b136e40f89b1af28074e7076e9ba3960eaec40d4d7865dfd2f3c6e300b9ee8da569683

    • SSDEEP

      12288:jMrMy90Ek8gapGMsd3dp9vSEF6v3wGrcc6ZgdlTvVfo2fREdCaGl:HyQ8gaY33j9v76v3wGrr6ZgdlTBFREYL

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0be251d0ab9bbcdf4e410ed6872fcb32d854da896cf79b561b30639bf6d7c48e

    • Size

      935KB

    • MD5

      fc5940b5bd6b4fab5e3454a71c6be1ff

    • SHA1

      9f4ecc6a4e02b092f896cb9d4d21031536f3c39b

    • SHA256

      0be251d0ab9bbcdf4e410ed6872fcb32d854da896cf79b561b30639bf6d7c48e

    • SHA512

      0fd0fc1d6b3bb99c8daf0b06722c2a88ccc8f0a5148a9a28c51360d9742690bfcb0d4aee8ffccc84ac215c49d01dc4755cdfe4b18d4b0afeb246ddfe8527db14

    • SSDEEP

      24576:ry2DzeJC89uopYQf19Xes/5QpBoY5oPklbI88VoD:eezeD9gQf19OdnLyM58Vo

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6

    • Size

      1.1MB

    • MD5

      2a74ce12c8d822381814224ce2b98683

    • SHA1

      fe50b6161b186009ac4100c7ffe379232b9acaf0

    • SHA256

      0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6

    • SHA512

      7164861ef179a1620cd9bd1af7d4c3f821a3280096cd9108e6a82122b815bfb9fa8afb6a346169ac0a7753a3e13774911412fb563fb72a31115d5b14f09279ef

    • SSDEEP

      24576:py4KlhYs5R31A1Zj2bBOJ5xfTj7OxvbTaLe:c4KTL7BOJrfTYqL

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      16688c383c392aa6325c78d89165cf92d6a9aa6243e19fe6c19d73fb522546d0

    • Size

      1.4MB

    • MD5

      c2b04fbeb2611c15bdb5a55b47bb6675

    • SHA1

      2c21a5848c237d1fd171cd788e5c4a0bf9b990fc

    • SHA256

      16688c383c392aa6325c78d89165cf92d6a9aa6243e19fe6c19d73fb522546d0

    • SHA512

      1769369ad7a8d445ba23da9c1aadb065101bca1656329eb454f64414eab873be895df470fd571e8777fc5836a3e4cc82a0e7798f85321efe8de2a003243d1e26

    • SSDEEP

      24576:XyJ+jSTeTLVcPbco+tQAx69bZfkYzP89dkQHnCAys50R8IH:iJ+jSTeTL+PbUnExU3CAsR8

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73

    • Size

      292KB

    • MD5

      5c17238da1a32ccf60825ade1dca7b70

    • SHA1

      6d3d94d248c47c5251d4bbbe600776740d926756

    • SHA256

      2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73

    • SHA512

      97425dd74aa55060d41ec35f7813e953ff1ef76ba7d6b40c17b830600dec8a4482d8618ac4b83e59c88d5b167469bfd345237707491e60908ee07d1f296b84f3

    • SSDEEP

      6144:Kny+bnr+hp0yN90QECOurNn/ayrVD193aSZfshS8S2UvycIGxm:FMr9y90lit5R5xFpwSPRXm

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      2fe920abb67663cc154599076d351357cc5282ac2505d5c20990fb89b97853a6

    • Size

      1.5MB

    • MD5

      41edeb489baea415a780803dfe63165b

    • SHA1

      2d4d4cb00da4aff3ef3b4b00fb5c5b585d2df4a5

    • SHA256

      2fe920abb67663cc154599076d351357cc5282ac2505d5c20990fb89b97853a6

    • SHA512

      16aad9fb0dd5efaf08346eabe0ae11794d5184f90ac1ec3f36dc04cbc4b9085c270af18252e705b0163a497f324f7bd4e385a0003e1332ecb1bd5bc1a8fc3521

    • SSDEEP

      24576:NyajdLjh/NgA81iQlupQg1n/yE3SkfrkOd5b5hN5x7ilPGOzI8EQr43p+3Na01W:o5NEOg1KEnzk+hNOlPGOzo243Z8

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c

    • Size

      1.1MB

    • MD5

      9cede695194136214f017abf6997be1e

    • SHA1

      3b1183591e0f83e40c3bc596746bf0ad3ff4ca7c

    • SHA256

      48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c

    • SHA512

      b175768e20b2cd0413e5282ec7de926d63c122b2de2171c1ef6291d0afee20aced35844a6006b69b9f340a72ee3695f9f5e31d4eb0d8b7a3e12dc7aa8de3a162

    • SSDEEP

      24576:nytbOhoQ0HLS6oFFhFED50aHYNWJpo66YRZR3CkwqOYvTdKQi:ytbB93khSl0EWCbR/wqOSB

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4

    • Size

      1.0MB

    • MD5

      f2206ecbd7925d4420beb0cdb8223844

    • SHA1

      1b90e925b97d351300ab32717d48dc2827bff943

    • SHA256

      4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4

    • SHA512

      cdc69caa57a79819d79f19eacfb0bbbc6127ae138e6c9fc3cd18206f75d9dab29b7a4b75379e278c2b9f3436d28feee843bf485d1226e7f74751808fb24af068

    • SSDEEP

      24576:DyjJGg0XCjghLfa3DGYtq9QB9xNXooGF:Wjgg0yjghTaz1TX

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44

    • Size

      509KB

    • MD5

      86209bb7bbbb6e6443b3cc605d1a600d

    • SHA1

      bf9e70b3c3ee37060351788834fd1d0f03821003

    • SHA256

      52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44

    • SHA512

      a353a2230aa9843739136d82b31af7dc4d4d3a16724e191db7141c05ab4007ff3bbb5892f13e0a13fecfd303f961123aa0574160b91d8ec6aebe5d6558c7ad75

    • SSDEEP

      12288:5Mryy90jmtyrg1j6tr0lYNXHq0HXdyCZMU0QMR9:nyvyrhkYVK0H4is

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a

    • Size

      1.2MB

    • MD5

      c67e62ad4b7137f920527c3694dbfc00

    • SHA1

      8603e8d58c50d129ae643d421cb0281c2e855200

    • SHA256

      695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a

    • SHA512

      b6bbe524bd04578cb83db4ca5947876a7d80e6eb2951eb336416a7dde6a251bcc8d4897fed4778ef19b218ffed7e0ee47c84549ffcce943394ddcfd1e3dc4f40

    • SSDEEP

      24576:6yO0OwQUN5eeYDLKt+6roiPIc/lv6q/qxU8L:BCU+eYDLEZoktyoqxU

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922

    • Size

      272KB

    • MD5

      ce888d3e95fd72b44ba9755a7b5f3070

    • SHA1

      acfac50f32c643900534a35b95e5324a79a6f24c

    • SHA256

      87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922

    • SHA512

      4d7b3b5acb8d2de6ddfc8ab6e2e0ffbac86fd2cbdf55ca001390a073d4fa878d4886c636021b8c4276377137113f31b609fa8afcbbf9cc55bb3d7f5856e37487

    • SSDEEP

      6144:KRy+bnr+ep0yN90QEsdTwoe7P0PF+BR4OFYECMUyYhv+OJAa:nMr6y90mw9L0iR4xnTvFV

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9e061347f64310d6e4bee03e70c36999f9e81fbcbba43f870f821e4fff10c686

    • Size

      472KB

    • MD5

      9356a23c1646ba20d0c9835c21cdbe9a

    • SHA1

      ec98fa4e32404b377df2b2602d386cd057265c0c

    • SHA256

      9e061347f64310d6e4bee03e70c36999f9e81fbcbba43f870f821e4fff10c686

    • SHA512

      8b4e5529ab5706631e49cb7d300954ac68c08b7529e2a607f541a1b9d8a2c5e69636ab96be88503cb966d24f5b0a2311a000c22c899f28f17f5c5120e529009d

    • SSDEEP

      12288:SMrny90yzEsfm9kzqGttN+E62pnVoa60+4k:ty/EAx3o6Vg

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4

    • Size

      742KB

    • MD5

      f9a8fb0e8bc08416a56f6abadce7c209

    • SHA1

      237564839550770c1347c3cf62997b953bc438b1

    • SHA256

      9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4

    • SHA512

      d11b6686e901c38c886a140d598cb2037b9c9eb8db8960dba0b17e77255bdcdbae141ba2b9f8c04abea07bc30bae3a776caa82d4e970c7587af5eaced6ea9d75

    • SSDEEP

      12288:GMrwy90oeqm9YLhnjzaA/ZFqIk1WnL1ZGfgXPan44vrYuJvNUuC:OyLex6LhjzaOp5nL1ZQgA9TVvOP

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a68d0534deb0e389e03aa786911c769caba8ce5acc03a27e3cfadf2a704811a7

    • Size

      382KB

    • MD5

      9e5ad5eeb4977f30c2e8f627ba872e8b

    • SHA1

      aa80020c366200674cf0d1e7fb5c6bedabd4b4f6

    • SHA256

      a68d0534deb0e389e03aa786911c769caba8ce5acc03a27e3cfadf2a704811a7

    • SHA512

      d63fcff0e2745681fe01bb7a426828bfb6483135f7119582c36cc8a3279e9d8a7cd91c9c4e337624269d84a24d15dbbfc8dea2841af51c080bc36d8003abd41c

    • SSDEEP

      6144:KPy+bnr+Xp0yN90QEZgrMOM84oh7731r8xTughvpXMWDRS4h3J9lXXn1Sd:hMr3y90fE9xB7314rvpXhRd33tXn1C

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3

    • Size

      515KB

    • MD5

      03c0ed2484604444eec5a18b64754ecc

    • SHA1

      fe077f4b71c43f05a140b2ab762a7b9cb792a0b7

    • SHA256

      b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3

    • SHA512

      a64b5d4c1787131783c36c2560356341772205cb94d3231bb9c2db21efa26f311a0df36bcfa235d4d34ef0ed7d097c84cad96dd0ef50046acb50ddb7639bc4fd

    • SSDEEP

      12288:eMrty90z99rJnLWr2DEI2EEITEpSz45sFPXtPKe:TyS9WeECdTEIzpZXpn

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      cf449b541feb04da499c8d4ae8b93d871fe5c6772403b253da370ea358d20b5e

    • Size

      920KB

    • MD5

      0c6b96a4d0f47a8decf22abca83388ae

    • SHA1

      bde728459843f820a93c841541c58c9e362ddc78

    • SHA256

      cf449b541feb04da499c8d4ae8b93d871fe5c6772403b253da370ea358d20b5e

    • SHA512

      a9844bda6c240857fee414462d681e7efe0707bc7315f5a2a85d75602a73ea3475aca859bf339d140f2c677cd22289c4b80f15d3fbfcae1a76cb16d72c03da9f

    • SSDEEP

      24576:3yTHh/JLWnFYKqf8YKictPcTznSx4vMMN1WNkjz7YB:CPKMyHYp1HWWXY

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d8a34be272e0dbfba0df5744bafa235f27121e065c13cb3620946ea7d15898bd

    • Size

      1.5MB

    • MD5

      55ac574c4ef4dd9994d3b6a8bb90bf76

    • SHA1

      9bb6565183842674814a031ffa9627529e019adc

    • SHA256

      d8a34be272e0dbfba0df5744bafa235f27121e065c13cb3620946ea7d15898bd

    • SHA512

      7c61ebf6636369cf1c83a7b0371b578fb999a2c788fc209c4d3ce17b02d46903e8f6603533cf72b8a6693314789d44cb71f7842ff92715b20229780303a6e7bd

    • SSDEEP

      24576:vyoG2YgyWn5lp099Hq3qg+GKU3nArBUNZYoo4i/xwt8HxZiCMZPunxwwHphLeVxh:6odn5k/+qg+TmnDbVt8Hjquxvppeb

    • Score

      7/10

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      e3038588509eb9920f189d128da3a43d650c5a72fc8ad856641f6777809f702c

    • Size

      1.2MB

    • MD5

      12dc952ccbe66cc596b8fb68fd32209b

    • SHA1

      2e170a590fb586d5b1ac04ee0539fa83b4f28bf2

    • SHA256

      e3038588509eb9920f189d128da3a43d650c5a72fc8ad856641f6777809f702c

    • SHA512

      213f0ce7763330641a9725eccc10c0e2ffb8d16b40458bc92cda66548d83d4ab1f082ca2699c84f1fd89fafaa10c836cb493e8422d960cab67e63aa032f43d48

    • SSDEEP

      24576:PyxzHQw/Ut0++rFH644Fmb9gezT5b196DL11O:a/+w5WO9Lzha

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099

    • Size

      939KB

    • MD5

      65622bef79ddda9ce698926571ce25b1

    • SHA1

      0b3e1903f85a04dc99e682a838f967878963e52e

    • SHA256

      feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099

    • SHA512

      a80b1a00117b003b3cf936e74f6b3502f5de4427761fd77576462388f9bb1173aeefe5344930284986b281c8d0ebced52da77108bfc41eeb7952aa79da17629f

    • SSDEEP

      24576:jyIFsdExiJhBjUW6BsYe5HwA3O6Nf8sZ9X4u8:2geEEUjSYqHw8PNf8s1

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ff0593e795d855d33fe8872b94c0354d60cb3bf24a1af92da6667c6aec50325f

    • Size

      639KB

    • MD5

      9d31279f82e915bb190816b5c928c78f

    • SHA1

      7302252f683762dae1617e51e4638dd8b9996c01

    • SHA256

      ff0593e795d855d33fe8872b94c0354d60cb3bf24a1af92da6667c6aec50325f

    • SHA512

      2d0c7f64b280ddc0b6855a8390627789aeb642b4d46d4bc59344f2faf41e46d2467ee919ab08d5fd6ed843cbb0a6e11e094eff8ab2867708dfbf60faf703236b

    • SSDEEP

      12288:0Mrty90JX064XJVHTZDXdLBxRNtpejPFXlcduf6Zt+hPq7E2f:5y+bwR/HHejF/f6UAE2f

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Scheduled Task/Job (T1053): 3

Persistence
  • Boot or Logon Autostart Execution (T1547): 20
  • Registry Run Keys / Startup Folder (T1547.001): 20
  • Scheduled Task/Job (T1053): 3
  • Create or Modify System Process (T1543): 4
  • Windows Service (T1543.003): 4

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 20
  • Registry Run Keys / Startup Folder (T1547.001): 20
  • Scheduled Task/Job (T1053): 3
  • Create or Modify System Process (T1543): 4
  • Windows Service (T1543.003): 4

Defense Evasion
  • Modify Registry (T1112): 25
  • Impair Defenses (T1562): 5
  • Disable or Modify Tools (T1562.001): 5

Discovery
  • System Information Discovery (T1082): 8
  • Query Registry (T1012): 5
  • Peripheral Device Discovery (T1120): 3

Tasks

static1
  • Score: 3/10

behavioral1
  • Tags: mystic, persistence, stealer
  • Score: 10/10

behavioral2
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10

behavioral3
  • Tags: mystic, redline, kukish, infostealer, persistence, stealer
  • Score: 10/10

behavioral4
  • Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
  • Score: 10/10

behavioral5
  • Tags: redline, buben, infostealer, persistence
  • Score: 10/10

behavioral6
  • Tags: privateloader, redline, risepro, smokeloader, horda, backdoor, paypal, infostealer, loader, persistence, phishing, stealer, trojan
  • Score: 10/10

behavioral7
  • Tags: amadey, healer, mystic, redline, daf753, fb0fb8, trush, dropper, evasion, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral8
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10

behavioral9
  • Tags: mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  • Score: 10/10

behavioral10
  • Tags: mystic, redline, gigant, infostealer, persistence, stealer
  • Score: 10/10

behavioral11
  • Tags: mystic, redline, moner, infostealer, persistence, stealer
  • Score: 10/10

behavioral12
  • Tags: healer, redline, moner, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral13
  • Tags: mystic, redline, smokeloader, breha, backdoor, evasion, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral14
  • Tags: mystic, redline, kukish, infostealer, persistence, stealer
  • Score: 10/10

behavioral15
  • Tags: mystic, redline, kukish, infostealer, persistence, stealer
  • Score: 10/10

behavioral16
  • Tags: mystic, redline, kukish, infostealer, persistence, stealer
  • Score: 10/10

behavioral17
  • Tags: persistence
  • Score: 7/10

behavioral18
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10

behavioral19
  • Tags: mystic, redline, kendo, infostealer, persistence, stealer
  • Score: 10/10

behavioral20
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10