General

  • Target

    r.zip

  • Size

    13.6MB

  • Sample

    240523-xqjvzscg35

  • MD5

    9d8a84cd06ba654c3d37b351c81c1a54

  • SHA1

    5ba3353eeb0ffa9d02e6b5f6737faf2f26fe5ee4

  • SHA256

    ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

  • SHA512

    46f664ef01c46c8b6f0ea76678b973d9828698134e45d6b04be4ee1bd775ec5215e93a027b9238f322139f5d84b2a764a273afda4bb57419bf5dd0dbdaec1a00

  • SSDEEP

    393216:z2vPAfxL8siN2CE9Jg9G/WUxLuXv7onyMY6:6vmxsN2CEsEWjmyMY6

Malware Config

Extracted
  Family: redline
  Botnet: lutyr
  C2: 77.91.124.55:19071

Extracted
  Family: redline
  Botnet: moner
  C2: 77.91.124.82:19071
  Attributes
    • auth_value: a94cd9e01643e1945b296c28a2f28707

Extracted
  Family: redline
  Botnet: ramon
  C2: 77.91.124.82:19071
  Attributes
    • auth_value: 3197576965d9513f115338c233015b40

Extracted
  Family: redline
  Botnet: kukish
  C2: 77.91.124.55:19071

Extracted
  Family: redline
  Botnet: trush
  C2: 77.91.124.82:19071
  Attributes
    • auth_value: c13814867cde8193679cd0cad2d774be

Extracted
  Family: amadey
  Version: 3.89
  Botnet: fb0fb8
  C2: http://77.91.68.52
  Attributes
    • install_dir: fefffe8cea
    • install_file: explonde.exe
    • strings_key: 916aae73606d7a9e02a1d3b47c199688
    • url_paths: /mac/index.php
    • rc4.plain

Extracted
  Family: amadey
  Version: 3.89
  Botnet: daf753
  C2: http://77.91.68.78
  Attributes
    • install_dir: cb378487cf
    • install_file: legota.exe
    • strings_key: f3785cbeef2013b6724eed349fd316ba
    • url_paths: /help/index.php
    • rc4.plain

Extracted
  Family: redline
  Botnet: magia
  C2: 77.91.124.55:19071

Extracted
  Family: redline
  Botnet: buben
  C2: 77.91.124.82:19071
  Attributes
    • auth_value: c62fa04aa45f5b78f62d2c21fcbefdec

Extracted
  Family: risepro
  C2: 193.233.132.51

Extracted
  Family: redline
  Botnet: taiga
  C2: 5.42.92.51:19057

Extracted
  Family: smokeloader
  Version: 2022
  C2: http://77.91.68.29/fks/
  Attributes
    • rc4.i32
    • rc4.i32

Extracted
  Family: redline
  Botnet: plost
  C2: 77.91.124.86:19084

Extracted
  Family: amadey
  Version: 3.89
  Botnet: 04d170
  C2: http://77.91.124.1
  Attributes
    • install_dir: fefffe8cea
    • install_file: explothe.exe
    • strings_key: 36a96139c1118a354edf72b1080d4b2f
    • url_paths: /theme/index.php
    • rc4.plain

Targets

    • Target

      0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b

    • Size

      1.3MB

    • MD5

      9f8904e90d15b821ffc35d9795dc6946

    • SHA1

      6759026a0967a377c9a3001a534d2deb09985334

    • SHA256

      0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b

    • SHA512

      8ae810835229d81e7a31bb3ae802c4360af9f910fe735d71ca770399e840fcd59ff3a5c184c7b7d5232a8375ab815b820317d2cbad993127409ac04c6503367d

    • SSDEEP

      24576:6yk5vFfu8pOEPcqhEdVpbkxeEAFoNrOjs2UFWBLM/k/UI:BuvO4hYpEAFo1P2lxpU

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31

    • Size

      640KB

    • MD5

      9a4e8c74a4e6a5fc1c51c71d095af441

    • SHA1

      04bffaef08e3fc153eddabea6f7047a01d83b7c4

    • SHA256

      0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31

    • SHA512

      9d56d0f359693db3604dafdbd7415ef93fb0baa74652d59fadf914bf0a694fc50959f4c1d9d79a1cd620dca4ba0919b021ab2f93ca79a8ad5615c695d15216f4

    • SSDEEP

      12288:VMrby90H7NiOMM6nEZofl1XRmT74so1UV3LpQPfNy5:uyzbZ7dhRy4F1U4Ny5

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda

    • Size

      1006KB

    • MD5

      8c0a63fb01c25edb39a66f28038f7aa0

    • SHA1

      18666baa1de5d7b6f5e4e273cc9946e4d295cd21

    • SHA256

      1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda

    • SHA512

      8e0aebc199e0b97fa264bcba47bd2abaafd94fba5f777350de1260512feb597193e46a31e911740c121318647a1b067c1cd5261440147fe4dbc2b2bcda0c6276

    • SSDEEP

      12288:eMrty90ivMV92xv+Zo90ItoX5rqNgUH16kaLm3OlGTI9trzLzwoBIthXTW1:PyPM6xv+ImprEgU4lLMO+IXgoKXK1

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2f0934382aee1d9b657ffa98a2699fe864ed0a5bf8e1fc03bdcd479244e27b84

    • Size

      269KB

    • MD5

      ac88a92b64ce3501e09fb1871eb76dc9

    • SHA1

      539a8f7a674aba1fa8c4022bdb5210c9d2ce37a3

    • SHA256

      2f0934382aee1d9b657ffa98a2699fe864ed0a5bf8e1fc03bdcd479244e27b84

    • SHA512

      fc328382e8b544a43c404d2824784609322b1e2f2b84e5bce58c572793c4fb040d82632ab89527c816e4feb170025bf3cf59d904a85c378e11d6751abe4a599a

    • SSDEEP

      6144:a6SctlMQMY6Vo++E0R6gFAOwIOYIL+g35:a65tiQMYlXuIE35

    • Target

      421c712a06e641733de7dc086abdc66469eef71d8cf926aa756f0f6910cd6a0d

    • Size

      383KB

    • MD5

      42d11f2b82dcb7347ed0e016f3a89be6

    • SHA1

      70f25e34f96ecaee0d9758c0f4eaeca90547326e

    • SHA256

      421c712a06e641733de7dc086abdc66469eef71d8cf926aa756f0f6910cd6a0d

    • SHA512

      019f1c83f86850232a165a0b70a3800d3d6e473f3ed697cb85b63d70a62cfc410bcded02a469becaf3588461293eeeb59ec20cde50e039fd36e0e42c7a9e07f2

    • SSDEEP

      6144:KYy+bnr+Jp0yN90QEXyo3FxSHF3F32KnACJeQ2Ut86H5777+1wxjnblSkcy:wMrhy905ycMF3F322veyT577C1wxXcy

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0

    • Size

      1.1MB

    • MD5

      0e9408c5a1d43eacf2a83efc8ec28403

    • SHA1

      71c2d85e7c0d50ed22010a15493916d14344c19e

    • SHA256

      4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0

    • SHA512

      bb4db61931c6979ea415139b559fd69b832d9d3ddecf179e58ce44f8ec36c89943512e665eb22e70f4e75c48dc8a924d09d196139c923de08e7a9c8fc68842f6

    • SSDEEP

      24576:byZ0Y6i41PZiAYvfcxG5u9aeOUBZS5UaB8PGFQo5n:OOvi4/iAYvUxOR2pTPGFJ5

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669

    • Size

      271KB

    • MD5

      083ef6f2294813c0726842c851aa5678

    • SHA1

      4245d5c4be3f5580bf5bb2d0ab5ace4c077786f0

    • SHA256

      4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669

    • SHA512

      0a78098a2cdf0b16defde233d9068fac53e8b5cffec0a4336c15585b15683b7fa0cd44d24c767b7182eae80fe4883ca4d04607020ce80af6975184c2b7dc1ab1

    • SSDEEP

      6144:KKy+bnr+Cp0yN90QE1rQPo8mc84Rh5z+IM5iLWUg:2Mriy90AQ8mNOhQIBWUg

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      54ae781e479d4e60bdd8734270b33ab0db93c1543e6f477a3dcc2c93b42f7e0d

    • Size

      1.8MB

    • MD5

      d078d93742d71acc505a75d0db9ff581

    • SHA1

      0c5593e415e6cf86bd2498902b29ee53068919c9

    • SHA256

      54ae781e479d4e60bdd8734270b33ab0db93c1543e6f477a3dcc2c93b42f7e0d

    • SHA512

      26ca1e093147c7ac45420008bb26c94173e1f68eccfa5e67a94fd4da11990e3597cc48ea9bb3b08047c9d7767e1df18c23376e99517de282ca2e1ac328d6b6d8

    • SSDEEP

      49152:SMdBDQOVJVm/9av1a8Pk4sixuPpeOnw+/MQ:hd6OVJVm/Ev5k44PpeOw+/MQ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      597fd86cf22402c976ac13f554867cf010ab3d5c9bdcf8d817c66e620dce4751

    • Size

      306KB

    • MD5

      bbc0e66e9970c6d289d5aacbe28ad8eb

    • SHA1

      3172486f0db1519646b971f93cf94b00b18dbe3f

    • SHA256

      597fd86cf22402c976ac13f554867cf010ab3d5c9bdcf8d817c66e620dce4751

    • SHA512

      38ef3029b13f9a499a50213782281294bb2e8a18df1b7f6699d8f8517ac50f55013b37c4d320b4f463b60d5ee113d0246d0f11a2f48f1358af76792fbd6c56c2

    • SSDEEP

      6144:Kny+bnr+Vp0yN90QEdXp348Oa6+keANsZlJB0gN:JMrhy903Rxke5ZtN

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7

    • Size

      729KB

    • MD5

      82c85db59edaa8dc52bf1c07c43bf40b

    • SHA1

      94560464456584401c8bb85a979a43cd91dde5dc

    • SHA256

      5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7

    • SHA512

      4c5e45ccf84d7fae3168c99afacefc436faa185eeb1038b11ffeb3bb120515a4ba61756c84c5fa9c60d81774c8de1841372cffdfb60d7d151fc8923a124e179d

    • SSDEEP

      12288:uMrvy90TqAzTul9aPd5v/QYxKNFAdtI2DPCztUKAMhFN+08EvFne99jnEl5m4cdz:xyKX3R5HSIt3u2B8FN709Il5hy/r7zJ

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917

    • Size

      382KB

    • MD5

      4d8700ac9e259e9c05ccb05abcd3e55b

    • SHA1

      3ca1f31e449c427a5223165abee3858b8d3a1bc6

    • SHA256

      5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917

    • SHA512

      a52da5997013a09ab0fbcc5516eba9eee0bc6fb971294d8ca48b985a1d2030c495493d02eb7d7646b67787816ba65ad67331aa08411944dede4301d1b01e28cb

    • SSDEEP

      6144:KUy+bnr+Xp0yN90QEvNhYCAaMbdsJNuYI50Y/BJf9+aOwYSlup:MMrny90xNhCbdsLxI+Yd+9w6p

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9

    • Size

      382KB

    • MD5

      0cdd1d630baea001d0bad7a95db25072

    • SHA1

      f4360bae0c4b6609c534eba13aafeaab3a492e54

    • SHA256

      5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9

    • SHA512

      2a6d327e07511fa00ed5c440afb2730a61384064ecb974c4ac895062bed87e1fe4388fbc0b9ddb633154827289c599949722aa4517f5fd6fc90854b4071d2cf1

    • SSDEEP

      6144:KFy+bnr+hp0yN90QE5krZ8aQlp2GTvQFg1qo/qV0pB5BcWJoJnTY67h3TXhN:DMrFy90jkra2i4i1T/qV0DSBr7h3Tj

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025

    • Size

      1.4MB

    • MD5

      ce3a43f12f3f536a897ffe527cd1f10f

    • SHA1

      8a4763f0a032b5c70846ba3c7da378a3482eac12

    • SHA256

      65a4c04d9eef0d0db884e244647345959a2f576dab0d856bc052140c13b17025

    • SHA512

      c3aad6a4a86b79b167a3989eb8d4cc6f75df354b805f8c160f8cb5dbe812144daf5d7bd07c36d3e12767adc8f8f554cfd4846599fe5f9524b9eb3e79fb407a1e

    • SSDEEP

      24576:oyW34oUUWqSF+Ww//7tpefhOrb44GWpd0a0SJtD6K5SadD3F9G:vjjZoWw/ztUJ4E4GWz0hSKKtD3b

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6d2e6d5049e4da686813824edc4aa0a843fff13079a0a9399739fe64efcfd021

    • Size

      1.1MB

    • MD5

      122ae58495d166acc0cb676f112ac7ea

    • SHA1

      4570a45b76a6c9c4a05c0924a46851e13d656871

    • SHA256

      6d2e6d5049e4da686813824edc4aa0a843fff13079a0a9399739fe64efcfd021

    • SHA512

      ba3eb43d869838febdec3309505c46b6eca82bc0b33885f646d5f8e5817fef50119a641b93579125c777601208e8a3386f469e201125318eb29de4ae3e205cfd

    • SSDEEP

      24576:jyuvjnSODUPGMROZ/8ksUeKnHUS8QD9d0fiIXDXZN5Ja:2ubnvDcQ/8ksvKnHdd0qIXdL

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4

    • Size

      628KB

    • MD5

      1466afcf9212b6b9064360ff405de2ae

    • SHA1

      a124963faff7312f1ebda5edfb99a63d48a8fa78

    • SHA256

      77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4

    • SHA512

      cd35527c01c944ffd9eb477d4ab62ca3c6dc8e5e7e4bbb39ecad997867cddb132e820e26aed9b87c54720d3d917374912034fab473bf10b1b25db494e4bf79ec

    • SSDEEP

      12288:6Mrvy90Ia7VfVNeSa+kGuYsCwuqnRGddMTTzP814D8QO9Hk:NyZQFVBwYsCGIddMD81oAk

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212

    • Size

      1.1MB

    • MD5

      ed888651c68b1cf8488cc0699d2f7743

    • SHA1

      421586dcebb5d402b53e5153cd497d760f82f4ac

    • SHA256

      8c279e4e627a1cf50482f625b1ee518eae0ac11a42f443c27e6f6ee04c180212

    • SHA512

      ef84d57aefe109f83fd4040acbe53bfda3b5b384f6d2b2794b907713f7f70d40796a6ab349a0cd938752edcf8b31b61804ab6913183b13b390f0ec5397519207

    • SSDEEP

      24576:5ykxqe6jmiTbMFiMOTLwaPKQnA+S2gZlH2:skAfM0MOgXxLH

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5

    • Size

      628KB

    • MD5

      128b755cd25a91c7322dd65c70ff4f7a

    • SHA1

      c61f3449981c9389672005c0976b26a2f5288950

    • SHA256

      8ee3fa55ceed18988822ea9dd7e193a1c7e306b0010f172aee42ec3ddd3b2cd5

    • SHA512

      06573cef4530821eb96c797802a3920c98781aeb7b75fc3812c9b4b11cf49e04706580be12a1a6f7b856725e1371c5d178699cc25e22cd4105cd8ef7a4eef441

    • SSDEEP

      12288:xMr+y90wTyutwnA6Swsg7w2OwEpzU+5kbesfe6g4mEk0A80:zyRP/HgB0pzU+eyLx4Zk070

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a

    • Size

      383KB

    • MD5

      10157d8d3d357ae7b51b1c1da1349a41

    • SHA1

      84b30b0505c3b15fc3771117975fdfcd7faf3382

    • SHA256

      8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a

    • SHA512

      de6fc008a1b6503996778702b0940a3de5fe6ee8b91e8d3b9eff36254d53383d3926bb97d846ba69053ebcf0349be4236ce7dead55c9c0bc1cfa2cd89286d4c3

    • SSDEEP

      6144:Ksy+bnr+qp0yN90QEP6/c+6cQ7PxWiyywTeqtPGbVw3ZvcYoFgf3yCHa:AMrGy901Uc+6EiH+7tPGW3ZvNvy9

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0

    • Size

      514KB

    • MD5

      64213f2dcc8b5d22b389dba89f44cc7b

    • SHA1

      c2cc89dea6afc99231930fb1aef87d168d7cb4ed

    • SHA256

      a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0

    • SHA512

      24f6726d7a91ee02dedd3a3052746c203044e33435dda9be41fa4b2554a3e31cec36380043d9944baf24e6af37b94329611693f8cdb81cedbe5523e590acd06c

    • SSDEEP

      12288:xMrzy9083raexrx0W0GEEITEpSzvEzoJ19xO:+yPpkjXdTEIzvEzoPu

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      cecc5213e25a8a2dfe40b0f517d513ce319f2cdf28bcc26df3130a53a46d79a1

    • Size

      389KB

    • MD5

      eb246738bb8993185b4d383c62b85abd

    • SHA1

      adee718865a8a9b9fe267ee2e242913fa3b081ce

    • SHA256

      cecc5213e25a8a2dfe40b0f517d513ce319f2cdf28bcc26df3130a53a46d79a1

    • SHA512

      6e485f06c842c90d47f8e5e4bcbaeabc0ce18b7b90d104337db6a8b1a8d9b4def54926d695cdde79b997eb80bea6142cb60035ca9b70f9716aec5f9e583d1ca7

    • SSDEEP

      12288:XMr3y90LFeSD9i3YJTUs2Wug+4+wS7EFut60WtNV/c7F3:AyOFeSDM3YRz2WuHUSooI043q3

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution
  2   T1053      Scheduled Task/Job

Persistence
  19  T1547      Boot or Logon Autostart Execution
  19  T1547.001  Registry Run Keys / Startup Folder
  7   T1543      Create or Modify System Process
  7   T1543.003  Windows Service
  2   T1053      Scheduled Task/Job

Privilege Escalation
  19  T1547      Boot or Logon Autostart Execution
  19  T1547.001  Registry Run Keys / Startup Folder
  7   T1543      Create or Modify System Process
  7   T1543.003  Windows Service
  2   T1053      Scheduled Task/Job

Defense Evasion
  27  T1112      Modify Registry
  8   T1562      Impair Defenses
  8   T1562.001  Disable or Modify Tools

Discovery
  7   T1012      Query Registry
  3   T1120      Peripheral Device Discovery
  10  T1082     System Information Discovery

Tasks

static1
  Score: 3/10

behavioral1
  mystic, redline, lutyr, infostealer, persistence, stealer
  Score: 10/10

behavioral2
  mystic, redline, lutyr, infostealer, persistence, stealer
  Score: 10/10

behavioral3
  mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral4
  smokeloader, backdoor, trojan
  Score: 10/10

behavioral5
  smokeloader, backdoor, trojan
  Score: 10/10

behavioral6
  mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral7
  mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral8
  mystic, redline, ramon, infostealer, persistence, stealer
  Score: 10/10

behavioral9
  amadey, mystic, redline, smokeloader, 04d170, plost, backdoor, evasion, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral10
  healer, redline, moner, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral11
  healer, redline, ramon, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral12
  mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral13
  mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral14
  amadey, healer, mystic, redline, daf753, fb0fb8, trush, dropper, evasion, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral15
  mystic, redline, smokeloader, magia, backdoor, evasion, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral16
  healer, redline, buben, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral17
  privateloader, risepro, loader, persistence, stealer
  Score: 10/10

behavioral18
  healer, redline, buben, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral19
  mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral20
  mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral21
  mystic, redline, taiga, infostealer, persistence, stealer
  Score: 10/10