General
-
Target
r.zip
-
Size
16.9MB
-
Sample
240524-f7mvjafb23
-
MD5
fce70f31aa86b5b9578924bb289b809d
-
SHA1
f1c72e9aca02764608748f748f20fef1b2eb4d3d
-
SHA256
cc5e37d73955fc0316a074c4b20f0296dee40952f8d275b2c6c6eb4eb0947059
-
SHA512
93075e33c989f7db98718ebda0f12924f28d2bb8ca3866e203304d2f05cb78a66302107a418afaade73907f011bb9d37b9011525afc4c8fc94080823dda552b4
-
SSDEEP
393216:eYsgHqjPqc9ZqjxKogGkxV2HBFQsydqL5zm//EYUduOrlFJ9l:eYvqjPqcOjxK5n2HBysqqFLYUDrlFR
Malware Config
Extracted
mystic
http://5.42.92.211/
Extracted
redline
breha
77.91.124.55:19071
Extracted
redline
kukish
77.91.124.55:19071
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Extracted
smokeloader
2022
http://5.42.92.190/fks/index.php
Extracted
redline
taiga
5.42.92.51:19057
Extracted
redline
lutyr
77.91.124.55:19071
Targets
-
-
Target
0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5
-
Size
1.1MB
-
MD5
a0993b295f22b979045e9e5619184ea3
-
SHA1
7197bf0e4d125a3c1c45d39ae75dac7632557213
-
SHA256
0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5
-
SHA512
7944f2b0747af7dae01b8a3d7e58f30b784ba74225d0b03f6924a9c03fbb89e9a15a9e663831850e9373c8be56254513a6f2481710ba1b9642e92bd650e23ee3
-
SSDEEP
24576:UyiTdNkP+nx9l8jOuBMlDjy2YZpoDhR6sacCMyXaOvpsg8/j:jiTLk2B8jOuBMlyTpea/vXp1Y
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179
-
Size
508KB
-
MD5
08f93718f532a5b6806992822abd5319
-
SHA1
bf256764f2a7e66ce6043af9a36558d8ebfae3c2
-
SHA256
0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179
-
SHA512
01731396c4eddfca44f4421e74fff0c6a9551f87fcf4f6799e5a001ec1872cb398ffd66aaadc09bb92cedc47cb9e193b635f36d82a067d70a448764c47650801
-
SSDEEP
12288:tMr7y90cskbQBr9Sm/zFAUl4RI27Senp1/oGjhvC:SytQBHzFFs3/oGtC
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338
-
Size
1.1MB
-
MD5
990e933e09496f5e13846fe69ceb707a
-
SHA1
6a8977a1da928de9ec6b61bfd60f5bae10a209e7
-
SHA256
21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338
-
SHA512
531ccdd9bd9393ea4d48174eca858f4de62776ed51a142ba3b677425593e0adecd557c3c1c125173c793e46e74889c9ec15557368b173e3297a51dd1532843e5
-
SSDEEP
24576:5yIw4LjVhBurow429PCp1zm3jxNyNNUKbhB91NCV/Io7STznuZVBU:sIwwjnBQ42Mp1KHUXNBDNCd7SG
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931
-
Size
1.1MB
-
MD5
970cebd220b029f825b123655aa738f0
-
SHA1
9f36d37a6ff67d00e1eae8114acf2efaac6a3a1d
-
SHA256
2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931
-
SHA512
aaeb2d0307843b73b03609bea764d95ed871076a6fc0b95a9e50c09b303c1009558086c1ad5bdc16f23c0e769007a4c9d0743a1b17281014bd7efbecaea358bf
-
SSDEEP
24576:VyVq1fbot71KmfaA+5+MrTOnbX/S4tJ5iFbaQ9Qe2w9rG7:wVqpmzhT8TmX35iL9V2SrG
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5
-
Size
621KB
-
MD5
873fe20000f2954d9b2e2d3a1ee146ab
-
SHA1
6d076ad8ec8c2eba2a1e1cf43a0089377c61e9b7
-
SHA256
299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5
-
SHA512
95f67206b77726a45449e20586b0e50798d6f9ec0ced4ae0c6eae88501ad33c2c1b0f5dba7856acdb96a149d97732a7ed57f88d7c7f92141b6ed05f7b6f46fce
-
SSDEEP
12288:sMrPy90Hk8UpyDuuSZum4/9WArLJFskN/L5BLSXAAyesaNR:Lyz8gy9SArvsk1sAte5D
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
3d64fae31acb5d4e6e0319606608e94d2b3a017279c295dba43ce4d28aab53d7
-
Size
640KB
-
MD5
83f05c5fda15836298e46fb4040f4c38
-
SHA1
63f0e9906de5027985d0bb31866535610e7da4d9
-
SHA256
3d64fae31acb5d4e6e0319606608e94d2b3a017279c295dba43ce4d28aab53d7
-
SHA512
d47fff8e77915d9289f57b3768d82722ce888b2a11548ef6f83661729d56fbc2ac3128760d9a363c405ba0092d8c2713e8826df45d0d6b73dd125beeb6f80e9b
-
SSDEEP
12288:bMruy90Kr3s8LlcWABrlcjhrCWarqi8b+RdCGo6VE8+sjVyUQT:5ydc8LmBhIrzarqq06VEIyUo
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
652a4e2d36de8360e61d407c228b3eb8948cafa60881c208bbd568afd7222f35
-
Size
811KB
-
MD5
62c46e802b6ff9a1607d0498ed507110
-
SHA1
1a0b7522c0fb59cd9b1d627f497ac207ab9d584b
-
SHA256
652a4e2d36de8360e61d407c228b3eb8948cafa60881c208bbd568afd7222f35
-
SHA512
8b2df6225b11758ec79cf77f439d4904c463b6a2ac7068b41b3cce760b66869e5404e2c65bb211a354f1dd8b73d0f3d086f625aa814c065adf7c40b153de9057
-
SSDEEP
24576:AyzCNxCIzqSHqSiGmk1SdTRrmSPVz+p+7ZUh:HzACsKSiK1iRaSPV6se
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
6b4d258a8d8ba67789ff7894ed84c9e89d61a4f8f9d156a7c732ddf5e5f4511a
-
Size
1.5MB
-
MD5
0c949673ce549079af032d4298d9e8cb
-
SHA1
d7a889d9434be7b5e55b6df4dec0905899b997ec
-
SHA256
6b4d258a8d8ba67789ff7894ed84c9e89d61a4f8f9d156a7c732ddf5e5f4511a
-
SHA512
13264a8ff11b5beba5ebad1c854b81eef24f39c395056d049e98a473fd5c26fdaff64cb888419c13feb01eb7f1398a9f277d1c8bde3eeab3478354ec32d2fc10
-
SSDEEP
24576:6yjXmF5XP50jauubNHvtTAwYSd4utYYMDiRaF+9eXzrdG+gqD+MuyDA:By/WGHvGC4ufRuLrdtHu
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
74c99e0dfdc0750268c34c3d63288e0bea52796a82c9b157a495fbe2608d4942
-
Size
921KB
-
MD5
7cf36789e46b4e994d0ec822dc83dc7d
-
SHA1
27d15125db1a5513c8ee55b640f548ce93778370
-
SHA256
74c99e0dfdc0750268c34c3d63288e0bea52796a82c9b157a495fbe2608d4942
-
SHA512
0279d8e9d32a20dbcaf163a9a97a974273cfe42c55def0ec0b695046b0818732a31fae53bf32c7c97ef59532f2901ddf3f91ad52e390b0bf317243a2f6a9fd6d
-
SSDEEP
24576:Yyf0kXWxLoarfj5VYwLCo5Y0FAe9u0/C37qI/:ff0kCnrrgSL5Y0Oe9ukZI
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
7e6bab949194c1776ccda7ecf613ef45e2d619717d44730efec0049e322789d0
-
Size
1.2MB
-
MD5
2184c0b0f1719f6e847905d1b8c16d75
-
SHA1
a346ddfc7dfac42ef45b856957a49da604d4788a
-
SHA256
7e6bab949194c1776ccda7ecf613ef45e2d619717d44730efec0049e322789d0
-
SHA512
515fe6cbaf9cc7ecef386b1c9fe455d5e177a6d5b10e6ad4c0454b2958faba3ddacd21d1ddbbbc747608dd0b6468dee306aa0c63862d36e1d56accc2c4123423
-
SSDEEP
24576:oyH9alXqINC8tf/DnEFvrg5mzfPy4GS+xUywf2WMn0IAClu:vH9al6I48tf/z2v0gzfPybOyiRal
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e
-
Size
1.3MB
-
MD5
1cb0d9a73de2ed437d313f8f5e9f324b
-
SHA1
f4b12e8a694e5f5ccca161aebe6bd66a60474e49
-
SHA256
80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e
-
SHA512
aa6c85222b8ed1b49d497f7aab8e2a1ce787d9175da1594f545d414c70b818ba0f893238bcf5c7dc3c9edc0cfd2f0c3d46a1122212d73b55322a91a1369fcfe6
-
SSDEEP
24576:BySsRytVMlI1Melx8vHpMz9kX1tdLBzgj5MDvBAngjrjsZXo:0EjP1Mw2vW5kXHdLBEj5GvBPf0X
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
a96b2772021c2a9c228f53c7583855c51eac18dbb16e1dc62969e62c6aa9ceca
-
Size
935KB
-
MD5
7c48d0260b3561c0bd83681d4e14b2cc
-
SHA1
d710c30efc2b38a57fe06894ec82d9dc2985c9cd
-
SHA256
a96b2772021c2a9c228f53c7583855c51eac18dbb16e1dc62969e62c6aa9ceca
-
SHA512
c7898ff1ff23a2bd3e7f684c83ffd836e0508f25046796ff2a4b2fb86283d5f1ef21d00ce20a38f122e613f8361fc74edfd9c930067a32a145b19fb8c445408c
-
SSDEEP
24576:2yNYzfCr0NMJxqAdlJflIp1jWnS8x3NtP2qA4h2iTTcOY3Jfzw:FNYzK4mJxqWjflIoS0/P2/4hFTTcJ
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f
-
Size
514KB
-
MD5
d24fc153514f465665aeb87afce202e2
-
SHA1
bebd7242e149c1df0840e0970379591a96a00ddc
-
SHA256
b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f
-
SHA512
bbf65202c6001b58bd4fcfb4fbb69368df9befb3015324d4be17a8facd75d535c2ac9a02fcdb1741889fb223b3f8e1b5536cf24f1b1ca661d34fb0fa7a1efe17
-
SSDEEP
12288:HMrvy909AEAh/NT/igEITEpSzu8DBQ0ctCHHM6x:wyZFNT/ddTEIz+0TTx
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
c1237a6a46458518390f044aae909d7b4e395ae64c6bb1db16e0cbe581f8d65b
-
Size
1.1MB
-
MD5
805fab0520813f1daf4cbaa9fed21d46
-
SHA1
209a066865bcf0daae7ec4460d26bc20ea4d6eaa
-
SHA256
c1237a6a46458518390f044aae909d7b4e395ae64c6bb1db16e0cbe581f8d65b
-
SHA512
7f561ac50b702e66d983cb35ecee637b6481956cb254e71990b5d6db5cd9fd08044015e6483ad46d39d39177f8a566eee4ec1d37c2f84fe99ad65bdd037e3217
-
SSDEEP
24576:OyCh/1QpnUZKnb8nOaEt0M7JQWXZVbtrwcwRhadKLT:dIUxL0qucwcwRhad
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
d7fde0f5efb7f555528ff1c98946e36088ec7396d07c4fd0a577c6b49c4bcd97
-
Size
692KB
-
MD5
75d4d328a799d98cbfc1e833cd018aca
-
SHA1
9d5dcb6ccfb99ed7ec5dcc77bbf544c71ade5e04
-
SHA256
d7fde0f5efb7f555528ff1c98946e36088ec7396d07c4fd0a577c6b49c4bcd97
-
SHA512
a5be29a9ef0c570c2328782d7a017152d78402c7314c6acd93ead929553bd40caf98fb229e92c71b88fecbf80ff75cd5dbf0979d956c5035313d42d745d99ba6
-
SSDEEP
12288:+Mrsy902LH5YQp71v571GYKcrw1DHY88Up2VsK35LdPUO7K2avsVjA5vyQ:uyjH53Q9Ydc2Vsw4O7PavspEvyQ
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60
-
Size
479KB
-
MD5
a36f65f317ac41f8fd835d9472e54596
-
SHA1
0770f7e17bee482e980bde6157d36ab6612eafa5
-
SHA256
da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60
-
SHA512
8dbfcc1b252a305f435b289ba4433e3c6c6256a8bfe99b73e1b323270c174885ad6ed3917607b1fc81573f79ce6e07ed7bb91dbae1d693ed9a04d948d58eb32d
-
SSDEEP
12288:QMr5y90ud12LTOXvHR3swsWf4yLlnzmXJ:5yeTOXvHRLsWQ4lnzA
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e
-
Size
1008KB
-
MD5
014a2a1979a35d870c55175b30df4794
-
SHA1
1473c11702720aa9deb9877bf4ec8f10c745d6a5
-
SHA256
dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e
-
SHA512
049797fac32069693c9342812a1de56796ad9feec5b69ef037ea29f99a97c5a9c121217e71245031504ecd5511dec1bdd4f5efe97eb374f7b56c55cfa2b31769
-
SSDEEP
24576:fy4SXxIK8PAwSsWbOMUEq6tl9zbGdfLeg21zL0ZS+mxE:q4SSKaAwSsOZq6tl9zbBhJL/v
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a
-
Size
648KB
-
MD5
c12139634f017d2d2c93952feebda554
-
SHA1
34d49019576082964f1d79b2cb8fa2f1298f1c29
-
SHA256
e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a
-
SHA512
85480633f93547b3ac6bf0b0971b42d41ef30bc4fda2eb1f91b8459e371d7705008fe168f63ba8eb11c5ce61cff484faa6200b823022183c39c10bbbf148b38f
-
SSDEEP
12288:6Mr/y90MJQl5BK7ra5tpf0e7FlSBhobizWQG+UhZ+wGBEAb9ot02QH4xk:NyWl5BMa5/tRitiQG+UhQvEAGtDgd
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0
-
Size
1.3MB
-
MD5
ba596649dd39015b9ebb20e53e576673
-
SHA1
1f6bb78f5decfae319019346d7a2c5c2d5be2cd4
-
SHA256
e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0
-
SHA512
4544fd2669ff8d9632241040946868026712ddc7faf1a0db708ccf8f0c7edcb92a6c6ec9167b59421014158b0f27353b6afc4026d3a2748bb7fa3252e2747f57
-
SSDEEP
24576:gyfJAGy3eES79rsujbjYlvUJG76Sh44Q+x6/7XOHG+nnsQPGKkUw:nfJBbES79rjYbth44xsKxJPGKk
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
f3b64421133b7924d58e6aecea4508423a6b611f1b55b129f7ac031c0458b73b
-
Size
436KB
-
MD5
d213e2080232807a50a68cf06de48dd0
-
SHA1
a09601da7b45676d1a3cb07d767e093399d14b60
-
SHA256
f3b64421133b7924d58e6aecea4508423a6b611f1b55b129f7ac031c0458b73b
-
SHA512
03867c11eed2d693fc1cd81da1c8c29b74bb6c45ff4f608ceb5c411ef8d9ba6e8fbad68a17bd4558c2055aa8258e1b39e24daca8d18558912ae0d6e7f16673d2
-
SSDEEP
12288:DMrUy90Y4kZKi2MwPlfAbMdllZ+jYIvK4+IA:3yNnKi2NPZPcsIy4rA
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1