General

  • Target

    r.zip

  • Size

    16.9MB

  • Sample

    240524-f7mvjafb23

  • MD5

    fce70f31aa86b5b9578924bb289b809d

  • SHA1

    f1c72e9aca02764608748f748f20fef1b2eb4d3d

  • SHA256

    cc5e37d73955fc0316a074c4b20f0296dee40952f8d275b2c6c6eb4eb0947059

  • SHA512

    93075e33c989f7db98718ebda0f12924f28d2bb8ca3866e203304d2f05cb78a66302107a418afaade73907f011bb9d37b9011525afc4c8fc94080823dda552b4

  • SSDEEP

    393216:eYsgHqjPqc9ZqjxKogGkxV2HBFQsydqL5zm//EYUduOrlFJ9l:eYvqjPqcOjxK5n2HBysqqFLYUDrlFR

Malware Config (extracted)

  • mystic
      C2: http://5.42.92.211/

  • redline, botnet breha
      C2: 77.91.124.55:19071

  • redline, botnet kukish
      C2: 77.91.124.55:19071

  • redline, botnet horda
      C2: 194.49.94.152:19053

  • risepro
      C2: 194.49.94.152

  • smokeloader, version 2022
      C2: http://5.42.92.190/fks/index.php
      rc4.i32, rc4.i32 (two key entries; the key values are absent from this page)

  • redline, botnet taiga
      C2: 5.42.92.51:19057

  • redline, botnet lutyr
      C2: 77.91.124.55:19071
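The extracted configs overlap on infrastructure: three RedLine botnets (breha, kukish, lutyr) use the same host and port, and RedLine horda shares its host with RisePro. That overlap is the natural hunting pivot. The script below is an added example, not part of the sandbox report: it transcribes the C2 values from the config section, normalises URL and host:port forms, reports hosts used by more than one family or botnet, and scans constructed log lines (timestamp, source, destination, port, URL; the 10.0.0.5 source and 203.0.113.10 destination are placeholders) for connections to that infrastructure. A config that names a port only matches on that port, so a connection to a known host on the wrong port is not flagged.

```python
"""Pivot on the C2 indicators extracted above: normalise them, expose
hosts shared by several families/botnets, and scan log lines for hits.

Added example for this report, not sandbox output. EXTRACTED transcribes
the Malware Config section; LOG_LINES are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# (family, botnet, c2) as listed in the report's Malware Config section
EXTRACTED = [
    ("mystic", None, "http://5.42.92.211/"),
    ("redline", "breha", "77.91.124.55:19071"),
    ("redline", "kukish", "77.91.124.55:19071"),
    ("redline", "horda", "194.49.94.152:19053"),
    ("risepro", None, "194.49.94.152"),
    ("smokeloader", None, "http://5.42.92.190/fks/index.php"),
    ("redline", "taiga", "5.42.92.51:19057"),
    ("redline", "lutyr", "77.91.124.55:19071"),
]


def normalise_c2(c2):
    """Return (host, port) for a URL or host[:port] string.

    URLs get their scheme's default port when none is given; a bare host
    keeps port None, meaning 'any port' (the RisePro config has no port).
    """
    if "://" in c2:
        u = urlsplit(c2)
        return u.hostname, u.port or {"http": 80, "https": 443}[u.scheme]
    host, sep, port = c2.partition(":")
    return host, (int(port) if sep else None)


def label(family, botnet):
    return f"{family}/{botnet}" if botnet else family


def infrastructure_map(records=EXTRACTED):
    """host -> {(label, port)} across all extracted configs."""
    by_host = defaultdict(set)
    for family, botnet, c2 in records:
        host, port = normalise_c2(c2)
        by_host[host].add((label(family, botnet), port))
    return dict(by_host)


def shared_hosts(records=EXTRACTED):
    """Hosts serving more than one family or botnet: the pivot for hunting."""
    return {h: sorted(l for l, _ in v)
            for h, v in infrastructure_map(records).items()
            if len({l for l, _ in v}) > 1}


# Constructed log lines: timestamp src dst dst_port url ("-" when none)
LOG_LINES = [
    "2024-05-24T10:00:01Z 10.0.0.5 77.91.124.55 19071 -",
    "2024-05-24T10:00:05Z 10.0.0.5 5.42.92.190 80 http://5.42.92.190/fks/index.php",
    "2024-05-24T10:00:09Z 10.0.0.5 194.49.94.152 443 -",
    "2024-05-24T10:00:12Z 10.0.0.5 203.0.113.10 443 https://example.test/",
    "2024-05-24T10:00:20Z 10.0.0.5 5.42.92.51 19058 -",   # right host, wrong port
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<url>\S+)$")


def scan_logs(lines, records=EXTRACTED):
    """Return [(timestamp, dst, port, [labels])] for lines reaching a known C2.

    A config with a port must match on port; a port-less config matches any
    port. Malformed lines are skipped rather than aborting the scan.
    """
    infra = infrastructure_map(records)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        labels = sorted(l for l, p in infra.get(dst, ()) if p is None or p == port)
        if labels:
            hits.append((m["ts"], dst, port, labels))
    return hits


if __name__ == "__main__":
    for host, who in shared_hosts().items():
        print(f"shared C2 host {host}: {', '.join(who)}")
    for ts, dst, port, who in scan_logs(LOG_LINES):
        print(f"{ts} {dst}:{port} -> {', '.join(who)}")
```

Run as-is it lists 77.91.124.55 and 194.49.94.152 as shared hosts and flags three of the five constructed lines; the 5.42.92.51:19058 line is deliberately not a hit because the taiga config names port 19057.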

Targets

    • Target

      0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5

    • Size

      1.1MB

    • MD5

      a0993b295f22b979045e9e5619184ea3

    • SHA1

      7197bf0e4d125a3c1c45d39ae75dac7632557213

    • SHA256

      0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5

    • SHA512

      7944f2b0747af7dae01b8a3d7e58f30b784ba74225d0b03f6924a9c03fbb89e9a15a9e663831850e9373c8be56254513a6f2481710ba1b9642e92bd650e23ee3

    • SSDEEP

      24576:UyiTdNkP+nx9l8jOuBMlDjy2YZpoDhR6sacCMyXaOvpsg8/j:jiTLk2B8jOuBMlyTpea/vXp1Y

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179

    • Size

      508KB

    • MD5

      08f93718f532a5b6806992822abd5319

    • SHA1

      bf256764f2a7e66ce6043af9a36558d8ebfae3c2

    • SHA256

      0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179

    • SHA512

      01731396c4eddfca44f4421e74fff0c6a9551f87fcf4f6799e5a001ec1872cb398ffd66aaadc09bb92cedc47cb9e193b635f36d82a067d70a448764c47650801

    • SSDEEP

      12288:tMr7y90cskbQBr9Sm/zFAUl4RI27Senp1/oGjhvC:SytQBHzFFs3/oGtC

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338

    • Size

      1.1MB

    • MD5

      990e933e09496f5e13846fe69ceb707a

    • SHA1

      6a8977a1da928de9ec6b61bfd60f5bae10a209e7

    • SHA256

      21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338

    • SHA512

      531ccdd9bd9393ea4d48174eca858f4de62776ed51a142ba3b677425593e0adecd557c3c1c125173c793e46e74889c9ec15557368b173e3297a51dd1532843e5

    • SSDEEP

      24576:5yIw4LjVhBurow429PCp1zm3jxNyNNUKbhB91NCV/Io7STznuZVBU:sIwwjnBQ42Mp1KHUXNBDNCd7SG

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931

    • Size

      1.1MB

    • MD5

      970cebd220b029f825b123655aa738f0

    • SHA1

      9f36d37a6ff67d00e1eae8114acf2efaac6a3a1d

    • SHA256

      2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931

    • SHA512

      aaeb2d0307843b73b03609bea764d95ed871076a6fc0b95a9e50c09b303c1009558086c1ad5bdc16f23c0e769007a4c9d0743a1b17281014bd7efbecaea358bf

    • SSDEEP

      24576:VyVq1fbot71KmfaA+5+MrTOnbX/S4tJ5iFbaQ9Qe2w9rG7:wVqpmzhT8TmX35iL9V2SrG

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5

    • Size

      621KB

    • MD5

      873fe20000f2954d9b2e2d3a1ee146ab

    • SHA1

      6d076ad8ec8c2eba2a1e1cf43a0089377c61e9b7

    • SHA256

      299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5

    • SHA512

      95f67206b77726a45449e20586b0e50798d6f9ec0ced4ae0c6eae88501ad33c2c1b0f5dba7856acdb96a149d97732a7ed57f88d7c7f92141b6ed05f7b6f46fce

    • SSDEEP

      12288:sMrPy90Hk8UpyDuuSZum4/9WArLJFskN/L5BLSXAAyesaNR:Lyz8gy9SArvsk1sAte5D

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3d64fae31acb5d4e6e0319606608e94d2b3a017279c295dba43ce4d28aab53d7

    • Size

      640KB

    • MD5

      83f05c5fda15836298e46fb4040f4c38

    • SHA1

      63f0e9906de5027985d0bb31866535610e7da4d9

    • SHA256

      3d64fae31acb5d4e6e0319606608e94d2b3a017279c295dba43ce4d28aab53d7

    • SHA512

      d47fff8e77915d9289f57b3768d82722ce888b2a11548ef6f83661729d56fbc2ac3128760d9a363c405ba0092d8c2713e8826df45d0d6b73dd125beeb6f80e9b

    • SSDEEP

      12288:bMruy90Kr3s8LlcWABrlcjhrCWarqi8b+RdCGo6VE8+sjVyUQT:5ydc8LmBhIrzarqq06VEIyUo

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      652a4e2d36de8360e61d407c228b3eb8948cafa60881c208bbd568afd7222f35

    • Size

      811KB

    • MD5

      62c46e802b6ff9a1607d0498ed507110

    • SHA1

      1a0b7522c0fb59cd9b1d627f497ac207ab9d584b

    • SHA256

      652a4e2d36de8360e61d407c228b3eb8948cafa60881c208bbd568afd7222f35

    • SHA512

      8b2df6225b11758ec79cf77f439d4904c463b6a2ac7068b41b3cce760b66869e5404e2c65bb211a354f1dd8b73d0f3d086f625aa814c065adf7c40b153de9057

    • SSDEEP

      24576:AyzCNxCIzqSHqSiGmk1SdTRrmSPVz+p+7ZUh:HzACsKSiK1iRaSPV6se

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6b4d258a8d8ba67789ff7894ed84c9e89d61a4f8f9d156a7c732ddf5e5f4511a

    • Size

      1.5MB

    • MD5

      0c949673ce549079af032d4298d9e8cb

    • SHA1

      d7a889d9434be7b5e55b6df4dec0905899b997ec

    • SHA256

      6b4d258a8d8ba67789ff7894ed84c9e89d61a4f8f9d156a7c732ddf5e5f4511a

    • SHA512

      13264a8ff11b5beba5ebad1c854b81eef24f39c395056d049e98a473fd5c26fdaff64cb888419c13feb01eb7f1398a9f277d1c8bde3eeab3478354ec32d2fc10

    • SSDEEP

      24576:6yjXmF5XP50jauubNHvtTAwYSd4utYYMDiRaF+9eXzrdG+gqD+MuyDA:By/WGHvGC4ufRuLrdtHu

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      74c99e0dfdc0750268c34c3d63288e0bea52796a82c9b157a495fbe2608d4942

    • Size

      921KB

    • MD5

      7cf36789e46b4e994d0ec822dc83dc7d

    • SHA1

      27d15125db1a5513c8ee55b640f548ce93778370

    • SHA256

      74c99e0dfdc0750268c34c3d63288e0bea52796a82c9b157a495fbe2608d4942

    • SHA512

      0279d8e9d32a20dbcaf163a9a97a974273cfe42c55def0ec0b695046b0818732a31fae53bf32c7c97ef59532f2901ddf3f91ad52e390b0bf317243a2f6a9fd6d

    • SSDEEP

      24576:Yyf0kXWxLoarfj5VYwLCo5Y0FAe9u0/C37qI/:ff0kCnrrgSL5Y0Oe9ukZI

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7e6bab949194c1776ccda7ecf613ef45e2d619717d44730efec0049e322789d0

    • Size

      1.2MB

    • MD5

      2184c0b0f1719f6e847905d1b8c16d75

    • SHA1

      a346ddfc7dfac42ef45b856957a49da604d4788a

    • SHA256

      7e6bab949194c1776ccda7ecf613ef45e2d619717d44730efec0049e322789d0

    • SHA512

      515fe6cbaf9cc7ecef386b1c9fe455d5e177a6d5b10e6ad4c0454b2958faba3ddacd21d1ddbbbc747608dd0b6468dee306aa0c63862d36e1d56accc2c4123423

    • SSDEEP

      24576:oyH9alXqINC8tf/DnEFvrg5mzfPy4GS+xUywf2WMn0IAClu:vH9al6I48tf/z2v0gzfPybOyiRal

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e

    • Size

      1.3MB

    • MD5

      1cb0d9a73de2ed437d313f8f5e9f324b

    • SHA1

      f4b12e8a694e5f5ccca161aebe6bd66a60474e49

    • SHA256

      80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e

    • SHA512

      aa6c85222b8ed1b49d497f7aab8e2a1ce787d9175da1594f545d414c70b818ba0f893238bcf5c7dc3c9edc0cfd2f0c3d46a1122212d73b55322a91a1369fcfe6

    • SSDEEP

      24576:BySsRytVMlI1Melx8vHpMz9kX1tdLBzgj5MDvBAngjrjsZXo:0EjP1Mw2vW5kXHdLBEj5GvBPf0X

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      a96b2772021c2a9c228f53c7583855c51eac18dbb16e1dc62969e62c6aa9ceca

    • Size

      935KB

    • MD5

      7c48d0260b3561c0bd83681d4e14b2cc

    • SHA1

      d710c30efc2b38a57fe06894ec82d9dc2985c9cd

    • SHA256

      a96b2772021c2a9c228f53c7583855c51eac18dbb16e1dc62969e62c6aa9ceca

    • SHA512

      c7898ff1ff23a2bd3e7f684c83ffd836e0508f25046796ff2a4b2fb86283d5f1ef21d00ce20a38f122e613f8361fc74edfd9c930067a32a145b19fb8c445408c

    • SSDEEP

      24576:2yNYzfCr0NMJxqAdlJflIp1jWnS8x3NtP2qA4h2iTTcOY3Jfzw:FNYzK4mJxqWjflIoS0/P2/4hFTTcJ

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f

    • Size

      514KB

    • MD5

      d24fc153514f465665aeb87afce202e2

    • SHA1

      bebd7242e149c1df0840e0970379591a96a00ddc

    • SHA256

      b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f

    • SHA512

      bbf65202c6001b58bd4fcfb4fbb69368df9befb3015324d4be17a8facd75d535c2ac9a02fcdb1741889fb223b3f8e1b5536cf24f1b1ca661d34fb0fa7a1efe17

    • SSDEEP

      12288:HMrvy909AEAh/NT/igEITEpSzu8DBQ0ctCHHM6x:wyZFNT/ddTEIz+0TTx

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      c1237a6a46458518390f044aae909d7b4e395ae64c6bb1db16e0cbe581f8d65b

    • Size

      1.1MB

    • MD5

      805fab0520813f1daf4cbaa9fed21d46

    • SHA1

      209a066865bcf0daae7ec4460d26bc20ea4d6eaa

    • SHA256

      c1237a6a46458518390f044aae909d7b4e395ae64c6bb1db16e0cbe581f8d65b

    • SHA512

      7f561ac50b702e66d983cb35ecee637b6481956cb254e71990b5d6db5cd9fd08044015e6483ad46d39d39177f8a566eee4ec1d37c2f84fe99ad65bdd037e3217

    • SSDEEP

      24576:OyCh/1QpnUZKnb8nOaEt0M7JQWXZVbtrwcwRhadKLT:dIUxL0qucwcwRhad

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d7fde0f5efb7f555528ff1c98946e36088ec7396d07c4fd0a577c6b49c4bcd97

    • Size

      692KB

    • MD5

      75d4d328a799d98cbfc1e833cd018aca

    • SHA1

      9d5dcb6ccfb99ed7ec5dcc77bbf544c71ade5e04

    • SHA256

      d7fde0f5efb7f555528ff1c98946e36088ec7396d07c4fd0a577c6b49c4bcd97

    • SHA512

      a5be29a9ef0c570c2328782d7a017152d78402c7314c6acd93ead929553bd40caf98fb229e92c71b88fecbf80ff75cd5dbf0979d956c5035313d42d745d99ba6

    • SSDEEP

      12288:+Mrsy902LH5YQp71v571GYKcrw1DHY88Up2VsK35LdPUO7K2avsVjA5vyQ:uyjH53Q9Ydc2Vsw4O7PavspEvyQ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60

    • Size

      479KB

    • MD5

      a36f65f317ac41f8fd835d9472e54596

    • SHA1

      0770f7e17bee482e980bde6157d36ab6612eafa5

    • SHA256

      da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60

    • SHA512

      8dbfcc1b252a305f435b289ba4433e3c6c6256a8bfe99b73e1b323270c174885ad6ed3917607b1fc81573f79ce6e07ed7bb91dbae1d693ed9a04d948d58eb32d

    • SSDEEP

      12288:QMr5y90ud12LTOXvHR3swsWf4yLlnzmXJ:5yeTOXvHRLsWQ4lnzA

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e

    • Size

      1008KB

    • MD5

      014a2a1979a35d870c55175b30df4794

    • SHA1

      1473c11702720aa9deb9877bf4ec8f10c745d6a5

    • SHA256

      dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e

    • SHA512

      049797fac32069693c9342812a1de56796ad9feec5b69ef037ea29f99a97c5a9c121217e71245031504ecd5511dec1bdd4f5efe97eb374f7b56c55cfa2b31769

    • SSDEEP

      24576:fy4SXxIK8PAwSsWbOMUEq6tl9zbGdfLeg21zL0ZS+mxE:q4SSKaAwSsOZq6tl9zbBhJL/v

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a

    • Size

      648KB

    • MD5

      c12139634f017d2d2c93952feebda554

    • SHA1

      34d49019576082964f1d79b2cb8fa2f1298f1c29

    • SHA256

      e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a

    • SHA512

      85480633f93547b3ac6bf0b0971b42d41ef30bc4fda2eb1f91b8459e371d7705008fe168f63ba8eb11c5ce61cff484faa6200b823022183c39c10bbbf148b38f

    • SSDEEP

      12288:6Mr/y90MJQl5BK7ra5tpf0e7FlSBhobizWQG+UhZ+wGBEAb9ot02QH4xk:NyWl5BMa5/tRitiQG+UhQvEAGtDgd

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0

    • Size

      1.3MB

    • MD5

      ba596649dd39015b9ebb20e53e576673

    • SHA1

      1f6bb78f5decfae319019346d7a2c5c2d5be2cd4

    • SHA256

      e91c8d810420c37f7d9fedc2bacbb5930e0178d958a77de6f83732cc996f85e0

    • SHA512

      4544fd2669ff8d9632241040946868026712ddc7faf1a0db708ccf8f0c7edcb92a6c6ec9167b59421014158b0f27353b6afc4026d3a2748bb7fa3252e2747f57

    • SSDEEP

      24576:gyfJAGy3eES79rsujbjYlvUJG76Sh44Q+x6/7XOHG+nnsQPGKkUw:nfJBbES79rjYbth44xsKxJPGKk

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f3b64421133b7924d58e6aecea4508423a6b611f1b55b129f7ac031c0458b73b

    • Size

      436KB

    • MD5

      d213e2080232807a50a68cf06de48dd0

    • SHA1

      a09601da7b45676d1a3cb07d767e093399d14b60

    • SHA256

      f3b64421133b7924d58e6aecea4508423a6b611f1b55b129f7ac031c0458b73b

    • SHA512

      03867c11eed2d693fc1cd81da1c8c29b74bb6c45ff4f608ceb5c411ef8d9ba6e8fbad68a17bd4558c2055aa8258e1b39e24daca8d18558912ae0d6e7f16673d2

    • SSDEEP

      12288:DMrUy90Y4kZKi2MwPlfAbMdllZ+jYIvK4+IA:3yNnKi2NPZPcsIy4rA

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13; technique ID and number of hits)

  • Execution
      Scheduled Task/Job (T1053) ×2

  • Persistence
      Create or Modify System Process (T1543) ×3
      Windows Service (T1543.003) ×3
      Boot or Logon Autostart Execution (T1547) ×20
      Registry Run Keys / Startup Folder (T1547.001) ×20
      Scheduled Task/Job (T1053) ×2

  • Privilege Escalation
      Create or Modify System Process (T1543) ×3
      Windows Service (T1543.003) ×3
      Boot or Logon Autostart Execution (T1547) ×20
      Registry Run Keys / Startup Folder (T1547.001) ×20
      Scheduled Task/Job (T1053) ×2

  • Defense Evasion
      Modify Registry (T1112) ×24
      Impair Defenses (T1562) ×4
      Disable or Modify Tools (T1562.001) ×4

  • Discovery
      Query Registry (T1012) ×9
      System Information Discovery (T1082) ×14
      Peripheral Device Discovery (T1120) ×4
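The matrix counts Registry Run Keys / Startup Folder (T1547.001) on 20 tasks and Disable or Modify Tools (T1562.001) on 4, the latter from the "Modifies Windows Defender Real-time Protection settings" signature. On a suspected host the quickest offline check is a registry export. The parser below is an added example, not from the report: it reads a .reg export, flags Run-key commands whose executable lives in a user-writable directory, and reports Defender real-time protection policy values set to 1. The export text, the user path and the entry names are constructed; the policy key path and the Disable* value names are the standard Windows Defender policy location, which this report does not itself state.

```python
"""Triage a .reg export for Run-key persistence (T1547.001) and Defender
real-time protection tampering (T1562.001).

Added example for this report, not sandbox output. REG_EXPORT is a
constructed export; the Defender policy key and value names are the
standard policy location, not values taken from the report.
"""
import re

# Constructed .reg export (Windows escapes backslashes and quotes in values)
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000000
'''

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')


def decode_value(val):
    """Decode a .reg value: quoted string (unescaped), dword, or raw text."""
    if val.startswith('"') and val.endswith('"'):
        return re.sub(r"\\(.)", r"\1", val[1:-1])
    if val.startswith("dword:"):
        return int(val[len("dword:"):], 16)
    return val  # hex(...) binary blobs etc. are left as written


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][re.sub(r"\\(.)", r"\1", m["name"])] = decode_value(m["val"])
    return keys


RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Directories a normal installer rarely uses for an autostart binary
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\")


def executable_of(command):
    """First token of a Run-key command: a quoted path, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_run_entries(keys):
    """(key, value name, executable) for Run entries launched from SUSPECT_DIRS."""
    out = []
    for path, values in keys.items():
        if not RUN_KEY_RE.search(path):
            continue
        for name, cmd in values.items():
            exe = executable_of(str(cmd))
            if any(d in exe.lower() for d in SUSPECT_DIRS):
                out.append((path, name, exe))
    return out


DEFENDER_RTP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = ("DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
                      "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
                      "DisableIOAVProtection")


def defender_rtp_tampering(keys):
    """Names of real-time protection policy values that are set to 1."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    values = by_lower.get(DEFENDER_RTP_KEY.lower(), {})
    return sorted(name for name in RTP_DISABLE_VALUES if values.get(name) == 1)


if __name__ == "__main__":
    reg = parse_reg(REG_EXPORT)
    for key, name, exe in suspicious_run_entries(reg):
        print(f"Run entry {name!r} under {key} -> {exe}")
    for name in defender_rtp_tampering(reg):
        print(f"Defender policy {name} = 1")
```

The quoted OneDrive entry under Program Files is not reported, while the Temp-resident "Updater" entry and the DisableRealtimeMonitoring value are. Policy values under HKLM\SOFTWARE\Policies take precedence over the Defender UI, so a value of 1 here disables the feature even when the UI still shows it on.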

Tasks (task, score, tags)

  • static1: 3/10

  • behavioral1: 10/10; mystic, redline, smokeloader, breha, backdoor, evasion, infostealer, persistence, stealer, trojan

  • behavioral2: 10/10; mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan

  • behavioral3: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral4: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral5: 10/10; mystic, persistence, stealer

  • behavioral6: 10/10; mystic, redline, lutyr, infostealer, persistence, stealer

  • behavioral7: 10/10; privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer

  • behavioral8: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral9: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral10: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral11: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral12: 10/10; privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer

  • behavioral13: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral14: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral15: 10/10; mystic, redline, smokeloader, taiga, backdoor, infostealer, persistence, stealer, trojan

  • behavioral16: 10/10; mystic, evasion, persistence, stealer, trojan

  • behavioral17: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral18: 10/10; mystic, redline, kukish, infostealer, persistence, stealer

  • behavioral19: 10/10; mystic, redline, smokeloader, breha, backdoor, infostealer, persistence, stealer, trojan

  • behavioral20: 10/10; mystic, redline, kukish, infostealer, persistence, stealer