General

  • Target: r.zip
  • Size: 16.4MB
  • Sample: 240524-j8rrnaba3w
  • MD5: e19f1e29720f956e4145562339da761b
  • SHA1: 077960be11a51222dd5c160febe1bff59c035568
  • SHA256: 3767bd9b929fb47ae3b158c424044d32b3c87ffb6efc8eb109dc1df9f3d9b053
  • SHA512: ac865faf34a6cd11ba9c647664f0d85ab9f12338d6cae6f309da431951911b4e1f4c4e1abcb5b8ca03aca4c00cdcefe37d9cfb98db950c24c2534ba83d5cb015
  • SSDEEP: 393216:Bzf1hIHa4OtdO/lVwuvPfW65zn4iIkwoePFpES4KMeAgQ8Txx:t1hQjOq/vwoPe6Fn4iv8vESNbJTH

Malware Config

Extracted
  • Family: redline
  • Botnet: kedru
  • C2: 77.91.124.86:19084

Extracted
  • Family: redline
  • Botnet: kukish
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: magia
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: lutyr
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: horda
  • C2: 194.49.94.152:19053

Extracted
  • Family: risepro
  • C2: 194.49.94.152
  • C2: 193.233.132.51

Extracted
  • Family: smokeloader
  • Version: 2022
  • C2: http://5.42.92.190/fks/index.php
  • rc4.i32
  • rc4.i32

Extracted
  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057

Extracted
  • Family: redline
  • Botnet: breha
  • C2: 77.91.124.55:19071

Targets

    • Target

      12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e

    • Size

      1.5MB

    • MD5

      1d7874fa02f9084e0b62af612261bdd2

    • SHA1

      b1d81b9a48264bc5771e37de7c7103256e6683b9

    • SHA256

      12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e

    • SHA512

      a9b95375adf0020c7e530176719a678a35bdceff076ef6d136d8a03820fda02b51acde2c336de952b049a78396fe6a954be740414766fbbffa12fc98836c34a0

    • SSDEEP

      24576:mycJDqllWkane4EQOdxmbFBj7UEiS6RJ4X/rZ77uYkMzTVoQ8xlQeM:1TbltndudeJ4X/l77uYkaTVofH

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      177d2176387c311fdc72de1156680cf2efd82af4016fdc8a6adcdda4d02b44c9

    • Size

      1.2MB

    • MD5

      ea7d2888eab1f5cf6eaa57c3814c8ab5

    • SHA1

      a9261b058defeb6ee253ac3d2fc3a72cebea58e9

    • SHA256

      177d2176387c311fdc72de1156680cf2efd82af4016fdc8a6adcdda4d02b44c9

    • SHA512

      9bccd9884e2365685edb69d4c2fc8243c513d0390cd966c497fbf8c57828cb11cb10a29ff7283ac855d0fc57970e78a6cd500f3ba0efb61fcbfb532220eaed52

    • SSDEEP

      24576:4yusLuDVSYDd4ThjIjeICWh1WzRmlJ8yXZvPzSAnlZ0Dr0Jkg3D:/uocVtDehj3vWh1WzRmvxeAn3bk

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030

    • Size

      426KB

    • MD5

      1cfcc52c462884921efcd71d2964a590

    • SHA1

      f0950b2f31f492d57dd07e1070419b2a8d376166

    • SHA256

      2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030

    • SHA512

      cae2b703fd2e337c19f905d30112f379c1c5c2fe0f8bdf9a24076671ea1af71a6e2b82e142c20d5b364517600789ad0ca46d365140fffb9f218fdd61ac80eb6b

    • SSDEEP

      12288:YMrGy90/Ij9NkhgKBXQFaFGcfr6fuKAnuTZMp:eyiIj9TKXQFaFG2r6f9AmOp

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2

    • Size

      1008KB

    • MD5

      c90aac7f3ef9e1256cdb06254c6ec05f

    • SHA1

      cc7232bbe0ede8bea9b17584af009cb89e738b74

    • SHA256

      3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2

    • SHA512

      19897bbcea64232554cca01af459ce3b99724ed4c85279c77e08afa702fa03da9ce1f34d2dc7fd719d391925d1cbcf9a650202af0db4fb1151f425453d81fef0

    • SSDEEP

      24576:NylINAMFhoMHmqvrkN7r8XRyuu6zcFbn+:ooAIhDWady1

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4682d278226e301e51cb7c58cec10030fc6150aa3814efe79eb0a39400e08b6e

    • Size

      713KB

    • MD5

      3b44aab959d46df5ff3374adfa5b575b

    • SHA1

      ff6d6362f5139c2a650bafb90a6b1ee78a53a608

    • SHA256

      4682d278226e301e51cb7c58cec10030fc6150aa3814efe79eb0a39400e08b6e

    • SHA512

      42c5db052b01548d1d843a169a264ba87a20f790397ae968c0d0096b7dcb1342596b7067ad4a1bc36409382dceeeff9b4be51c45c602164815000c1d4e44d77a

    • SSDEEP

      12288:5Mrty90odAKlKWsDZ0NGmcF1DepG5J/+nfUrggA1T5V46Bl3h7l+eHqHSRJuSfGn:0yXAlPScfCpG5J+nfUSrzjlFK+7v415

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      492e1a379a14cf5b3c974097a7f3e1ff73ed7af7cc48869e72473f84910744be

    • Size

      782KB

    • MD5

      d78ee98c87c96e5b84c2af90acad9001

    • SHA1

      794696b9fef9ef7913cd1b1e93740df7196a1ad9

    • SHA256

      492e1a379a14cf5b3c974097a7f3e1ff73ed7af7cc48869e72473f84910744be

    • SHA512

      c5411569c3c899c019d91939d1f7036828f11a09fa05bf2a5fa93620cced8b0dd895d70d2e515843cd9d6a4988a6abe782a072abb14ebd70282d29567ce44d01

    • SSDEEP

      12288:vMrPy90d0ah8sdhVJaSKfq38qb8pJ+piGQplQkXEFm1+gzbK8yqBrWaeESFt:AyQ0aRZd4y8aHQDlEFm4gnK18QESb

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      50eee0d0cea3475aaf0d1b967b37fb6abff00bafb4fa6e17a8c948e2ef84aab6

    • Size

      690KB

    • MD5

      ded34aadbb2d073dca9fe7ab881865c2

    • SHA1

      1152a50b60333303cf6122a25141fdad64bf2467

    • SHA256

      50eee0d0cea3475aaf0d1b967b37fb6abff00bafb4fa6e17a8c948e2ef84aab6

    • SHA512

      363e2a8155764e80ca17fed13951e343a18d7c6f9793f0d51b47c7b187e4da4e74386801032e9ad12542ae01dc24af686016f37aed1fab5ab75b3bb9dc554785

    • SSDEEP

      12288:wMrly90TY1vFUS3OmEEz7jP7+i+EryADUjm9YWCcyVITDLGngoV14Jk/xBAY:FyBPROmx7jj+i+ErvDcm9DCcGI3LGgoL

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      54a187adfc33710db0fd5acd2d87f491717cf1110b0efa415680e544e43fd590

    • Size

      811KB

    • MD5

      6d8683aa618e42dedaa0b1481f2beef5

    • SHA1

      28989953e99c68e658d9667df1be4868a67c6539

    • SHA256

      54a187adfc33710db0fd5acd2d87f491717cf1110b0efa415680e544e43fd590

    • SHA512

      426fb085dce3294ab7959ef052c3d2670d5a1801c2e8270d307ae641db2e5ffb99a9f3a8f1ae527badd3002084e1aaa28cdf4758ca79a92625859d54f1a4873d

    • SSDEEP

      12288:XMrsy90DcFSGxIWNbwOvC498Kv2h+sMT/kV03itewXTGkjlxBDdmzMuQL:DyacvIWhTvC4lvPYVE8XqCxBBmdQL

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      779aae8d260600fca091beb81ca497c21eb41aec31324f8fb00764038f5235ea

    • Size

      839KB

    • MD5

      7f8ac6fc633a133ac4398d0460fce273

    • SHA1

      40f71057a5b04b180960a954fb41aa832a404d22

    • SHA256

      779aae8d260600fca091beb81ca497c21eb41aec31324f8fb00764038f5235ea

    • SHA512

      cf843a3711aff18abe98e081e4ade629eb0eebeccde423094ca7283dde8ec4082a38e862a413f0af9816060c7f8ae7d0dc308cd0c1148e52bcbc03d13158b799

    • SSDEEP

      24576:zyMd2GFla0vq5RCW6gpgeD/sH71oaSUxgnhnmUG2M40:GMDFg0veCxgpLLS2ignZdG2M4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14

    • Size

      900KB

    • MD5

      4a9648d4eb38e033a991e4a829fb3e93

    • SHA1

      85836d217cb987fe87348137629345e06a2a8993

    • SHA256

      7a8a88b0a15e4a8745bd118e981c6441287f021628c402661c208c01855d8b14

    • SHA512

      55d564f97226b83e81cb888ba0ee310996e200a9f0d455eb454d9f9760b8b361476c04061d59b4e0bce2252bb905058fab40503bf76b8eebd835193ca2858345

    • SSDEEP

      12288:WMr6y90lQmdp8Bbof4EIKdniEMeYP/CynvCNCGGEsqbZZACGKvuMm7hD16RYTlSx:cyvGfXUE5YPq4qRsqbZZAzqaDkR3RHL

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      7d862d9155b189b61a61193301acc9e68d4ba8c3fc2687dffba6916219efcaa1

    • Size

      1.0MB

    • MD5

      747e37684f3601391f7c34c3bad3b714

    • SHA1

      f962f15719a0ba24ea00deab14bdcbae53aa1331

    • SHA256

      7d862d9155b189b61a61193301acc9e68d4ba8c3fc2687dffba6916219efcaa1

    • SHA512

      8e7b01da1c0b3e87e7315850674683d0d51c6515157d218f52fa4bb09477f9fe0e8a4ebff8b175c3d5994ed59b44cdb23c79122b8bd21b84561e9009ffcaabd5

    • SSDEEP

      24576:9y/osSiG1X/awsTEK6/PupZmRlguBpAlclFpjCjswtSD:YApB+e0mHO4FVmsX

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      994a6a489bd088aa19cbaa9f7de2d6b2d95d35431eea33ab9869ec6f43f3ee70

    • Size

      1.1MB

    • MD5

      958b8b7d0630648f74a8a205376639c7

    • SHA1

      27f77d759c810b0ba6fdbe55fc3b992ef02c9def

    • SHA256

      994a6a489bd088aa19cbaa9f7de2d6b2d95d35431eea33ab9869ec6f43f3ee70

    • SHA512

      eb82e6be4aa2bc873897fa51d7846660e7dfc4ad50a73f6e04126b451208a5474a11a1daad0680579ac3b6016d2e057fb37089d8c2ba3e2f02b1fd4e8b7a923b

    • SSDEEP

      24576:syk7IXTxaXrMWlBKgZy2XTWvUKY7hV2/nX1p5J7dvtQZ7/:bw8U5fPy2Xisr2/nX1XJnQZ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838

    • Size

      1.1MB

    • MD5

      29f505918222d2923fa3bb617664ea33

    • SHA1

      2b468ac0a3bb06e3d8fed347ae0cc227480c0fee

    • SHA256

      b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838

    • SHA512

      e9904233debeb2f658b08d3bdc9dd08cb1540a7e4015c7576336ee2126616446a4f4e4c402901012ed829df199ad04055ae9536be144bab45ac24b6512086671

    • SSDEEP

      24576:7yP+uO5OFQwmqtkMPHW6A0QbshuPVeRyHLqlHXo:uw5FR+lQbshKcyHLqlH

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b8349e4fcf81aaf69399949c00e2b6efa4edf8c68b2d76a88e1139a7a1017897

    • Size

      448KB

    • MD5

      5c898b2f8892249d25ff1db25356629c

    • SHA1

      165e345df5ccc55b119826bfa59522c74d15a71f

    • SHA256

      b8349e4fcf81aaf69399949c00e2b6efa4edf8c68b2d76a88e1139a7a1017897

    • SHA512

      322748d61c5f44d94b21b52c6811e0358fccd8243aa6d48c5714c9301acec7a568d9c336098295e8b4410137e570f6d440d87ae4a8e892cfa77e5d02442f3022

    • SSDEEP

      12288:qMr6y90A39SI9kAc1YZ1iA0Zz2gbs3YY3:0y19SIy1Yzi552gYIY3

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c4b092b703d3b8e7772eaa70361a67341f5b16e479098aacb7a1948595f79486

    • Size

      621KB

    • MD5

      5835e56571d1086d311f1cc81646282b

    • SHA1

      d4bf9d4e416a9fd826f011a36c972b9db270f4ba

    • SHA256

      c4b092b703d3b8e7772eaa70361a67341f5b16e479098aacb7a1948595f79486

    • SHA512

      020e026aa8a17275dbf73d03ad676582ef9413b580d5448d4582b06343e2370cea5f99ac0248ed8b4e43ce78cfea06cb5aad8373cc471095889f7f3330d10b97

    • SSDEEP

      12288:1MrDy90Sk8UpyDuuSZum4/9WArLJFskN/L5BLSXAAyesaNU:6ya8gy9SArvsk1sAte5y

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168

    • Size

      781KB

    • MD5

      d381ac0bf5b98cc768347eb22be18617

    • SHA1

      2fc3368a9e9f62f87447d442adbc65755d201516

    • SHA256

      c676d41b0a465dc9eb99bf5bb3c392c6a4f9afc8ebf66c4271f1ca36dbf6f168

    • SHA512

      c4c363fe591c749328b589c8af0e9bded01638e6a9e4b400787daa2014c20e25be873f8c8e7dc63d4b8d3995364dbb0a2a14905c5b7f2db106b882c1f5f1a12a

    • SSDEEP

      24576:vyIiN6d5UaeuIsKC/GdLYDcl4gf2M82ogZe:6sNet9EGW6jfogZ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

    • Target

      e6003af8259118d585d59c577d4350638e3cbde579b5f4ec0fce9845a97d4f08

    • Size

      828KB

    • MD5

      491026bed4cdc5db8e7d164b5dba20b6

    • SHA1

      510c3096e2dbcab4edfc4b33364eb5aad40ef03f

    • SHA256

      e6003af8259118d585d59c577d4350638e3cbde579b5f4ec0fce9845a97d4f08

    • SHA512

      ad29be3401873ea07d09d404f9ffedd2116f119ef0bbf9229d1badc01f419bfabe54c263db9ce98669c611771fd3c592ea1daa9702d16d9790120a58e432e699

    • SSDEEP

      24576:3y3SrcZsrHSws6TZXv2COI4zlEk2CjTbZo:C3YcWHSwssXeCR4zlqCjTl

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      edc38eb50d5c825ce8f755649e1c6c7fc24bea3b596f693c5932147527f4f1b7

    • Size

      817KB

    • MD5

      f349d0bd45133b10ed68a9c88f029241

    • SHA1

      6b66e2751890f4c0ad4a2831beba253c75597def

    • SHA256

      edc38eb50d5c825ce8f755649e1c6c7fc24bea3b596f693c5932147527f4f1b7

    • SHA512

      a6d43adf3fbcfc955d9a3ea62201e835c4c6fb3d85c8a0470b0e82fbf60742737ca32f292a976c06edcdad98ab0da063cafde4bae0b21d25eaafe45bf7f5966d

    • SSDEEP

      12288:VMrfy90H8rp3PSeLF2LybxWResO0Mo3+R4vrfXKLFKCXQFkAFW:2ymgpflLFnAL7MoORGrfXKf+kAFW

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c

    • Size

      942KB

    • MD5

      61c05ab7c728ffec4a4fb15320931746

    • SHA1

      8d31b6e48d35a465dc8001535dde6e7a60d33926

    • SHA256

      ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c

    • SHA512

      d48b900e1d1b105570cb2a79edaee451be76235d2e32d56602f362e1a2ea504ffb4feb99587be3f191ca3b59f4ba45daa612cfeb60914d285aec97e3cb537343

    • SSDEEP

      24576:uytCBBS5OXe1djEwXNThMmQpBPT04un4E:9tVOO1dJTa1144u

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      f6443696313e66561de8a0606699f87b170317b79b832ec3fa91395d503a3e3f

    • Size

      1009KB

    • MD5

      0230fb1015985d0e43e328c72f9d98c8

    • SHA1

      96a53c65d6cbbdf0054d18258400547ab5a1c8b9

    • SHA256

      f6443696313e66561de8a0606699f87b170317b79b832ec3fa91395d503a3e3f

    • SHA512

      7608ccd420016472530e440c2c2976e1aeeb66aa99d4483e146f1206d657cc945bbd163b70a5620308eaf3291385cc9517822edb3bf3de6970e3d0127e14bf3a

    • SSDEEP

      24576:ByRsDICik0gGuggDbsVqImYHlcCORzoLdAy6KFf:0sTikcu5sgImqcCldA

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique (count) and ATT&CK ID; sub-techniques are indented under their parent.

Execution
  • Scheduled Task/Job (2) T1053

Persistence
  • Boot or Logon Autostart Execution (20) T1547
    • Registry Run Keys / Startup Folder (20) T1547.001
  • Scheduled Task/Job (2) T1053
  • Create or Modify System Process (2) T1543
    • Windows Service (2) T1543.003

Privilege Escalation
  • Boot or Logon Autostart Execution (20) T1547
    • Registry Run Keys / Startup Folder (20) T1547.001
  • Scheduled Task/Job (2) T1053
  • Create or Modify System Process (2) T1543
    • Windows Service (2) T1543.003

Defense Evasion
  • Modify Registry (23) T1112
  • Impair Defenses (3) T1562
    • Disable or Modify Tools (3) T1562.001

Discovery
  • System Information Discovery (11) T1082
  • Query Registry (7) T1012
  • Peripheral Device Discovery (5) T1120

Tasks

Task, score, and the tags assigned to it.

  • static1 (score 3/10)
  • behavioral1 (score 10/10): mystic, redline, kedru, infostealer, persistence, stealer
  • behavioral2 (score 10/10): privateloader, risepro, loader, persistence, stealer
  • behavioral3 (score 10/10): mystic, persistence, stealer
  • behavioral4 (score 10/10): mystic, redline, kukish, infostealer, persistence, stealer
  • behavioral5 (score 10/10): mystic, redline, smokeloader, taiga, backdoor, infostealer, persistence, stealer, trojan
  • behavioral6 (score 10/10): mystic, redline, kukish, infostealer, persistence, stealer
  • behavioral7 (score 10/10): mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  • behavioral8 (score 10/10): mystic, redline, kukish, infostealer, persistence, stealer
  • behavioral9 (score 10/10): mystic, redline, smokeloader, breha, backdoor, infostealer, persistence, stealer, trojan
  • behavioral10 (score 10/10): redline, kukish, infostealer, persistence
  • behavioral11 (score 10/10): mystic, redline, smokeloader, magia, backdoor, evasion, infostealer, persistence, stealer, trojan
  • behavioral12 (score 10/10): mystic, redline, kukish, infostealer, persistence, stealer
  • behavioral13 (score 10/10): mystic, redline, lutyr, infostealer, persistence, stealer
  • behavioral14 (score 10/10): mystic, persistence, stealer
  • behavioral15 (score 10/10): mystic, persistence, stealer
  • behavioral16 (score 10/10): mystic, smokeloader, backdoor, paypal, persistence, phishing, stealer, trojan
  • behavioral17 (score 10/10): privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
  • behavioral18 (score 10/10): mystic, redline, kukish, infostealer, persistence, stealer
  • behavioral19 (score 10/10): mystic, redline, kukish, infostealer, persistence, stealer
  • behavioral20 (score 10/10): mystic, redline, kukish, infostealer, persistence, stealer