General

  • Target

    r1.zip

  • Size

    14.5MB

  • Sample

    240524-j9rhaaba99

  • MD5

    93f8b6c3000c5cc944a41ca698193b98

  • SHA1

    d5743c63379502a72117000f4dcd00b2dda8f6c2

  • SHA256

    47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

  • SHA512

    e44f79a58e3d375884aeced54e4c8da57196c28760398c40bd535a3da82a1740f382fad16ac64c60be7f70e91ab23e42d8f4f2510dd17eb7fe1a2eca936f19fd

  • SSDEEP

    196608:BG4hzbm+87GOCdN05Ou0ZBJ5heziYaMb5EteUpnFC8x36zCXalUOPEn1APHIUOQR:okzsGOJ8FbhezRetbpn4Z+POM58F

Malware Config

Extracted
  • Family: redline
  • Botnet: tuxiu
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: 29610cdad07e7187eec70685a04b89fe

Extracted
  • Family: redline
  • Botnet: kukish
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: lutyr
  • C2: 77.91.124.55:19071

Extracted
  • Family: mystic
  • C2: http://5.42.92.211/

Extracted
  • Family: redline
  • Botnet: breha
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: ramon
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: 3197576965d9513f115338c233015b40

Extracted
  • Family: smokeloader
  • Version: 2022
  • C2: http://77.91.68.29/fks/
  • rc4.i32

Targets

    • Target

      3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63

    • Size

      758KB

    • MD5

      5177f9d2842b74a2be7f5aba232faffd

    • SHA1

      9b6c926c477183ff5682d2afe0cb62de976379c7

    • SHA256

      3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63

    • SHA512

      6fa2f49b55f799a8f82a8d520db344383f645c834291d731278a08e344309a9d7064ab6123e56d43a00fadbbd79694d85355b011a145aadc607137bc26befd15

    • SSDEEP

      12288:YMrfy90krNR62zK5vnO9DfvHGmnqc3HJSo51S92qKytTWWzkyJyl:HyTNR61nO9DfvnV3prc9JNWoNJo

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Target

      498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f

    • Size

      508KB

    • MD5

      e6833a21a604a3c8ab01355dcd97b2c2

    • SHA1

      4809d45faa3a7bfc8d8b30b2733e941bfb4fb52e

    • SHA256

      498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f

    • SHA512

      c66cc61603a7a0f3f329ec95bfc82a747a0b0cd64561c9d5d87d5e21a0cbe468ccee5d55a4fd7ef56d278cf8b50319e7500459802741addf3ea13519350e68e3

    • SSDEEP

      12288:gMrIy90lSHpAvVRYEBOhtCr3+903jhZ2XQe:4ySgpSVRYZIuShsXQe

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd

    • Size

      1.1MB

    • MD5

      046b3bcfc5dd07fa793b5b9fc44534c6

    • SHA1

      98550b4ed41e9bf23ab492a09ac21ef451f130ed

    • SHA256

      4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd

    • SHA512

      5050898ba55a16ca78bd5274f784079aafa782c4d6d75d29024b69d3cb38c47713818caa7341a1aae7e99f0f81592d42d35f412599b904ba895f37e2abb530c7

    • SSDEEP

      24576:HyHqpwwEbEGPY3bIAvlVLpaAy5SZ3+lyszXxadKi4zRJ:SKpZEYGP0JlMAykZ3+nAAR

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e

    • Size

      640KB

    • MD5

      4e69763de347a093660a29f805ebc4c2

    • SHA1

      36a39f3eb16a81a3b16e8b65a851333825840cac

    • SHA256

      532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e

    • SHA512

      f1be611c111dc3893577b2cbd02dbfade9e2e06a799433ca037e74a661619a5919bfb44a058b982938e3c66df2feee4bc5ce194d83fd42edd6fbdd5e3555fab3

    • SSDEEP

      12288:nMrjy90j+Hx7kmR2WHBkmHN8wfWSq6vFjMaXXRLc+:0y4+HkM5NBWSqWFjM+

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded

    • Size

      731KB

    • MD5

      112db50547c96fbd04324315704f6e9e

    • SHA1

      418dd3a11725960471343871707ee5fe19499344

    • SHA256

      5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded

    • SHA512

      9587f5f04c4f2c2b771669cc5e7b33c961330dfe571eecffc5b68b7de14c269ad970236b139a5ddeea9c54f13086dd53578d657943c601513f383e6215b8af47

    • SSDEEP

      12288:yMrhy90NIIWVW8iKoQOYUxgVQbrpqBImN3V9zMniNPmRSIQPgOb5G/iGKzKh:7yWlWzOQOYK3pqBbbqidmgIsgOb4zKzm

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf

    • Size

      941KB

    • MD5

      80d8470174fb9248378b139c425b1843

    • SHA1

      efb142c6bb25531517d5a25c04591e3fc08075a4

    • SHA256

      59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf

    • SHA512

      50ee796d88510be9f3999960a84061745034a1d997b12cc1fb150ca007af496f7cf81cc4b54de6db713fbbcfb2183df159d9ad9e4f27ce77a5b42939fc379f20

    • SSDEEP

      24576:TyctOyhluqSd8Euzhsse5O7gJIEY7JptxTp:mEhluqSdGlssBytebt1

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c

    • Size

      580KB

    • MD5

      ebcfc4500d1348332865ccb96be87f5e

    • SHA1

      f78a388d5a8c2718527181efee63aaf139954e0b

    • SHA256

      6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c

    • SHA512

      c87b17990cb308806e2e9048000155d488e3eb36655bb594d4efaaaf09640ea6753dcc1e55d17b55dd14f77a72701594b22e5719eb2cde3d2b5343f5bf277680

    • SSDEEP

      12288:iHU6GzAGLY4kowmI7VujGeY99pTkyIGtISDoxR5xwUiQ:iHbSAGxI7BqyIGtISDoxR5x

    Score
    10/10
    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73

    • Size

      269KB

    • MD5

      7026e3aa9f50316cae3b6011c9203154

    • SHA1

      b03356e80698e90ac1548a4086d8ebf84daf12d1

    • SHA256

      8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73

    • SHA512

      3de786fb21f2717ec49fb49705dd23f141293eb2d1437a7be4e20dc30f95d749e69473d22ea279c8d9bc76fe0282a030070cf68e1d1e7055ec2d77639c62e951

    • SSDEEP

      6144:VVqctlMQMY6Vo++E0R6gFAOzTEtftXg35:VVRtiQMYlXVT+Fw35

    • Target

      86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4

    • Size

      826KB

    • MD5

      30b6a63464e5c3c721abfd7eb4412bb8

    • SHA1

      45a11c3a7f3aa12282027ed8a147e0f96735c480

    • SHA256

      86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4

    • SHA512

      2dafd947ceb398df19d7149cbc86688d72156693a3a02355b7aa34617de335a2dc2dd1f11b41bad5f66b0bbc99ac64503b3a250e494aa28f61fa4343d5c7dcdc

    • SSDEEP

      12288:FMrny90tZN3wv3qLsF3RUBaR4Ocar3t9wZO6L3VGhr8dbVpR/G478h+mtfrAj/w/:+ysZN3w/TFBmOfku8dZG44dtcws5i

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f

    • Size

      1.1MB

    • MD5

      d4eb079de1ab0ac84e37b3962f93c7fb

    • SHA1

      5a3d086afad18c9ff744920abcb1ecdb7ea21e7f

    • SHA256

      9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f

    • SHA512

      7cf20358baa6de9e1cf07cf075e5207114c39422354357550a4b4373c7b658e104382672006e520831022f229d946847b625d6e9d2e766e298ef3143a5667927

    • SSDEEP

      24576:qySdf32T6YZO24dqCqceSWcxTkd0p3FyXiNjkEtLxPj7bgOU:xCf3+Hc7KSHqC3wSVxPjIO

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf

    • Size

      815KB

    • MD5

      e949d651f3fdf0479844a312e08b0f7c

    • SHA1

      694dc2dfcfd543a69ba5af447b9f7a4ad366afca

    • SHA256

      b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf

    • SHA512

      3631d871c90f7ebe86a3f30ccbf9a3ac1b4cb0d14ca0e3f7a8910876394e65ab0e43767e46ef6e45b0c76d8cc72d63f32b69e0596bada34b73e7acdb97b63f0d

    • SSDEEP

      12288:AMrPy90SfXgZbiFJqOHSSPj1BPxQO9zOkLKQaPR6bQy42M/XLarjwfAtTyEG2:/yHPiiXXNPV1K1Z/fZ/XurjOclG2

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      b84e93b22256809e5241bcee59acc31b9865bdae579891d641826e1e159b15f7

    • Size

      744KB

    • MD5

      bd482d8ccefbb511b7c14817c174619b

    • SHA1

      23d0bd597726387f3efb5e5d7f1949250fa4f60e

    • SHA256

      b84e93b22256809e5241bcee59acc31b9865bdae579891d641826e1e159b15f7

    • SHA512

      07f6d45da2b34949c843dad1d125569ba9cc52601eaa3d45eee7c327aa058cb9a6ab2265509d1dbf59bc16e68860bf77313e0f04e015a86bc74f87a608207fbe

    • SSDEEP

      12288:5Mrhy90qaiTvT1+x73gyrtJ1gMwJZnMiTc6ihgJBbFU2DaURZeS8aT:0y8irT1+xbgy/mhMW4ubFU2DFXe3aT

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b

    • Size

      577KB

    • MD5

      7e5a5c1814794055b55a04fe525a125e

    • SHA1

      f42f766a75151ab8ff7c688f43fa30b430d9ca84

    • SHA256

      bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b

    • SHA512

      331744e8b2b3714ea2cbe6c0a4480f7b0f251304b62c962384aed768219b58154dd59245498894aef3b2bb0a9c151a527cc6e8eee40c4942c5a4192cd8be22a6

    • SSDEEP

      12288:CMrLy90iloIG1yJErQNjCIZai9X5doTSPWJZqxsc9:hy9blAQBDaiN56TQW+xsO

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c95a5553b1a709f22bba8f3f68e6c4c0eef94f99fcf143faebfb68ead35a0f1a

    • Size

      640KB

    • MD5

      0914224943c0087d896a2876e94b3e00

    • SHA1

      573868ff775ff39ff79890046182780d019a48f0

    • SHA256

      c95a5553b1a709f22bba8f3f68e6c4c0eef94f99fcf143faebfb68ead35a0f1a

    • SHA512

      921e8b46afa64aa5fe07ec47125ec273ef7722c1ecf796593e0c6cbb527690ebab86eb5849d6a86a4f5a010faa01166c4e8a248805c75d6d22a633f9909e8f9a

    • SSDEEP

      12288:pMroy90uz5t7W35T0tDyS1uuYB0fJr2NcoP4G8g4PGUijAXhp4ey:1y5XKR0xySJbxxox8gZdEx1y

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5

    • Size

      820KB

    • MD5

      d33443b48c9399fb7256af55874a82b6

    • SHA1

      b6163279131f120ace8ccea306480ee4d507953b

    • SHA256

      ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5

    • SHA512

      71f3f23f7325fd17836c065887c7eeb71e955117cd98a02c3e5ab2ed61d49207c611c8712c33f6d63c3a0b7488e6b4e37c7cf07f1f57bdbda24f615fab64c13e

    • SSDEEP

      12288:1Mrty909/n92wPfDYIalgf3zW6dRqymoT9WVSTpwESCqScmndB/Nj/iwAYGhaju/:wyOFxP7YfCBLWQ3nddR/puvWD6Erw1

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256

    • Size

      1.1MB

    • MD5

      8dac299e092f27165c51ef8f3dbb4abc

    • SHA1

      e9766391e0d24fda435682e27203453100dd66d0

    • SHA256

      cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256

    • SHA512

      f8f780c9852570d62eba8ee2c1578cb76dadfcdafb4dde3384913ce84b8d27f3b02af39891e629ca8812b328c8f8a657e9466ba3dbdad4f124f873ba45f85925

    • SSDEEP

      24576:UyxHA1Gjwbjz572eC77204/eYoTVoeLZlYzLU:jxg1LZ74m0xPL7Yf

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4

    • Size

      1.1MB

    • MD5

      95573ab04fabc6686129f917a970354b

    • SHA1

      580c9581f15227a6f3b338d4cb7c50faa77e0cf3

    • SHA256

      cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4

    • SHA512

      cf50641dce3a009b68071be0e80df5778a3344fecdf328e1b44e91b5e8b1b555b12543a1f799124862a6db13af3af0c6f87680ec2fb81cff20b1c682fe78d89c

    • SSDEEP

      24576:fyjP1DXW75bmjvQpgiIjaR1ai8mj2sGEcSC3R+gAGxD:qjdDXsy0rR1Bd2sGEcSC33nx

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d211b73bae9760b12d1e027c009a4d8f4dbdb34ba630703d65ca56fc612e45c6

    • Size

      881KB

    • MD5

      57f9cac20f1d2dea1abe7b8f95275437

    • SHA1

      fb9118f831cf8c9b283ec98fa90d619119545682

    • SHA256

      d211b73bae9760b12d1e027c009a4d8f4dbdb34ba630703d65ca56fc612e45c6

    • SHA512

      652b53be10e17b02602401cf340d7b458a2dbd6e9d54641a9682a8cd8fe58fc6fce77bbb4b1926839fd17874d7254597ce02ded499cdc3baf4858ea9e8c13408

    • SSDEEP

      24576:GyDydHoMaeUIsECtGsPYD964moblfbHvL/:VsIVezPiGTh5

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

    • Target

      eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829

    • Size

      908KB

    • MD5

      a3bea3c18870dbaa2c6832ee2a3f75e4

    • SHA1

      901488b975632e3a2f69a1664fcbb791948b0963

    • SHA256

      eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829

    • SHA512

      39d2d54433770f5855204506501c06c06e9a0ebca82b5a332833ba14054e4f2329d6872ff38fcf30288f2613614e28b68fa6f059bb2d042bb35a2badf143f912

    • SSDEEP

      12288:lMr9y90hbegZ6/VgVqr3o+asbZc87BUD55HyPjixx0mOYaSc2G8IQo4Ha/mLu:QyuebgVqUsV3B+iPjiUmOkc2G8g4YN

    Score
    7/10
    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018

    • Size

      819KB

    • MD5

      616b55a6e65ff99109b6d5a590cd3f9c

    • SHA1

      037a52fb3c6563eaca5280e5adf4eecaf2e0373c

    • SHA256

      f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018

    • SHA512

      fc8a0a7aeac420d373523345c83be3567cb7a3e70d288501a831163eaf2dd00891be5eab8233ce51aafbd1af4d257c7f5e6d8400df7effec339afcc9d59025c9

    • SSDEEP

      24576:6yFZERTjpzjmGYPTNZ0Pd88HIEWaFJ4zd6:BFZExjp1YPTNZs8udhf4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1547 Boot or Logon Autostart Execution (18)
    • T1547.001 Registry Run Keys / Startup Folder (18)
  • T1543 Create or Modify System Process (4)
    • T1543.003 Windows Service (4)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (18)
    • T1547.001 Registry Run Keys / Startup Folder (18)
  • T1543 Create or Modify System Process (4)
    • T1543.003 Windows Service (4)

Defense Evasion
  • T1112 Modify Registry (23)
  • T1562 Impair Defenses (5)
    • T1562.001 Disable or Modify Tools (5)

Discovery
  • T1082 System Information Discovery (12)
  • T1012 Query Registry (9)
  • T1120 Peripheral Device Discovery (5)

Tasks

static1
  Score 3/10

behavioral1
  smokeloader, backdoor, paypal, persistence, phishing, trojan
  Score 10/10

behavioral2
  mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  Score 10/10

behavioral3
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10

behavioral4
  mystic, redline, lutyr, infostealer, persistence, stealer
  Score 10/10

behavioral5
  healer, redline, ramon, dropper, evasion, infostealer, persistence, trojan
  Score 10/10

behavioral6
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10

behavioral7
  redline, infostealer
  Score 10/10

behavioral8
  redline, infostealer
  Score 10/10

behavioral9
  smokeloader, backdoor, trojan
  Score 10/10

behavioral10
  smokeloader, backdoor, trojan
  Score 10/10

behavioral11
  mystic, redline, tuxiu, infostealer, persistence, stealer
  Score 10/10

behavioral12
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10

behavioral13
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10

behavioral14
  mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  Score 10/10

behavioral15
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10

behavioral16
  mystic, redline, lutyr, infostealer, persistence, stealer
  Score 10/10

behavioral17
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10

behavioral18
  mystic, redline, smokeloader, breha, backdoor, evasion, infostealer, persistence, stealer, trojan
  Score 10/10

behavioral19
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10

behavioral20
  mystic, paypal, persistence, phishing, stealer
  Score 10/10

behavioral21
  persistence
  Score 7/10

behavioral22
  mystic, redline, kukish, infostealer, persistence, stealer
  Score 10/10