General
-
Target
r.zip
-
Size
17.5MB
-
Sample
240524-jjsbwsab65
-
MD5
0390187b05413bff4d0de67d69e156e3
-
SHA1
061aae8ca8ddc1200a63d84842202fc25c9cc6a4
-
SHA256
bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d
-
SHA512
75bfc0d6cc7e62d199ad9e04ea9a8cfffc4815a48e5a128e02b8a151332db514f39834cfc023582f5511a147f0e7dda676b0b04d16489425a487ee676cc2e37f
-
SSDEEP
393216:QvSS2ncNlHyb1AGggHNWqNFIkDegOVY7pm2FSyFBDN:Q65m2jBIkqx8p1Sy7N
Malware Config
Extracted
redline
plost
77.91.124.86:19084
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
redline
taiga
5.42.92.51:19057
Extracted
risepro
194.49.94.152
193.233.132.51
Extracted
redline
kukish
77.91.124.55:19071
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
ramos
77.91.124.82:19071
-
auth_value
42c0ec91d63648bb7119ab787aa3fb94
Extracted
redline
horda
194.49.94.152:19053
Extracted
redline
breha
77.91.124.55:19071
Targets
-
-
Target
0068388548827b89762c020630c0e79519dedb7b7ff6c4f1c625aca59fbf5996
-
Size
1.5MB
-
MD5
fc90bdeb8090c310f3f771447f6e260c
-
SHA1
1536e69cc76caf53edd224b3cc21db88cc3e8dc5
-
SHA256
0068388548827b89762c020630c0e79519dedb7b7ff6c4f1c625aca59fbf5996
-
SHA512
b8cfd2f9c103c45484f12afb0db0ba3eb9dd0fb65335e3ffec364a87b8694a6318081b8e9dddd3cd5d919d741193ab169e0782eca910a58eede2d2d0036a7857
-
SSDEEP
24576:6yxyuv9F7yl31JhViK6oag0H2MCsIAZ4TZ4YunVS+sp5rH8ELvuwKLhGISnY:BxyqFGl31XeZg0WFwSV9uVQ8BF8n
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Detected potential entity reuse from brand paypal.
-
Suspicious use of SetThreadContext
-
-
-
Target
13243e4dd58e70de2748aff5360c6262fe2a6de7562acb1334b8a8adbb876f33
-
Size
829KB
-
MD5
913d70432f75c66b7dcd9eecf8b40cf4
-
SHA1
f8fe21e3f16add7a4e1a53fd4e234fb58c060189
-
SHA256
13243e4dd58e70de2748aff5360c6262fe2a6de7562acb1334b8a8adbb876f33
-
SHA512
f050ddb67a87e1e835c9f84df51b0c0414e69f5c2d1c4ab457d4b10e1d8cd73201b8c3b5d4c999021470a7462b3d24037f1cac7b5841ec0e0076fd40fe163dbc
-
SSDEEP
24576:zy9MQf/lrMhhOGq+jePBjR/y/fYLOR46qzL:Gz/g/qzBj5ycw46qz
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
202040bebe757e0adc39d99b3d7327e79e0354b43f2a6c6fe0d1c1362d3e4198
-
Size
1.1MB
-
MD5
2a0c21ee9b17ce0cd8c48c3d0f9d977e
-
SHA1
d02d327e0e0a891de8f829d00605d537437d3867
-
SHA256
202040bebe757e0adc39d99b3d7327e79e0354b43f2a6c6fe0d1c1362d3e4198
-
SHA512
ea40fc8640943ed73e0f1bb93e1e7d8fc36ab4d417ff6a785330b1f5d9632d08a8e45499d1a86fba32979c853ffa80e2eafab786b2a2e822430f563b8185e333
-
SSDEEP
24576:hyWoAbkIuWxV6pLSGIuIuGqReUE/j+0hjJ3mK2ybqkm6YXUl:UZAbiEV6tLEUE//jkKfeAYk
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff
-
Size
2.6MB
-
MD5
c0bcbd6fc52faf83d90d164b9f48b136
-
SHA1
0735b86bbab76ed8e1930a049650bcac3b6a7c7b
-
SHA256
3a1c464610d6f381fd4237273e1990d1b05567b780bacaa50c4d2462441faeff
-
SHA512
370dd2f9cfff8104ad5bfc336b2e7c4e71ed3b8db7b4554278b2d2123cf406359643caa5304b5f60b607947992f86675560490dfd79368b812a817272a01c5b3
-
SSDEEP
49152:3MeeD89tUqsw3OHDAZzXrHxBvMrqL/MRjF6T9CJYNSKbyW3zV1OZoXmyd1Ouj2hg:d2ULVAUxvMrK/OjYRYKbyGzPOByd1Ou2
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
556fc723a7eab0f91113f11d7171070d3875bbfca8f5e2397500b5ee832c0310
-
Size
668KB
-
MD5
b4bef785be57804c1e24834a6ab4350d
-
SHA1
f3d72a3e355d8ac49cdb9a1a6edcda419fddd59d
-
SHA256
556fc723a7eab0f91113f11d7171070d3875bbfca8f5e2397500b5ee832c0310
-
SHA512
bbfab441a3be6e3932a6b4c2f5d72d02db063932a6953f187e62e8f1e74949dad45e8a95feab54cc6dc08559528f54da8acd7592c7db2c6bdde35a04a0949af8
-
SSDEEP
12288:GMrCy90or6LX9RTEXbdWPUx4rT7IivEpgOw0KcoeWbc0W54cT:0yRi/TELMRE6Owy/McX
Score7/10-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
5eb8ed45ba47d4135feaee11bbc17194ba1e8dfa693a293e370a7725fcfcd401
-
Size
878KB
-
MD5
2f644eed4a3ec1fa0b21ce67fa0c4f6e
-
SHA1
dc30e349aa5eec96b3f3d0553e6216717e60f2d7
-
SHA256
5eb8ed45ba47d4135feaee11bbc17194ba1e8dfa693a293e370a7725fcfcd401
-
SHA512
ca853264841f75ff604ac06ebc5e31f3865a8a370ca8269c6ce94e9c516ea114cda94f0d742d3bf558077272c03b8dbb2408e9a541da56399788d16fadf96109
-
SSDEEP
12288:NMroy90B+AQ4uNbPKMXaex4IC5CpCPHGt9PLvTMXiYQXDEzAavkuWc6ViZc2Ysxz:ZyIQ4uBSMXaeuIs+C/G/LYD9W5T2Yo
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
-
-
Target
663bf6b48c7a6589e9a0bbabacbb8b22b1556f79bd63892788caae034d162437
-
Size
621KB
-
MD5
e5784414634e1235d5efa773224cc37c
-
SHA1
2cbb86f19792e4923848679f2ce64b52de998264
-
SHA256
663bf6b48c7a6589e9a0bbabacbb8b22b1556f79bd63892788caae034d162437
-
SHA512
9999271c680a5ba9f3bba6669659d7b1b8f758d9779d5fd54809e93a9efe3ce410ca8fc5fc6b30ecf9df9425c0c300dd45ff4750359a3cf98c0aa8e2ddcc9871
-
SSDEEP
12288:DMrwy90yk8gapGMsd3dp9vSEF6v3wGrcc6ZgdlTvVfo2fREdCaGC:bye8gaY33j9v76v3wGrr6ZgdlTBFREYc
Score7/10-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
67dbedea2ea23fd4fe189651241dd1489f71cf6bb5803d660d3d7ecd91ff5669
-
Size
479KB
-
MD5
5de79890538ec9e56c749846ff57eb06
-
SHA1
9a85404f227edf8455d9b3aed7591539fb522450
-
SHA256
67dbedea2ea23fd4fe189651241dd1489f71cf6bb5803d660d3d7ecd91ff5669
-
SHA512
ac3452391e92fb42531cd0f291a6aad43e2073110c9e1ad20f5827f4647f3f898f21cb164a3c6e6271616cdb0ff3893a7ed9d6468f744ed62e59503bb8bad120
-
SSDEEP
6144:Kzy+bnr+Jp0yN90QEUdcwpvuLTBW0k2yAICL2eSuAsL53lqmDxTBUOF5zTOWrBax:hMrty902d12LTOXv4J1qGNppaWr2ug
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411
-
Size
743KB
-
MD5
8007f70cede5d57d0c0e7783516c91b1
-
SHA1
944d21a372168dc1b9b5706e6de4623fba31b4ac
-
SHA256
7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411
-
SHA512
b7e5748347a5ebb32f9dc6ce9fcf153a0484fff0cc5623d22d5cf1cb55a149dfb42ebecda43298d4fe3353c6bf5fc94b5697fd106e88faac3534fdd822f5c4f1
-
SSDEEP
12288:7MrRy90KTCaViOOvzI6irYlpoUHNoHhaKm3pouixDUD9I:qyL+axOL5JpBmno2uiRUD9I
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
820ec15efb9f2f70d27557121fc2619065a095a0db4a83720d911fc56bc7eedb
-
Size
1003KB
-
MD5
d633ba16a6a77e63044fd70f886471d3
-
SHA1
41da78358e41bd6d5b513cac508a66d913a35158
-
SHA256
820ec15efb9f2f70d27557121fc2619065a095a0db4a83720d911fc56bc7eedb
-
SHA512
b2439af134ba4ea592b46473f98a8ea16b2fad4af5acc4dc4e2cd2c977a54e454ef8e976654a0cde4d30883b7284970b7edcbfd3a13f371656b7843af8012aa8
-
SSDEEP
24576:Wyo4MtnVpaekIsZClGVltDwkbhRqc3LNDj:l/eDusGB7bhbN
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Detected potential entity reuse from brand paypal.
-
Suspicious use of SetThreadContext
-
-
-
Target
88a5b8b09ad1e32abc7fce3415b25a2aa7be90802b17e91d650f6961ee4e8744
-
Size
888KB
-
MD5
40607be14525e79eb0004ab99c5c4767
-
SHA1
a927972377354270313358ae9215cd657184c093
-
SHA256
88a5b8b09ad1e32abc7fce3415b25a2aa7be90802b17e91d650f6961ee4e8744
-
SHA512
59679bc750c9253eb4cce2e840616cac96fffc0632c314b1427fb8d73e422aabbdf9a511a2611258a01c5b570ab1e1b01ff751e374d190f8f2f2173d2a0ebc91
-
SSDEEP
24576:7yWXtYjSDrBNRzGDFv1JkyKbo+2VV+Om4G/khW7:uWXtY+5NwDVDrK8+22Om3MhW
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7
-
Size
1.5MB
-
MD5
86625ad75631f83ea4cd8fa7a4b14746
-
SHA1
bc7fbd2f348d7b584354e3600c3b68b85aff2fd1
-
SHA256
9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7
-
SHA512
93f578cc3a6eee6de5d609a8216fc2a600be8ab977aab66ec16c257281f7205e46331d182665249ab5a99a80238f1dbd7aa8aad7154b0f1e47e6661404aa3502
-
SSDEEP
24576:NybWSXHURab0mUxblcutLA4FH0mvqFnXhbmWg9KhGxtWLqNjE3Gx:obhOcuDUmmhqWYyGjW2pUG
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
bd0a957eaebb4aaad5274b94282e2e629645d3cfc2d373f90812b885800536c0
-
Size
270KB
-
MD5
fedcba531f97a219853ff2322af626d0
-
SHA1
b141998a2cf8032e977f2ea8d7a5de8721422c5c
-
SHA256
bd0a957eaebb4aaad5274b94282e2e629645d3cfc2d373f90812b885800536c0
-
SHA512
f540b590cb1b2933c928262a57246f32bc9dc1538159870e9a31dbc61fe78ff3d95306c1cba96249ae0c43765981cd7fe41fa289382531a6ce6ca923665a3aff
-
SSDEEP
6144:svpK3RlYo26KFCW8m3JqxAO1A591bVx7:sRK3zZ2tnEbA5
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext
-
-
-
Target
c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39
-
Size
1.5MB
-
MD5
19f3cbb17138af08c5bd91e3aab324c4
-
SHA1
f15720768ade102439f446c8d624b4149b603df4
-
SHA256
c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39
-
SHA512
1b8acfb018f9bda540ce0ec607a696925fe6578a1c140e13245a74c7217b006cb730c98caa48e0f212a696c5e6693a8ef0ff8090d2960758997c02c6c4083110
-
SSDEEP
49152:NZ7COdsQvIpUub/r2ypC7hex41knzA1GPL:fCQTkUub/ylhex41kMEPL
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4
-
Size
840KB
-
MD5
06a78e3337e83b49d1e9dc5681174893
-
SHA1
24a81377502011be71396b292bff433e7494d26a
-
SHA256
ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4
-
SHA512
11bf89fe44bf599e600ba8cf3769124f6907855eb8e1d09752e2462379d273bb1ba4e3d674a1db48cde3ffb268afe87d2fc6d34d4a3f24849c401ccc9258204e
-
SSDEEP
12288:EMrTy900DY29HfxRQe2yX84pcbj/I8ScC7CtYhUodFgUdmsJ/0j0YlL3I8B44:fy7Y0HfTQe2yoQpGtwngzIO0YlLD
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
d0c5f927631e1bb113c5cb5f1178cddd83c9fa595df60b9ffc903fe23c0bcb68
-
Size
605KB
-
MD5
0fb1a131811a12a0d0ad0d4541a5aba9
-
SHA1
4c07fea4019f52ce63d16bb4c377e4225c38a00a
-
SHA256
d0c5f927631e1bb113c5cb5f1178cddd83c9fa595df60b9ffc903fe23c0bcb68
-
SHA512
aca05ebce3ef3442caa6246f4d2477406240f773d1aea34f2f290b98896bc7acb1053aa930f32197be52d94693d514c74fc36ecf41625ec0d97466b92fb5808f
-
SSDEEP
12288:KMrby90W2qciukb5sgQoP8kvuQhyz9bw6YSG6N9IV3KpfPdcR0Z:By0Zk97QlQK9bw6Bj/IVo3dcR0Z
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
d3f2262a94435b8347df3ab935ed8eca2004e7db1ebf5da5384c7f7fe78efe31
-
Size
628KB
-
MD5
6340ed1fce00bcbde6403d9959542a3a
-
SHA1
f3388f75be6c3ae8a42145035d0d9167752d0fb4
-
SHA256
d3f2262a94435b8347df3ab935ed8eca2004e7db1ebf5da5384c7f7fe78efe31
-
SHA512
86198d3184b33172adb74875dd5159c90fe51a83604b58ed9d150dff96757abb1dd4f45fd7076cf91e04fc2cb25bf1534af754521a47e1fd64fc1cc278c17a7d
-
SSDEEP
12288:tMrQy90kQIiE3Zs19zg/ShSbDoHH/ECPK46mb:RyIIiamvzUGSbMH8IX6mb
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed
-
Size
382KB
-
MD5
49ab42ec06f1fb7a80cd3f814a6c04a0
-
SHA1
ef44e2abe916c31fcf960c7181be014043d5e1e7
-
SHA256
d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed
-
SHA512
04538c42df4c1643a55c5b561f56fc04e7c309e98a72e72acd2c01ded7fd42b836401fd762b55b19425d25db46d2295c3373b721b4ed69467eb64f4416befbbf
-
SSDEEP
6144:Kzy+bnr+Pp0yN90QE6MvKlW1Qy7/1UWASQfiwf3XlqM6OKE/ln7JN:BMrny90aoei9UWhwf3Xlq1UN
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9
-
Size
828KB
-
MD5
0296a9b7156cc99de76a868f0a85ddbd
-
SHA1
7ed4d6af60fea7e55d8d6d3fd08c81758c5a3f3f
-
SHA256
de4076a0397d9f3a10c9a7ec7c19d95dd219e5330592bc236b71f5cea26f87c9
-
SHA512
e8f22048e50bf5835511a83a41b5b382d22146d14770bd24c2174243952dd7181874fab2a923705a1743ba85d727e48f966ad441e592a67bb8c930b2fea9f4e2
-
SSDEEP
24576:7yJ8pn4Gr7TAzDeDZqUh3oeh3sA07/1c/OrN1vTLmFCav:uuRB/keDZNh8AT/OrnvTiwa
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593
-
Size
811KB
-
MD5
cf846f7c594cd193b3ed42192f1aa70b
-
SHA1
cd8d543d7f3e31185a888037df93b430684d18bc
-
SHA256
f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593
-
SHA512
b62d90a3b3556fdcc4d7c18eb86eeec31850c807200056558e037b40dddff2a0b7324accef115c7cbabbaafa29393f9b0c237f044c8b85b361a70974c779cf05
-
SSDEEP
24576:kyvaji1WUvRUmEyEihp3u3GRPYl7SYtdQ:zMi1WUumEyEihn+AY
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1