General
-
Target
r1.zip
-
Size
16.7MB
-
Sample
240524-jkt7waab95
-
MD5
7c4c57c07751e3812b174966a468c57d
-
SHA1
dd5863c39cc024dc119fae46fed0a9637afc578d
-
SHA256
eafc2bfbeaeddb89f86da75f29f14435b745b919f0b99dd1d0d30b9d33efb415
-
SHA512
55d48ef8a61bda967dfa933a53cb002efef24a431fda26743e28e3b8d423792de3f2ff000f7978ac67585802fa134e47e7f6001e8374c4ab249557bf491a2183
-
SSDEEP
393216:DabfVqA31s0L74coG+qlQfjA3dQ6cCiZfMnN/X69z:DKD1s0L7VoGHgAjM69X65
Malware Config
Extracted
redline
nanya
77.91.124.82:19071
-
auth_value
640aa5afe54f566d8795f0dc723f8b52
Extracted
redline
kendo
77.91.124.82:19071
-
auth_value
5a22a881561d49941415902859b51f14
Extracted
redline
luate
77.91.124.55:19071
-
auth_value
e45cd419aba6c9d372088ffe5629308b
Extracted
redline
kukish
77.91.124.55:19071
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Extracted
mystic
http://5.42.92.211/
Extracted
redline
breha
77.91.124.55:19071
Extracted
redline
kedru
77.91.124.86:19084
Extracted
redline
frant
77.91.124.55:19071
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Targets
-
-
Target
016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190
-
Size
636KB
-
MD5
14bf3b645a4a3fa119174ca38152620a
-
SHA1
647d39596c58fdf8398aa9509a70ef6e69ce0e9f
-
SHA256
016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190
-
SHA512
b89305ddf9b6ca81c0d769d740d5a52f87728a2cc58ff03df416ee0e775210c3b042f0c322e9057df103943097787869ac4d5fad23b55b78a2032a0752de48de
-
SSDEEP
12288:3Mryy90uN+HxJuPeXQP6XNK/2BEKDFpOsAQbPxySk+Tmno:xylN+H7umcn/upDFpOsAQFySDl
Score10/10-
Detect Mystic stealer payload
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68
-
Size
1.1MB
-
MD5
f9ea3474dbb9042c2d93391723e11290
-
SHA1
089f3964fbea1af9ca2cc7e6fbc3f650c492d026
-
SHA256
046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68
-
SHA512
9732f9bf8b8b4f1900c0b3b87e3253dc45ca79f1cb14e301c06c2fab42e74c31761b8b0650d431190f4110de7c44f6690ccc5c148848ab4e334908c0050cbfaa
-
SSDEEP
24576:tyuCIG0kTDLHjOo/4CJY9rtBg5/ZbLKGF0tUEqTXinYxJM6/K1by18oRt:IEYDLDO4Y9RBg1ZbLluqTXinuCF2
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de
-
Size
1.0MB
-
MD5
1e122a6f0ed6181bda7d4bf1eb33f793
-
SHA1
6b1eb80241e7e528ca1e807c72313668ae8975a5
-
SHA256
14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de
-
SHA512
b4bd70d297c2912540da9ec529070d31b9ef73b846a225fa4705402ba7fb75fc08c573512a8f7e0ed37476643b08455de7f68818b5677452a76f251c412cd082
-
SSDEEP
24576:hyKI2pjfsvcRzmYqFpts/vsBBpjW08KzPAf1pq:UK1f8c/OXovsjpK085f1
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
58609bf38be4777dd43032b4b64e68420854d83e377491d6356127f6c112181d
-
Size
895KB
-
MD5
c275615581b1a287c46bd4914c645377
-
SHA1
dd08381740c7105dd3f5bffd1b006410952282a0
-
SHA256
58609bf38be4777dd43032b4b64e68420854d83e377491d6356127f6c112181d
-
SHA512
aa616d9618d4abbf82b0b61f944f6beb655f1beb7cd66077706a63b299c08a58b977f813b61de7606b707d988cc50f556b12ca27c64a8756050c98034c0cba86
-
SSDEEP
12288:eMr+y90evp7ygaOcdT4rVF3XvoTELhfnxZOnok2+acz0vRquRC3KI63sNCl:syrp7ygPxM4lxZ8okicoRqxuswl
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
5e46be5a1605d21562eda70cd21e2675e650c3789e8dde9dfb908ec546adc9b4
-
Size
753KB
-
MD5
322d6f9c8ae6bcbfdc6bdf1690033868
-
SHA1
b01e1ed14b5c25ae7a818cc8115c7b454c27750b
-
SHA256
5e46be5a1605d21562eda70cd21e2675e650c3789e8dde9dfb908ec546adc9b4
-
SHA512
ece712f0fc503fbd6636c2423bfdd714a840bf1e7d2fda013adc58c5f481b669ee6ed299efb54bd55c2169b98fd969617179b15e3dd7ebd0a2dd3c8d2b700fd9
-
SSDEEP
12288:oMrwy901MTCuX1YYj/gL/2CQ44hzE46TzY7aHG2FWzB7kpPP03LwEKsmPO:IyS071YAhQxTE7yGPiU3LwTbPO
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
64220efa0582fe1aec27096123429aeb58dc263d43340ad6613555ad427544b0
-
Size
2.1MB
-
MD5
b19fd26a0c8f2bffa8943c00d03c5e75
-
SHA1
bf425da605d63e13b5d16f4eb884d791a5199127
-
SHA256
64220efa0582fe1aec27096123429aeb58dc263d43340ad6613555ad427544b0
-
SHA512
a2887a03670301c04b1d8bc36fa803726286ba0217dc3f533c745bd38bda425fdd08ea3cf0b6d304a6ac81540919524dbae6a3a5974143f8acfc55e90ccc6124
-
SSDEEP
49152:Da2AnhKw6IXNfUggg4WZuVwNBKLIlZsokAUJUSJiW1Hme:NLw/i4f20UEMUIiW1G
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
7252b3ba9094d91a1e12f9c9944f24ccf25c9a4c75e7f7e3380ca37b8e6bfbcd
-
Size
1.4MB
-
MD5
be9c6334a9f060d8e383c10608a271a0
-
SHA1
89958e3ef709d8e05e9b5bae33d09149098dc0d1
-
SHA256
7252b3ba9094d91a1e12f9c9944f24ccf25c9a4c75e7f7e3380ca37b8e6bfbcd
-
SHA512
094c026745ecc79e088cc0cdc4387c1f254a3d2c4e755234d914e399bda1bd6dddd5777f1e7bf1bdaa4a81ed9dab11cf4501fd363131a0309643a9e1f90def5b
-
SSDEEP
24576:lyU/Q553sqM2nXWkJ0MT9opnaX6RXVX6iU3jA7MvnhwmEY3Ji8KeMGCfY:An558NCXW4B96aX4XVXK3IMpFEYJi8KI
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
761baf17cd7e790b03075c76f9e902cd11700ce8b920d2741b04a70371069ab8
-
Size
640KB
-
MD5
54c00829bacd1fac5f4b3dd3ccddab88
-
SHA1
f240b2d3e965a8519ff74ceb16a32c54c94f52f2
-
SHA256
761baf17cd7e790b03075c76f9e902cd11700ce8b920d2741b04a70371069ab8
-
SHA512
8ba3f790616051fbad5142c887b050ae7589bf97b51b8c8ec1faba98689b6ee48b2ac543652cdfac240ce3c1af2f6a3c2f544309a903257000bcce614c2e2cdd
-
SSDEEP
12288:kMrMy90wSaqrzDRHYtbtxNKS7vr+BFVP5NjOFPUMhqOMDQ:Iyzor3RMbtmSn+JP5NCFP9tMDQ
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
79b34442d1c8507ff7bb7f184e63b7b674da3847ab0d3d8203b60c93467fa859
-
Size
1.7MB
-
MD5
0664c6a54c49fde112198a09288a6a2f
-
SHA1
08ee7fb3a8bb6f5cfba1c72a3bed549526d8f703
-
SHA256
79b34442d1c8507ff7bb7f184e63b7b674da3847ab0d3d8203b60c93467fa859
-
SHA512
9c465667dfd6288401f98a3005e4e5c133d7ea24d84aaf860291363ad025feb285d488479f9e1b69a34a4db2ffc0e4177ef72fc4a307569eb38874e5ed124adc
-
SSDEEP
24576:LyjV6NHr7qC6M/7jBDS4vfzvyF4r8+Xp1W1yvwMHvhRzD8/p3ytMf1cTFddk7Vut:+QJ/n7FtvbIivZ1YyvBv3kum1cXuw
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
7bca30b01b52faa483cb9bba6adca25589109b55d6cd6c01bb4219ef6d8f4444
-
Size
634KB
-
MD5
fd9bc66ceca8b5e95e78558334fcdd70
-
SHA1
0fcbf40047842e5c5b1b4fee84b6396b6f9b645d
-
SHA256
7bca30b01b52faa483cb9bba6adca25589109b55d6cd6c01bb4219ef6d8f4444
-
SHA512
8fbfcfe3590ef5588e8af5017362f4024e52a4aa25cc66d6e415857ba05fd29bca041b86ee969585f692f4203ecd59f054e3f01f88265b3abd183b77d4d9ea33
-
SSDEEP
12288:TMrZy90IkujYvPGmnqc3JQSo61S9WsQydCFJpq:qyFkujY7nV3Gkc9hqLq
Score7/10-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
-
-
Target
7f2d656f1a4331d02ffea567b5177c3a772a6a6e9c022b13e9042bd0dccbf324
-
Size
749KB
-
MD5
33805f2b53d2f319d3b41a7ed74278a1
-
SHA1
201de42d0319e08a3b40a9489c96a564f4b93a53
-
SHA256
7f2d656f1a4331d02ffea567b5177c3a772a6a6e9c022b13e9042bd0dccbf324
-
SHA512
77794e49ec66fc5b92e0ae589cf830fe6c7ac82bf48846985f24ead9cd453f3ca922d770c21d0241b75164ce4a07c98426343efda7a184979eac34070d5b5075
-
SSDEEP
12288:pMrBy90akPV3+Jj1f+wYXvVoE3JXwU3Ceszc+jy39BKwpVi3WkwPRImpi6pr:Iy3Y+Ft+w+53RUeszfgKuRkA+hO
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433
-
Size
928KB
-
MD5
6de73278543ec875906fb3c292e51098
-
SHA1
3b9acda7cde3eebd35aaa0cd287a79f13edcce61
-
SHA256
92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433
-
SHA512
81a541a41f9e96eb19a645e6e16d8c2dd80532d7186ba4aff04a6f5e1e38096ad4a6bcecf487a76dd922b708d8732ef0725f915b6d7f1b95cf1b8003314f761c
-
SSDEEP
24576:4yNx/u/e4828PhjEs++YqQ/q3GC6h38y7YdgecwmbDwuu:/Nx/Ee485Q66h3tYdge+D
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff
-
Size
396KB
-
MD5
fabbe9bb4bd6fd42e310e054a4990a6d
-
SHA1
0788c133a29974f06dfb39fd2e677d3376bfc81f
-
SHA256
a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff
-
SHA512
f12e1b7af0b9e398548a80afa33c264953f0c04c2ebfb815dead8543a8d34e609a923132d679772a7fabc4281a04173210af6e517e588a4315daa9cd2605068f
-
SSDEEP
6144:Kjy+bnr+fp0yN90QEnA1zC5RFAJGBOnZDd1w7oTizoqReUj2sqqMrUWfp4:xMrby90RSCfmJTZDgxzoImUWK
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
a9a24c6b40b53ea0f85263a4222bf4792c43b7f26287058d9cd536b2ceb5a779
-
Size
382KB
-
MD5
0323fee9778c98fb771fe21c7d5116a2
-
SHA1
4e6500f6d9afff1e52210ffcf666803edb74b95d
-
SHA256
a9a24c6b40b53ea0f85263a4222bf4792c43b7f26287058d9cd536b2ceb5a779
-
SHA512
fab3cd9c2582c9b79b70a4b1feaf57f154276d72b5d52e84d7816028b25edfb8f16d64c409a19535b48e81cf4d78434eaba96250173e8443814f7a124f330ee1
-
SSDEEP
6144:Kuy+bnr+Lp0yN90QE0FiOOECN5X7O/NunK4TiQnmLtx9lK7PT5mgn:iMr7y906OF5X7OAKRQnmJx9lKzT5mU
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020
-
Size
382KB
-
MD5
61ea25d77feb05e4700cba7bbf682ccd
-
SHA1
da9b0a03694cf3766fcd1b2438cbbd7094a893ce
-
SHA256
c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020
-
SHA512
acc7845555d396393e8362deb0ebcfe924ae2f51b195c0d71ee1a1300c2f3b474b9756137eed1e8d6c745838b69ef15620e7708582ee1e620b539ea23673c5c5
-
SSDEEP
6144:K2y+bnr+zp0yN90QEBoOVYvi8Qy1gPu7gsM/hlVj9NNqb4eIHukyZ6c+ea447dNx:KMrzy90ToOVYae1gPeyZl9f0bmHuuD7B
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
d30a3fe09c9a256105cd948f3eb2049778fcc4c34bdd05779bd39a344805a590
-
Size
421KB
-
MD5
cbdd721a570f358915a7aecafb93bef8
-
SHA1
3c849cac1c801fc0b88c54650592510a00c018a3
-
SHA256
d30a3fe09c9a256105cd948f3eb2049778fcc4c34bdd05779bd39a344805a590
-
SHA512
08fd1698d69f47a0d4024e240dd2d5f4c098ec2370813e96f18e682216ccb824185bcbc85f0cd85a2366de63a47a3eae3012c97610cde921be2267c27bd1393f
-
SSDEEP
12288:EMrLy90B+08qFUvuShyk/C0Dtolno1qQ/gBsne:nyD08qF3St/C025lQ/ve
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e
-
Size
819KB
-
MD5
f89fddde3d9714fc698fc708de161a7a
-
SHA1
1a9af029df06aa8cbf4a1b3e7e25079bf3c347f4
-
SHA256
d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e
-
SHA512
dc3153f743b911f934668ebfa48377756fbec4f102f836c2fb933b9344d08dcc742b2d58c4d3ed07060c886d7220ee84f130554dc791f106d8fa3ea05ea6acf7
-
SSDEEP
24576:ry1LboSWg7clqL9Ii9tvVtPQrIdnnw93:e1LsSWwcl6fvVtPPdnc
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e2ca05276c37a88d337993eae49ec4ac99bf1c9f9e56112366021c7a649bf337
-
Size
639KB
-
MD5
23b871d98adf8e627167bff2a2c43597
-
SHA1
fdf756924e8266a1f7c48e339dfd355fc20882cb
-
SHA256
e2ca05276c37a88d337993eae49ec4ac99bf1c9f9e56112366021c7a649bf337
-
SHA512
b93c4e78455e44886d501d8c4a27a0e958870e878765be46524ae1987472f3156eeea5e1a6b96adb26c186386a1ea4419ea19dc1ae6003077702e24932d9ca92
-
SSDEEP
12288:sMrCy90ZczjJFspR1UewQx2fM7Hbfozro8UcUo:OyPzbspvUC8MrbfoHNUcd
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a
-
Size
1.1MB
-
MD5
8928e859550f225a0fa2c3727e6f551a
-
SHA1
a2ac88ff7cdfd0337a2df772802de116a2001344
-
SHA256
e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a
-
SHA512
496746371015da58117348e6ba82f814f46a0d1fd5383ef1265abf968906f418bf09d9b3bede061ee57dd17187618a15fe21b1fd45aec12abea819163e86eedd
-
SSDEEP
24576:NyAHA7bV1IlZkQCi3ED34dM1gaqiANXL4sVBN3Hp0FbK4+Hg4:oxHyCiUD34n1hNXL7N3Gg
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6
-
Size
896KB
-
MD5
acb96f2c56fdf3eb258c2edae74918b8
-
SHA1
b4f63010294375e0655311a97aa2fbe840d04ae3
-
SHA256
fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6
-
SHA512
2e147a07f4f1f043ed3bdcb3a066e2d6b3691bf4d395c23f16c93c3ed6bd2d783e4b9b6e8b67dca4677bba1eeccd8919f41912caafed8c4f9449c7ee7d742ab7
-
SSDEEP
24576:zyyDiQj64i1K7jr+ihsg6rCm8dR9N4NuayU40/JOLuy:Gypj6h6j66+CHzWFyDS0Lu
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
5Windows Service
5Boot or Logon Autostart Execution
20Registry Run Keys / Startup Folder
20Scheduled Task/Job
5Privilege Escalation
Create or Modify System Process
5Windows Service
5Boot or Logon Autostart Execution
20Registry Run Keys / Startup Folder
20Scheduled Task/Job
5