General

  • Target

    r.zip

  • Size

    14.5MB

  • Sample

    240524-kghv4sbd54

  • MD5

    5369caa7a9ccf5163091b23db8c6085a

  • SHA1

    a65dc4b3c0fc03dbd941bf5f4c8d16b1d939976d

  • SHA256

    3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

  • SHA512

    f0d84d380b07099fc60b05d1aec2967bbf102e8de9033db77e698984b58c0c46db0c998cd97ca488772be825ffbb62b3c76364838b7ef8347fced22542d2b4a8

  • SSDEEP

    393216:qNAGAzaR8hlxkf12JnCzah1v10LFKy7kfrcwy8aba/C7ujSaB:qNAdE8hPkMJCmr90Lqw5nmcujS4

Malware Config

Extracted

  • Family: redline
  • Botnet: kendo
  • C2: 77.91.124.82:19071
  • Attributes: auth_value = 5a22a881561d49941415902859b51f14

Extracted

  • Family: redline
  • Botnet: gigant
  • C2: 77.91.124.55:19071

Extracted

  • Family: risepro
  • C2: 193.233.132.51
  • C2: 194.49.94.152

Extracted

  • Family: redline
  • Botnet: magia
  • C2: 77.91.124.55:19071

Extracted

  • Family: redline
  • Botnet: kukish
  • C2: 77.91.124.55:19071

Extracted

  • Family: redline
  • Botnet: breha
  • C2: 77.91.124.55:19071

Extracted

  • Family: mystic
  • C2: http://5.42.92.211/

Extracted

  • Family: redline
  • Botnet: horda
  • C2: 194.49.94.152:19053

Targets

    • Target

      131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432

    • Size

      930KB

    • MD5

      0cfe607a0e71e8e8185964b116396f08

    • SHA1

      67406c6194bd8455a7f7112787cef8ecfc17d060

    • SHA256

      131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432

    • SHA512

      1e3bf90ce8060d336f4eb45e920c6d6b544fbf3eb70cbe5a3f15d1dac8c385fca16409aaedf2fe6d72bd8e1a144d61c21ee3ef7dec7c21d79f2cbb6244c3d049

    • SSDEEP

      24576:iytg+WfHZn2cMrrPTotPR47e2EmHTsjF7k6:J8fHZ2bdilNk

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      227ab56ef5937ce1494f5b0cd787a052c624e8a674162dba77f9c8d6aebfbceb

    • Size

      417KB

    • MD5

      29661c435e2a1539b16d18c8cf3e89e8

    • SHA1

      f7b2baf441d7712466af4b2e5b421fac1cee810f

    • SHA256

      227ab56ef5937ce1494f5b0cd787a052c624e8a674162dba77f9c8d6aebfbceb

    • SHA512

      58431e6f238d97c73e19cea639f403a7fd53bc95f67586b443f28899f834a7f0f6f1e659cfc209c194ec1ad621c70ef451445458df71b5ec466bb4b5ce24270b

    • SSDEEP

      6144:Kdy+bnr+gp0yN90QEGQk1IFT7XtSbixnWrMiO6Z3ry4cLclR07Chm6SsHOpi:zMroy90BUIFTVncMiFYSlRa2HNH

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4537f51b0d234db42162223f94f6617d6df0e7eb077362a4b5249ab8da1e684c

    • Size

      918KB

    • MD5

      b8365d87b8119c3374d71028fbe72382

    • SHA1

      baa6b90ca7d0c8b3649819e5255c5523d7228740

    • SHA256

      4537f51b0d234db42162223f94f6617d6df0e7eb077362a4b5249ab8da1e684c

    • SHA512

      3d074a6e1fc5c1a37e75d656b21cb48fe384b287c007018f436e4e33d7f471703d884bb7f99931607a97885ecae0275b8e508e48bad56d26ef2cfff0480bc252

    • SSDEEP

      24576:SyfJi0RO8s7j4giInc2xlkIYQ6F0M2kjStFS:5RfyjhnWzF0M2kjKF

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b

    • Size

      376KB

    • MD5

      d31797dc0f17f69e5245e0a452aab2b3

    • SHA1

      9bd1e6981d8cde9f7db98540711101cd57ead02c

    • SHA256

      4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b

    • SHA512

      7de1f6f6b7354e684e0850fe3149253cddb01dfe9e7aa692c100e52f62ce5875a73d051a5f90c2a58fb78ea17c4fb46f706ae55c5afb694cf2315370230985f2

    • SSDEEP

      6144:V93K5fykNFVr5ywuibFEr3dyYAOI/CsqfCJijYXF7Z/2wk6CJOn0ttp:V9a5frbVr5ujxu7qfPjZT

    Score
    10/10
    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834

    • Size

      1.2MB

    • MD5

      56a2f2d0890ff16eb044b0a5778e7867

    • SHA1

      72ba83d1c6ed4ffaf733b1568d0d6398dbec43fc

    • SHA256

      4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834

    • SHA512

      115bd5b7617d63697c0de243e1e3b6544708d50c5a6d5c160765b838992ceb73b73f19016135e7fd1c0e2d70200c5e769e162952bda324a651d34f1eff72c9a8

    • SSDEEP

      24576:dy2i20A1nLmftA2TpmFJeqRzEhzasUml7gGt0ssGXyQl4Fj:42eA1WbTp8RKesUIzl4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0

    • Size

      1.3MB

    • MD5

      eb745fe2c2df0c9642e60c076ebbb8a8

    • SHA1

      cd9cf0966d4be269ab50bfb98635a74a0e958f57

    • SHA256

      62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0

    • SHA512

      dc88627295a2e54b31599818e335fc3e76b6ebe53e0d23a0405270516446c4325769b5f0772f30502c22ec92e30cc8be0fd4192937436f3d5395c678d0845db8

    • SSDEEP

      24576:oyM5I8I2r54QwinOnVK7oOKTX0fNRDgKwkGtUO5qcZ+ifXWp7B+WpwJMVd:vMCTQwiOVaoO7TwkGCO5qcI2mJAWpK

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6f4e5c3b3a8de995cf390c778532164b570dcf1ea9c58ab8797a7cc16a674a2b

    • Size

      811KB

    • MD5

      91d88f49ab29b31c90140453f78f3a17

    • SHA1

      d4fa424afe634eb614ee8f0bbcfadbf766f7f921

    • SHA256

      6f4e5c3b3a8de995cf390c778532164b570dcf1ea9c58ab8797a7cc16a674a2b

    • SHA512

      bb04a4e664f48b7242dcaafc224ab91ec036fa58bc71bdd2a3ed1586b291e38229df844c0ceb666e77645895f95c65b4010d0228ae18beb6f0c82085628486d8

    • SSDEEP

      12288:hMrPy90NL1K7bAhMzYjFnTqZImauCVpXaMZKjRFdH4lUbpvzK8YRIFK:ayAL87bsjZNmavVpK+KtFdH4mBE1

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d

    • Size

      1.1MB

    • MD5

      30ec8753ba08b1b439e43e84a4f02e90

    • SHA1

      a872df7ec9adaa22035b161ce6dad745e89a5a5b

    • SHA256

      775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d

    • SHA512

      593f922e0291eb7127041f4ce9868924817a3534d4dc67d69bc11127b721f2f33bb477654f4d74828d004d29c5862acf9f3022b706f2080cf238b8506325bd60

    • SSDEEP

      12288:+MrQy90QW+wWzj3Q6ks5eE/2NowcE/WEaDSEHxm5QsVGdqZnZQqHSqSyHU8GB88j:CyUQrtJE/WEsSWI3VlZQuhGBPni3O5t

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      80a8dab5792d1a02e87ec84b22f15eb4bbac6d7635c605250fb1379296e8ccf7

    • Size

      825KB

    • MD5

      400ee7963deca8fb4b658dea29bac901

    • SHA1

      f50fbbac4ee390ba843902f113d878ae566e0d3c

    • SHA256

      80a8dab5792d1a02e87ec84b22f15eb4bbac6d7635c605250fb1379296e8ccf7

    • SHA512

      4b0279621e180bbaa57368e9298d1e9450b78927432020b314764de367b9747fd0b99cd636ef1d25177d54f50d190f89436ef1b29b9a8a3bbacefe220c9982ad

    • SSDEEP

      24576:dyqpCSjfWexX/E0LoGYRV8lhQkQBJLZ/:4o9jf3vE3RV8QtB

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a28852a355422f5e5dba04ddfb954e654687e210441a284402775d3dbb8392af

    • Size

      648KB

    • MD5

      87c2bf856d8dc10849144dede5202769

    • SHA1

      9007a486e18cf372b8ddf8a3bd413cdef9381f93

    • SHA256

      a28852a355422f5e5dba04ddfb954e654687e210441a284402775d3dbb8392af

    • SHA512

      2e85590e7463ad805b241a1883031b133aaf7be970cc0c9b85817fa457694fed66dfc27b77cac58f94c00ffc17181e15b35b739ff1851ff423ce9d07001456cf

    • SSDEEP

      12288:rMrBy90DKGyD0LwL855NjeJkV1CmhQajfz9Z5Q8h6JBz0Lc64V:eyV0LwCjeJkV1CWNZ5Q8h/Lch

    Score
    7/10
    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      d02a87f385dee50b4399336265bbf8fe7f692201914bcb50c64ca95a35707f3a

    • Size

      789KB

    • MD5

      e901a5126b5649aa0c7b248de33fe187

    • SHA1

      b6a687468d47f518bd517ea63e8a8a53fdb11d8f

    • SHA256

      d02a87f385dee50b4399336265bbf8fe7f692201914bcb50c64ca95a35707f3a

    • SHA512

      96376d282f7f1af7ca4ac42367dd13e7b6aa5cd284a6b7cbbb1223a8846ee9d4f4976d0d76754c3fb9fcc9689278c803a6dda1b2e9af4fd4e2d8985affa124c4

    • SSDEEP

      12288:NMryy90YN8degBdF/RIqaSVJ3zQFo/DiK+BZhzSLU2qQCNQmhZNyztJqkT2j:nyT8dTBd9baS7QW7lkzSFuCyyz/kj

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      d0c1074be1d3cb22682be7bb947cb39668cb342942917997126020b102ea101f

    • Size

      1.1MB

    • MD5

      49d567d32dd0c1e1e61bf5e848c46345

    • SHA1

      84a6f4f0b064e024c714d235de7ad29e60831730

    • SHA256

      d0c1074be1d3cb22682be7bb947cb39668cb342942917997126020b102ea101f

    • SHA512

      d6e6e2ad69dc513fdf17b0502fa97f9fd269cb6269743050e4b3768a2b34cd52fbc7c852c6a6a3a00f912d5c2c6b17ed40f7f63583f3f370b74e9257bc2b74df

    • SSDEEP

      24576:Gy+DubI6MnVbrroOWonnRie4FLFyHm9M6Scvr:VUQI6M93oOWEnRie2LFom9Mb

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d4278320848f0e71f678149e0b9ee4ecac3b5305400ae7d69a7131364d60cae1

    • Size

      382KB

    • MD5

      6c3d6a9ec51ecc2a6a3d5a9c2dc110cf

    • SHA1

      963481fb03f578599ae2a1f891e1c4e543e3f7f1

    • SHA256

      d4278320848f0e71f678149e0b9ee4ecac3b5305400ae7d69a7131364d60cae1

    • SHA512

      9d6089355195b763262cfe6085161829d7896fdba1ccd6fefe9ac0021f80154ca455151a322116b8a50e3fe84918991b2a136500006e0d0a773cc7a2cca246e9

    • SSDEEP

      6144:Kyy+bnr+Up0yN90QElUJW+qa+JH06d1stdHzliEmcQPoLzk72b03tZcjtJRiJCU:2MrUy90PUAnpeKCXTliEmGzC2wc5riJ9

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d53f5a64de740270c801f8951781be9743b4ec40b8b353271cb0cbf0a4c8b8d1

    • Size

      383KB

    • MD5

      1b5eb87432b4697dac2f152e9d5be6b4

    • SHA1

      f0750a31de57e8343d78a74db781a6c68cb9af96

    • SHA256

      d53f5a64de740270c801f8951781be9743b4ec40b8b353271cb0cbf0a4c8b8d1

    • SHA512

      3a1d09762eb036305cf7ba74062c4071f7c055980443ea240ddd8fefe84a1d5f6d9c7808dc1b36f698a792ced50e5f27c133e0c5ef0aae85283b91f65b0129ef

    • SSDEEP

      6144:Kgy+bnr+Dp0yN90QE/j6LJ7Yxxs4CiSlttmxxk70t7iFuK5V67ufgSx:8Mrry90t69CTx8i7iNU7xy

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d

    • Size

      839KB

    • MD5

      ff24fae8745206c4269b6c6fa50b1639

    • SHA1

      3528935a1c923cf79eb507bdfe79e0af92dd7f79

    • SHA256

      d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d

    • SHA512

      46bd86945bf49339fb278337a13e0a52939673a4cd352c1dd2eac551e12bd56e12a50faf7f62da3d935b161ae9d8c6779ffc7130923d735c05f6a750547a5bda

    • SSDEEP

      24576:QyObegToqBD6bfxbOqgsmK//21X7gZYQeQAw:XhgHD6bfxbOgm2l3

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3

    • Size

      1.1MB

    • MD5

      157293e9ec48c365745959b8300b17e1

    • SHA1

      6e47a29b6f96c9a5f18dd25afc2d8e2a17792dc8

    • SHA256

      dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3

    • SHA512

      922146ea84fb7fae01c153329ceba4e265db7cfde77c38f3199c8d09c243a0ea12807297691f6542581c8e5b74aaa4e268c20d6d4b65639313364815fcb259ad

    • SSDEEP

      24576:HyMyx7uQwJpYPGJiYh2uUT0IG+HuZZx40dJcZv3Ph/KOSyUAPZ4KX8P:SV7uPa8ignrMHuZ0sOfP4yNX8

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7

    • Size

      382KB

    • MD5

      2600d98c44bf7addf229345421746121

    • SHA1

      5909cb291178933b0f40491f4ab2c43369fc7047

    • SHA256

      e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7

    • SHA512

      336ba8bf7b5a9c335772611b270795fb9b935f25adb757932c26e453798dfda6ee3ef20e48d749d8b99a5453c8e5ab4303e90ea50aea58dcbd5b68e030df81c0

    • SSDEEP

      6144:KDy+bnr+1p0yN90QEY5IfJpscWaUBETleouHWxRgvjbjVMEKdB:lMr5y90Ku7sqFzuHQM7KdB

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586

    • Size

      1008KB

    • MD5

      100602fe3e9beff6fafb32f8be16a64d

    • SHA1

      93941e2aae1f0f717c72cb708f41598b24908df8

    • SHA256

      e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586

    • SHA512

      db129a290ceb46fc264dabd3dca635860678bf936ae69813e7ab4a2efcab608a38689bb18b4219e3c19f264baa0bcc5997811a0a6a8181d7754a5ad28c310839

    • SSDEEP

      24576:jyRyvg2jeg6TBTHnRO2erkrkluTI7hLdyVS:2G36TBTHrikhTKa

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda

    • Size

      381KB

    • MD5

      6989654d4a8e854885b551c22957d828

    • SHA1

      ff366f5fcb1208c106f4415722c3dfdc83e5cbbf

    • SHA256

      f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda

    • SHA512

      2ac699e41092271a137ea2609d9b556a493f2ab1bd3afd5b7a4300a5a3a90e8639451a10c04a48f07d4053ac9091670a3353b223f109e7f81332cb5569cff161

    • SSDEEP

      6144:KBy+bnr+np0yN90QEBgipOiI8821AgFFBKmbrIkqlq8HCtYpJUnfCKM52U:DMrby90DgWOW8sEmbrIDlq8Hh7UnKKMr

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      fbd8d72f7e8046c650efa73c6d984945abfe9952bd8f67360b4658fc5138e70c

    • Size

      819KB

    • MD5

      7cfd257b34fae866ba8aaa6df8b08c12

    • SHA1

      cda2df546de510f73a7d41977e0725e4f3180ac3

    • SHA256

      fbd8d72f7e8046c650efa73c6d984945abfe9952bd8f67360b4658fc5138e70c

    • SHA512

      2a2e2a75b1f149d9304fe66690e7a2a712b17af9a6da0ede0870e137bad74243392fcfcfc564e79055913990976da8895bba3bb8755323064876e5f5e4dc125c

    • SSDEEP

      24576:uylD/6lNdDsTt6hNZP4UdJcVqNqhvKDiyU:9lT0Pa6hNiMMUqdy

    Score
    7/10
    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053) ×2

Persistence

  • Boot or Logon Autostart Execution (T1547) ×19
    • Registry Run Keys / Startup Folder (T1547.001) ×19
  • Create or Modify System Process (T1543) ×2
    • Windows Service (T1543.003) ×2
  • Scheduled Task/Job (T1053) ×2

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547) ×19
    • Registry Run Keys / Startup Folder (T1547.001) ×19
  • Create or Modify System Process (T1543) ×2
    • Windows Service (T1543.003) ×2
  • Scheduled Task/Job (T1053) ×2

Defense Evasion

  • Modify Registry (T1112) ×22
  • Impair Defenses (T1562) ×3
    • Disable or Modify Tools (T1562.001) ×3

Discovery

  • Query Registry (T1012) ×5
  • Peripheral Device Discovery (T1120) ×3
  • System Information Discovery (T1082) ×8

Tasks

static1
  Score: 3/10

behavioral1
  Tags: mystic, redline, kendo, infostealer, persistence, stealer
  Score: 10/10

behavioral2
  Tags: mystic, redline, gigant, infostealer, persistence, stealer
  Score: 10/10

behavioral3
  Tags: mystic, redline, smokeloader, breha, backdoor, evasion, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral4
  Tags: redline, infostealer
  Score: 10/10

behavioral5
  Tags: redline, infostealer
  Score: 10/10

behavioral6
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral7
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral8
  Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
  Score: 10/10

behavioral9
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral10
  Tags: mystic, redline, gigant, infostealer, persistence, stealer
  Score: 10/10

behavioral11
  Tags: persistence
  Score: 7/10

behavioral12
  Tags: privateloader, risepro, loader, persistence, stealer
  Score: 10/10

behavioral13
  Tags: mystic, redline, smokeloader, magia, backdoor, evasion, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral14
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral15
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral16
  Tags: mystic, redline, smokeloader, breha, backdoor, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral17
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral18
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral19
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral20
  Tags: mystic, redline, kukish, infostealer, persistence, stealer
  Score: 10/10

behavioral21
  Tags: persistence
  Score: 7/10