healer | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Sharing

Copy URL

Twitter E-mail

General

Target

r1.zip
Size

20.6MB
Sample

240524-klqrhsbe89
MD5

cc21953f033463dfd04e04a16428fbbb
SHA1

542741ff47cd47d47b016540dc99866998a8bb11
SHA256

be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0
SHA512

30e5bf74af8916d32fa056913da38caf5c20ee1d23934d988a04b18973faa23174ce5bc2f5de6aa3b1e99c2bf588935dfdf424de5a666bc905a04c238a96fca4
SSDEEP

393216:U2A/YlwgbQNBuScF+ra6AJkAvthSBGPllpn/xv/UE+LZAF:d1bQ7uScJ6AqAPntxv/UE+d0

Malware Config

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

193.233.132.51

Extracted

Family

redline

Botnet

@pak_1111

45.15.156.167:80

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

redline

Botnet

vasha

77.91.124.82:19071

Attributes

auth_value
42fc61786274daca54d589b85a2c1954

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

mystic

http://5.42.92.211/

Targets

- Target
  
  04079e58020489439890f3d5d0980b8ad79ac8f655923829037345651f2f1b9d
- Size
  
  1.1MB
- MD5
  
  51bebc9c1c8f8395472baac3355b136e
- SHA1
  
  6b04ab59ab7bb5b6c218d5233fd1c1bc64246fb9
- SHA256
  
  04079e58020489439890f3d5d0980b8ad79ac8f655923829037345651f2f1b9d
- SHA512
  
  b32221f514e8c61901fe485494a2b6effe4b8ab072defaaa560a84fda42d4a45e7a7d82849ade3997b58da2c158e55ff7345d638c3b245f7f939ccce471e64de
- SSDEEP
  
  24576:3yhNmGHppy3h6sE+TQL09aMWUKwjfdODbGr57xrp/fn:CGGHpmh6AML39GOH2d/f
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  1c1f4eb981ff56766e6798073020add168a1f4134cf43e140302c7cec4a6763b
- Size
  
  2.4MB
- MD5
  
  4318bdec1083890925ec1993a5bfa5de
- SHA1
  
  d121b261673cfd0e47e52f61a4ef837c7352afef
- SHA256
  
  1c1f4eb981ff56766e6798073020add168a1f4134cf43e140302c7cec4a6763b
- SHA512
  
  22195e6069371a8ffb2e2aca86ed07646a130cb0bf52fab5e2e1a2d869f94a87db42da02da120efa3ce890bbe100e153fde97ee8a676cc355a30472cfa09d531
- SSDEEP
  
  49152:0nVWJ5rjsk17x/62quYUDdA5DE46JQPyVSxEVo06LNo:qVWrjD1AmiDE4Es4S1L
Score

10^/10

privateloader risepro loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral2
- Target
  
  2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf
- Size
  
  1.3MB
- MD5
  
  e19af8058d1c10695db59ff06382095c
- SHA1
  
  74879eca322c96e26ccc9d52b87c3f47d54cedf4
- SHA256
  
  2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf
- SHA512
  
  2985aac9377a1d12090a1db16137338715ff9c5e857096f4b33b37f6f2af9463346e0ce859324c5c1f15eee83885f1c1d2ceb6ec9d3d00a6033e437d11af9dee
- SSDEEP
  
  24576:0y4htUc734dBIbW67vwZTO5aS/Fg4PE5jPBgBUZKA7/lkk5EA:D4htv2y7g0g4cZRDjR5E
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  3aa30d5528ebe1b7856b26587d689c01c4a94547c022f9b29bb7c32708782f5d
- Size
  
  789KB
- MD5
  
  4509a9ed90c71db03304cd1974494162
- SHA1
  
  3081dbb1ef14a1bdb33380c54fca4d61b41c7440
- SHA256
  
  3aa30d5528ebe1b7856b26587d689c01c4a94547c022f9b29bb7c32708782f5d
- SHA512
  
  981ab92063c4fc96cf995b410997770b309475f528b366d5c65115e600a5d69d48af747a832bc41d963bc4b3cac575128c6d76d302f9e97b6cbc9150898f80ba
- SSDEEP
  
  24576:XyJ8dTBd9baS7QW7lkzSFuCyyz/XMFao1:iJuTBbvUW7lkzSFfi0o
Score

10^/10

privateloader risepro loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral4
- Target
  
  46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659
- Size
  
  829KB
- MD5
  
  da086bd413b2fb3f8311147d782bccc4
- SHA1
  
  c78490af8811ecb11627b5ab10e1d6466ccdd45b
- SHA256
  
  46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659
- SHA512
  
  97c12d0fc6a0e6f2f791f2659aea7397cc390c9e3555bcb8e33927def01bf4ff0f8ddd385fcbf83d7b0f4639e095611ed8a460b42c69cec0d55c07e45eb0fc25
- SSDEEP
  
  24576:TycRdHoBf/o6noHZu574bAeS49Lnmzmmy34/uCr9:mI4bn+ZuV4Mel9Lnmzmmy3Qu
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  4cc86e1dc4a166b675f01f27f52e179d83773f43736e54f40427866d6708ef05
- Size
  
  389KB
- MD5
  
  cbc1bc876e032088ab512403204cc827
- SHA1
  
  aa349b052ff18c150118965df111e3b9e256cfcc
- SHA256
  
  4cc86e1dc4a166b675f01f27f52e179d83773f43736e54f40427866d6708ef05
- SHA512
  
  cc78286a9dbf4ab59aa606c22097a97cd64309f6aac55b9fdf7c673ead1d6f1f9a1b16f99233639a6f811bc931d23627b06265c9304e80669bdee46e19bfb879
- SSDEEP
  
  12288:tMr3y90HFeSD9i3YJTUs2Wug+4+wS7EFut60WtNV/c7FD:yyWFeSDM3YRz2WuHUSooI043qD
Score

10^/10

mystic redline taiga infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c
- Size
  
  1.2MB
- MD5
  
  b98446b0f18286a42da76de220776baa
- SHA1
  
  a71b450e1661dcde86def137230b3caa1b55e6a3
- SHA256
  
  61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c
- SHA512
  
  a3880d6f69705178d6847e326d54f30a2bd9f739946426af2125502ee32a494691cf0df1a1e55e34c17a9bd3db4291e98e67f7db8accdf50166e201299532e08
- SSDEEP
  
  24576:iyEr/lyO4yJtpTven2JuR98YZ1uIEUs74Vlpu4yNkXPGLJpqYm:JELfVJtpnJuh1uJ374VXu4sEPGLJpqY
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7
- Target
  
  6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4
- Size
  
  1.5MB
- MD5
  
  6c897a3879043ccbab5e695cfe6a5bd1
- SHA1
  
  35d1b8b5097a9fea72de3b14e54c7ab911b798d2
- SHA256
  
  6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4
- SHA512
  
  b849cf54fac1c49774904d68f9df27c271d9124857c2486684eef308a7731602aa8f6166b1c58c4cf47698da71fdcbf470123a4a731db60b1fc11d475181924b
- SSDEEP
  
  24576:3yOLPlyv/2XMP7A9V02yvQKDU/spDChnT2Rokh/1WIvUHpGy3NiPXTBNSvh:COLPlVXMPmpyvBDU/4ehqR11vcEPXTB4
Score

10^/10

mystic redline kukish infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  70f5b2bcd00d4e52e3ca12b277c6e1cf6e5f1d2359e7655daebb44704158a4c3
- Size
  
  285KB
- MD5
  
  421ff85e1ad3a04c83e0a69305fe86de
- SHA1
  
  4da831e00dca7923f3077a1ddaae0b21e7bcbcc8
- SHA256
  
  70f5b2bcd00d4e52e3ca12b277c6e1cf6e5f1d2359e7655daebb44704158a4c3
- SHA512
  
  91f75cad0f7ffb9b6299cb55b7aceca39805e533529083151d31649629e0786319601fa95abe1759ebec4d9e96ba4faa1b9bb6d30779b23bb8b619e190e7d45e
- SSDEEP
  
  3072:gJ5h+cJjNKyxPs788qtOV+juc2/hJgydZKt4q13MjAB6k90dppxCIDww674g:gllzPY88TV+jyhJpAwjAB6k9Wv69
Score

10^/10

redline @pak_1111 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
behavioral10 behavioral9
- Target
  
  7363065308e9d849d49ab200817eb5d2d06c3616dc4e643be8502ff7eb2c0a5d
- Size
  
  830KB
- MD5
  
  79c8cf16dce99a95ba30db49a81c33fa
- SHA1
  
  e7ac6ed98d5207315136c1b4e40c25ddcfd4b114
- SHA256
  
  7363065308e9d849d49ab200817eb5d2d06c3616dc4e643be8502ff7eb2c0a5d
- SHA512
  
  eec0acb3ae314573ec3fd45444c13a0683cd8ac8bd2926aa886aba22b32f49150dd989e8aaeb4c049d8725a6b0eccdfc5e309e8801f704c139e84e4287df4d34
- SSDEEP
  
  12288:eMrLy90ne1BEOlsRuK5Ia0HVKixmDy8lu9PTJDiFQg9U56EXGnvs9lE8h7gXDr8F:pyXHHsnoHwi4w1DiH9U5zWvIVvUvWLD
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  864fc029724f0d9d2cbfc5469cf806bb3431fdde2ed473a19fbb890b3282bf03
- Size
  
  605KB
- MD5
  
  5232c11ee090fe4a8fbde69d1f452ba2
- SHA1
  
  ad508a34f36f8f0d1bcd7b06fc3e79a829a1f374
- SHA256
  
  864fc029724f0d9d2cbfc5469cf806bb3431fdde2ed473a19fbb890b3282bf03
- SHA512
  
  76c8261dc7a2dc3c849c2b0e4f36751604a969b2ed29029552014d664e7342b11472421330e3181126c87ba0e5cd4f14597a1fe37c0a28da54a21433f9b95270
- SSDEEP
  
  12288:LMr1y90+pMc0JJGdc9wvughyZh/rgUSt9F5vhz0Gz:ayOcU5zguFUvhwGz
Score

10^/10

mystic smokeloader backdoor persistence stealer trojan
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral12
- Target
  
  979a085483810f4b695eb3d0c531439887861b90277b6ede2d4f9eb7983065e6
- Size
  
  2.1MB
- MD5
  
  99a389c18760e665521f58e72b6d37c4
- SHA1
  
  46b9a5f47d6f66a64154aade27a90155a620e07b
- SHA256
  
  979a085483810f4b695eb3d0c531439887861b90277b6ede2d4f9eb7983065e6
- SHA512
  
  3035ae1d0b67be4a03bddbb1b36cbe45b97a3d269bc23229875792d36abab0a09a9e0622911a8a8a275fca8ff04bb6e9ffd647203fdb8364d252d8f71a78758a
- SSDEEP
  
  49152:D/VAh2zesgI2eCgRiMUusnboLVbnxcYzJGT+aJdTiP:jwaw+zW0VbnxcqJq1J1
Score

10^/10

privateloader risepro loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b
- Size
  
  1.3MB
- MD5
  
  2225c03c5bb14e2e02f8d888252d3d12
- SHA1
  
  326be1965a1539524141ea1a5707a157c7d4d5f5
- SHA256
  
  9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b
- SHA512
  
  3fa39ee0552ce33bad2327d2f4f59be2e11452b011292e3795db32b53a50a71b4350f8d92021b5fd068fa7dc2c12f93dd78487f3f24035ca420ddbe2a0391f92
- SSDEEP
  
  24576:5y0LMN4FQFK9kCT0ROmvezfvKo3kqva6i3+V5O66s2kd9sR5gfyTBpTSMj68wM8W:s0LbFlqvBmr1kqyvslASSgfy9UMjHwD
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral14
- Target
  
  a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609
- Size
  
  958KB
- MD5
  
  4ad1e312b136f5dd68262f68956e8eb2
- SHA1
  
  bf6029901839942b3becfcab9d2b40bb90b46aa2
- SHA256
  
  a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609
- SHA512
  
  65daf9d1b3fe2b401fad5a89611bf33798feea6d701bb54852360593b16f39e94e502f2ccc5ddf7581929f069e511ce78f1a45b552e7638280e07829137302d4
- SSDEEP
  
  12288:oMrfy909VUE3/HgdPY5VZEcVM3VFE481hDVaLldi52tiIDayvr/JOCvVvq9Qj0W6:3yAfHgdPY5/4P9AZ+ftibCvViC96
Score

10^/10

mystic redline kukish infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral15
- Target
  
  c31e600a3856d09e64628abdd37725398f02702f9310c85833d3184bc7be85cd
- Size
  
  2.6MB
- MD5
  
  f20395ac362a1d473b92b841ccc6463b
- SHA1
  
  c25d1923e7bec213bf0d193732a7a652dceb1b0e
- SHA256
  
  c31e600a3856d09e64628abdd37725398f02702f9310c85833d3184bc7be85cd
- SHA512
  
  a7c15d4ecbc103a80f7f433235bba206198fdcbdbd162aaca6c200ab2b3ab1448609b69a61c11ebff6c95db10bf63b2cff115529c2ea2bb43b839ce8dc3e7b55
- SSDEEP
  
  49152:DezaMnKMoQrSaRz95oZvmV48/3Uo3DeaBuD9kQV0igwkX121kvWp/+:StnKM1zog4O3U+ykCpvOc2G/
Score

10^/10

privateloader risepro loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral16
- Target
  
  e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5
- Size
  
  398KB
- MD5
  
  1efa9b18a2563ebebae8a6eabad4db7b
- SHA1
  
  b95bc070b14bbb19b209b2d4413db63f79272fbc
- SHA256
  
  e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5
- SHA512
  
  07bf09d5fa8798b9f0d40650c180275c78e201abd9d5ebfb37d2d37dcb55e0802d6c4e35467695aeec3c930add915d200847bd13ee41bc58762f067b553de5bb
- SSDEEP
  
  6144:Kqy+bnr+Dp0yN90QEI5Ngt4Ybnu7poqS394ZhT0E9P9psh7I81firb:qMrny90S8jD5NIlxVpCUv
Score

10^/10

mystic redline kukish infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172
- Size
  
  640KB
- MD5
  
  936d47f90f4943e9191cba496e128a28
- SHA1
  
  74e03c3a3603048b6d43e84d0f1460fb8bcd5474
- SHA256
  
  ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172
- SHA512
  
  0db1c75b8decc83959fcc2c8bb3485bdefbc9b169b4aa0b05c33db78b1d4acdbfe4c41a75aa922de6694b0138a45706f789fd58e22da7c696318c0181b28a506
- SSDEEP
  
  12288:GMrGy90ZxnbkSAVpVLg7qHwGUz5YcXkzf02XhXH:Qyal8jQb5YcXEfph3
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral18
- Target
  
  f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85
- Size
  
  935KB
- MD5
  
  29f8033f3fbdf91c2e89357c4b49602e
- SHA1
  
  d2d542baf9f23e26ba33885b633328e71e71f5c4
- SHA256
  
  f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85
- SHA512
  
  a3132e83c71a98612b408ecbc985b0ad7680a16893e8016514b24ecf0dba4bb6ae781f0513daa3efb29498ae8985f94ae63c13be285c2eb8e22f928afd115d9e
- SSDEEP
  
  24576:jyFWNEi4niX5JDHaWnqHbpoGkA4FJKMCGrru:2zJniXzaWnWt07pCGr
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral19
- Target
  
  f603ceb39fc4d835e57a02751723a2eb0538b0f955a7772c30556e0e0d723f6e
- Size
  
  465KB
- MD5
  
  6a3c0aea2a20fed1b45c23055e90642e
- SHA1
  
  a308101b32dc6df28aa0464ae6a0c4eaa3b93892
- SHA256
  
  f603ceb39fc4d835e57a02751723a2eb0538b0f955a7772c30556e0e0d723f6e
- SHA512
  
  3e1f0f410b68f854f9e0fa666d45b897768ec9fb11fcb63eb6eae58ba022f5b7d9b52f4ea01ff3f48ef8d3f48f0910913c8fb39e633476073f1baa637b3918c5
- SSDEEP
  
  6144:Kdy+bnr+Lp0yN90QEC3A7NrAs9xe6LZwlsr08+eurk1weVhvh2KWE5Js+OB84SW:3MrXy90Y85ZwlbGuo1njJUE3sf84SW
Score

10^/10

healer redline vasha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral20
- Target
  
  fbe6d8ed22a7fa2903b026b7f5d0dbb2b59b2353d1c24f6c73772b9226fa4d1a
- Size
  
  1.1MB
- MD5
  
  4655d83f05a711daa1a0fac0f24f28e0
- SHA1
  
  d54783eafe3429717adc8d64808ba3537a7beae6
- SHA256
  
  fbe6d8ed22a7fa2903b026b7f5d0dbb2b59b2353d1c24f6c73772b9226fa4d1a
- SHA512
  
  206a85e710d9d89750683d97fd7469e9d121d04787546fb32fabda7aac654a7b7cca546a17468994515a3989640d92721a7213d397b495f2a435f2ffa9fedfd5
- SSDEEP
  
  24576:ayiclaMfdhpiMRWuHBbdQk8xGN4l1P8Fanje9xGN:hHaMfxie55dMMNs11AxG
Score

10^/10

mystic redline smokeloader magia backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

PrivateLoader

RedLine

RedLine payload

RisePro

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

PrivateLoader

RisePro

Drops startup file

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

PrivateLoader

RisePro

Drops startup file

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

PrivateLoader

RedLine

RedLine payload

RisePro

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

RedLine

RedLine payload

PrivateLoader

RedLine

RedLine payload

RisePro

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic