healer

Sharing

Copy URL

Twitter E-mail

General

Target

02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985.zip
Size

19.8MB
Sample

240524-kzs4ssca68
MD5

e10fb09ccd7ec4c89fe48ca785388202
SHA1

0631152e4167cf94134e9d18b8f97e164fe49454
SHA256

02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985
SHA512

e99ba6bc1e7e5e38fd8774300466eb711f14c4144fff1de2c50e1bc9d673e80c355a8dcfc44182a1d5dc57c12d47a02fef83085e8a2053c93e76071425eb250e
SSDEEP

393216:5wKlONz4TfJIuKUHGqe2dzjBoY/lUhMacufS3hn2KDH7:GYpWd8ftBVlqMacFh2KDb

Malware Config

Extracted

Family

risepro

194.49.94.152

193.233.132.51

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Targets

- Target
  
  0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362
- Size
  
  1.6MB
- MD5
  
  4072ebdbf10bdc65c81f939c356f0d2e
- SHA1
  
  c3aacd751694f6980a973b895017247e5e29b29a
- SHA256
  
  0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362
- SHA512
  
  214350c7f05426ae01ce87106b490fbd3ca5bc61ceb2ef243db73891d817529961e6f04344214d0179cbfe9482e6c25133d3f45e40bd72e328a89fc9f7bb70e6
- SSDEEP
  
  49152:R77PcdeNyB5PESc74VbUR8v/OwLACT+jbU9g/:tzKeNyBiIZbKjbWg
Score

10^/10

privateloader risepro loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59
- Size
  
  645KB
- MD5
  
  ef0669622d6448e4556501afe1dad056
- SHA1
  
  c85d621294c88c8050b202b0e20f62d7889a86c5
- SHA256
  
  142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59
- SHA512
  
  64f71711babea80de14ca75680b8abb38ce5326b86925f6121a3a3724739158930c09b6b077d473e08661b508ae585973c7e6dd31a848f06bf16b2eb67026b34
- SSDEEP
  
  12288:aMray909okg/mJPJBxxSrCUHBayC0xzVN5Hn7uQQrzHWw:cy6HJ5UdhadGzVLHCr7Ww
Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f
- Size
  
  1.5MB
- MD5
  
  a40e62a544268214b09a8bafb68847b3
- SHA1
  
  9f388d46aed84dde179dc1e7c037d4a2a2cfadd4
- SHA256
  
  1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f
- SHA512
  
  11a2ca05e5b202af547b8ff9960346100477e9fac8089ab467edde417b0f8c2b2ce3c5234118f1e34cc6d3abbd32a19513430505767118b1c2ef7daed5694741
- SSDEEP
  
  24576:SyF/ldc9xGt1TuqHUtf/bo1JtIANdz3esqRTqzred7WEB2w6FR26Ph4e3lu:5Fj/tsqmM1J9zeGzrg7WaoFR265
Score

10^/10

mystic redline kukish infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37
- Size
  
  702KB
- MD5
  
  3551b070d8f8c5788e7a26b7eb3e2167
- SHA1
  
  c4f2f2a5e1534aa6745a4fa10cd33082e796a449
- SHA256
  
  2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37
- SHA512
  
  8cf570cae3fe1afcde148277a893bbd95711709792adda13b74132ed4374542999cd4e2a7bca1e35ebf6f4fce1b86a55d8d32d978016d3e70402ba5badc44723
- SSDEEP
  
  12288:mMr4y90EPnLmwuetmnJuSDno0t3Iu2FKZmtQVpzIZpFCMq48YdavcJynY4y5d:ay9LmwuetmncSDnh3IubZmipzzMq/YOw
Score

10^/10

healer redline mango dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2
- Size
  
  1.1MB
- MD5
  
  0c3c542480b366c4937a6a352723cff2
- SHA1
  
  7e4a1a89113a6fe0eb21e7b0d5640933095d035c
- SHA256
  
  357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2
- SHA512
  
  6f922448fb2512643a14154e6f6b6aaf6cac4a1af9cad3e818ad87b5cad4d56beb1a0848b005c75938853f0d74f6bd094332f695da0bda9e55997a7b1c2d032f
- SSDEEP
  
  12288:2Q1Ud1yTt0OFYtMeTVRq6zlXO4iIEbJGHaKwCugkgqaWxFnE+iOPW5kYg3meJ:Gdgh0OFYtMeTVRfBxIJGwcunE+IkYA
Score

10^/10

redline horda infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103
- Size
  
  1.0MB
- MD5
  
  b8c8a180572fa9f5d2abc29e8f5225de
- SHA1
  
  70b0b356bc4a0bf194d6cc8dc2b000ac7e49c1b7
- SHA256
  
  367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103
- SHA512
  
  fd90da55beae0cc7727900aff75d39a03d7986db109beb32ef5f0303cca309768e6ecbe2db25a32a6cb64eb7f3ee7209143a60fbde957182b1ddf5b58aba9162
- SSDEEP
  
  24576:Kylv3LOmDlvjAHW7XNs5uCq3bMKgMjUlP6wSCzLw+:Rlv3LOejLNsB5KvUlPyx
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7
- Target
  
  3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3
- Size
  
  956KB
- MD5
  
  c7d606e2c52cb54347c035c4f20385af
- SHA1
  
  fd14a9789a5cb3291a9fc9a21fc6a7011df32cfc
- SHA256
  
  3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3
- SHA512
  
  c3a07f6ef78ffdf38fee9613b451476e0c17aceebe9115bfd63c02350989197b15426fc854a3cc7a59878a3baa274c1a55b988374003389ee3ccbfa346ebce22
- SSDEEP
  
  24576:IyjahTARFOjnPlTRpSQ4Mh51NLlCTmBqqJj/vieOyO:P8TcIjnPlUOlwoqw3R
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730
- Size
  
  1.1MB
- MD5
  
  280ae5fee193835043a57b5858575e88
- SHA1
  
  864a3e1354257f7f027de1fb6a57c8f250522e27
- SHA256
  
  3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730
- SHA512
  
  35031ee7e036a0ef439281b3ab83cfac1f63fede1b314ccd0950c13c6deb2acc93889690aed3a60409f40b98fb353f93cacdb45119c2af503b34e91911be60a5
- SSDEEP
  
  24576:uyT+eJNyRY6bWbYcd8v04KzKWzZcO8mMvd7g6FvjqmllVGTZZmWfnIH4C:9T++V6b/XKxZcOxmrLgVPQ
Score

10^/10

mystic redline kukish infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  4157cda3159c7d2c99d18138d2e023dd1d821d09ae77e78901a80b26492981a6
- Size
  
  935KB
- MD5
  
  7f171f4b73978e234b3e114830d4b2f2
- SHA1
  
  2ea3e0030d87fb10bbd138f3ae220b2413d9820a
- SHA256
  
  4157cda3159c7d2c99d18138d2e023dd1d821d09ae77e78901a80b26492981a6
- SHA512
  
  b363282cdf599dd82accd283b3a10acc97108588c16696cfb7c361a02a29cb4b7c65366836bb897cb00881b3d75b4d7fa575befd19eb1009bab7130cd798e2af
- SSDEEP
  
  12288:TMrby90gdqx5IqPURHad0qOH81g42fAhjMQFzlzqUagnaioMpkQFU/i+VGq7af9C:Qy3qxVXhv1XhxVagnbpkRxVGyafKZMo
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10
- Target
  
  5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea
- Size
  
  2.3MB
- MD5
  
  665d982ca7f55392948abb118b2c6b3d
- SHA1
  
  76b7c096dae1f20041e7e55e3d863ec35cb4fd2d
- SHA256
  
  5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea
- SHA512
  
  8f7d99ef72b0fff0c0a758f28a948b9c4c2387f5e9a9b7f0ac3a8971d963d457d58cbd8368bc55809196c21daea956dc1a6eba664efa2b91567057ad22a19723
- SSDEEP
  
  49152:tsOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:9fwnEg4hVvNCm6GpR5Rw
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral11
- Target
  
  620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f
- Size
  
  421KB
- MD5
  
  f43e85202791e82c59b8e07f76dabbfa
- SHA1
  
  cf80bc8a656390e4e9ed061fd84a155f0665237f
- SHA256
  
  620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f
- SHA512
  
  5c8dd89131b27eb110b9ec35d7e0686c7cffed62d4257d0d506d93154eeacc0f8e14733ba4ebc4a5616e7c1fff02cbdc52eaa6f1e662ec857d94532084b360ff
- SSDEEP
  
  12288:YMrhy90F+08qFUvu2hyW1eKFnTA9BKXjEARJfz7IU:pyX08qF32lIKFLEAl
Score

10^/10

mystic persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral12
- Target
  
  68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a
- Size
  
  633KB
- MD5
  
  ade1582c6f516a251b48126cd5f22f55
- SHA1
  
  8f2dbe7998b7ca7090eb7b0ad8192ae798b5d488
- SHA256
  
  68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a
- SHA512
  
  96f1f614d8b2092a16ee69003c1340e9623e5742e09d8956deb368b47078b1be6d1a5a6952e90002732537efc6c6032311fbf66dda0fe79c379704d200f1e1fe
- SSDEEP
  
  12288:bMrjy90C6QjVHg1WhG2w6jE9l3bfr0M4rI6pvIlIE4uXIU1/s:oyP6YVHO0G2K/LzoVDE4uXIU1/s
Score

10^/10

healer mystic redline gruha dropper evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral13
- Target
  
  753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91
- Size
  
  641KB
- MD5
  
  a2fb087405549d4844da7621326d7bc6
- SHA1
  
  41722d07ff394bb88e681e8cb55acdc420fbc696
- SHA256
  
  753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91
- SHA512
  
  deac27f5aab4250178ca108607e59b275edccdf556fe2ddfe2f2bc51a302a985cab0408e6261f1459fecf19b8331bc959a0e30921103816e46686b617549dfa3
- SSDEEP
  
  12288:nMr9y90yHagkaQMkfPlNgEkJa1j6shpaH8UPGDTVqT3kUt90fnAr:ayaXnHrf1jS3uTVqrkUcK
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74
- Size
  
  954KB
- MD5
  
  2007fd745de85725bd3c50bc100af3dc
- SHA1
  
  be0942dfed4466f4181936016cc020ed72918fb6
- SHA256
  
  a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74
- SHA512
  
  ca2e84396e623838f7900a2c73f28d5a5675c179a462878232c618234c7f68f1f3e4eb6003f9c9fdacc0bcb7849d2385e63422aa640d6fe3244db49481cc9973
- SSDEEP
  
  24576:Ky0CNEQDcgkWfaKBfZh59btIafN7V9joSiS5nYI:RSqjflZttIaV7V9ESR1
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  a4375e040f13128a4dc747d845dd82b7204008c71beb526483b369eea30d2582
- Size
  
  1.7MB
- MD5
  
  dfe9bb1f434b2c4274b25c55f4c357fd
- SHA1
  
  26174ece060175ac42687ac2bbbda5ad8b486972
- SHA256
  
  a4375e040f13128a4dc747d845dd82b7204008c71beb526483b369eea30d2582
- SHA512
  
  81d7b36b5ee84df38237fcbd7b5b8c8714a079e07bbab5098d44a486d63803b4d054fa9e04e35c6c56af4c8b492ed06e11f2d6d1c161efe2edd18328047064e8
- SSDEEP
  
  24576:4yCr4tXdUADDqI0NqpWTUczJqcswysxoJVJgRtmO0pO9j+30JwYEXpUZCwQU/4e:/CctXhDsIWTUczJq/JlgD50pOV+PbqQ
Score

10^/10

privateloader risepro loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral16
- Target
  
  a619ae77d542717361e631ceb6fe3fab295af4ccef45ae4774b92a9355b6bb2e
- Size
  
  934KB
- MD5
  
  9323def24c82bcce18472272f2fd5647
- SHA1
  
  f09e0e7cbf11b9afa48a1cdb5d7d67065a46da8d
- SHA256
  
  a619ae77d542717361e631ceb6fe3fab295af4ccef45ae4774b92a9355b6bb2e
- SHA512
  
  98896fcab67a61d7d42629f3062054984a32712b668fa986272c14427394727c522ee9562a7d243e9627ff88f1825444dacb3b8a14dd270a5a3b755502271e7a
- SSDEEP
  
  24576:QyZyKWABDnuKRODayze5PfWeD+XH0WdXBPo:XEKWQnuKRoe5HlDyH0Yx
Score

10^/10

mystic redline lutyr infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12
- Size
  
  2.1MB
- MD5
  
  e1bb0f18d53291edb6b6b8c8bcbe60f4
- SHA1
  
  8354cb2797fbc00c57f193a6d0929dabd34e6981
- SHA256
  
  aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12
- SHA512
  
  dd5e7dbc48010a5057e20b0d056e03584600362a259dce65c5ab8d118b67e3f731243a65732b84d31f74d55d603f38532911e387946912431e99d7f9c17bb322
- SSDEEP
  
  49152:/nIg6uBuXvfZ7xjfgZGKAusjt5M1JVzxVgXDaQxlxz3H8OZBnCcpa:AgZuXLMBqkRveuk33ceB9p
Score

10^/10

privateloader risepro loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral18
- Target
  
  aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049
- Size
  
  401KB
- MD5
  
  c70da63f44a116fe349e06b38cafb3fa
- SHA1
  
  cb0d169c46a5e96d933da8ff43d1e057ea2d5ced
- SHA256
  
  aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049
- SHA512
  
  d558fa35f52738065c6d4602f968f22dae8dc33f900d71afb69fb52705e105befee8e786926c174cca498af2e55a109fae972acb3ab5ccc4dd26ff41e5066993
- SSDEEP
  
  6144:KUy+bnr+sp0yN90QEHbTG8sXOfBZjC+qn5gwV4y5P08f7DjWLMRPPq2knPEVowLc:kMrAy90tbXsOjFKFrOMti21awLc
Score

10^/10

mystic redline kukish infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral19
- Target
  
  d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70
- Size
  
  642KB
- MD5
  
  3495f027cf0f5fc3e066f6d1e5ae17f6
- SHA1
  
  787b0eef35f80738a55247d6acd4d49a0f5d3f07
- SHA256
  
  d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70
- SHA512
  
  c8b9ccde6c7e26800badc673214b4a79871b528d2e02faa07458279155edd9171781d38db17da5fb623389be7ca5cb134f560b49d93b07c95a3a9a13ba37db26
- SSDEEP
  
  12288:XMr0y90J0NA0H7Gae/4IC50pCCHGN0PLvYMXiYQbDL6Nxb2jHV:nyEiaaewIsgCQGIgYDFb2j1
Score

7^/10

paypal persistence phishing
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand paypal.
  phishing paypal
behavioral20
- Target
  
  e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65
- Size
  
  1.1MB
- MD5
  
  db790b8be6c16299ccf7f1dccd680b89
- SHA1
  
  4d13d834f004cdb6c836eb0f9d7343fea266069c
- SHA256
  
  e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65
- SHA512
  
  63518a7fd2471ed7c678e650ff45939b86d9264cf175f6d3e5e3cf6662fd54a1dbc0063b5e97707d247046d982feaff164728d7267543622c66e5394427a988f
- SSDEEP
  
  24576:UyMQBHbtypH1KhYSPs1h4Gur9/pok9ULO0Rtlz01EjUdkr5eM:jMAbtypH1HFajr9/6jpI52
Score

10^/10

mystic redline kukish infostealer persistence stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

PrivateLoader

RisePro

Drops startup file

Executes dropped EXE

Adds Run key to start application

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

RedLine

RedLine payload

Suspicious use of SetThreadContext

PrivateLoader

RedLine

RedLine payload

RisePro

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

RedLine

RedLine payload

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

PrivateLoader

RedLine

RedLine payload

RisePro

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Detect Mystic stealer payload

Mystic

.NET Reactor proctector