General

  • Target

    02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985.zip

  • Size

    19.8MB

  • Sample

    240524-kzs4ssca68

  • MD5

    e10fb09ccd7ec4c89fe48ca785388202

  • SHA1

    0631152e4167cf94134e9d18b8f97e164fe49454

  • SHA256

    02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

  • SHA512

    e99ba6bc1e7e5e38fd8774300466eb711f14c4144fff1de2c50e1bc9d673e80c355a8dcfc44182a1d5dc57c12d47a02fef83085e8a2053c93e76071425eb250e

  • SSDEEP

    393216:5wKlONz4TfJIuKUHGqe2dzjBoY/lUhMacufS3hn2KDH7:GYpWd8ftBVlqMacFh2KDb

Malware Config

Extracted
  • Family: risepro
  • C2: 194.49.94.152, 193.233.132.51

Extracted
  • Family: redline
  • Botnet: horda
  • C2: 194.49.94.152:19053

Extracted
  • Family: redline
  • Botnet: gruha
  • C2: 77.91.124.55:19071
  • Attributes: auth_value = 2f4cf2e668a540e64775b27535cc6892

Extracted
  • Family: redline
  • Botnet: lutyr
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: kukish
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: mango
  • C2: 193.233.20.28:4125
  • Attributes: auth_value = ecf79d7f5227d998a3501c972d915d23

Extracted
  • Family: mystic
  • C2: http://5.42.92.211/

Extracted
  • Family: redline
  • Botnet: breha
  • C2: 77.91.124.55:19071
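The extracted C2 values above come in three shapes (a bare IP for RisePro, ip:port for RedLine, a URL for Mystic), so they cannot be dropped into a blocklist or a log search as-is. The following Python is an added example, not part of the sandbox report and not the sandbox's own code: it normalises the rows transcribed from the Malware Config section into host/port indicators and runs them over a handful of constructed egress records. The "<ts> <src> -> <dst>:<port>" log layout is an assumed format, not any product's export.

```python
"""Turn the C2 values the report extracted into a matcher for egress logs.

Added example; not part of the sandbox report and not the sandbox's own code.
The indicator rows are transcribed from the "Malware Config" section above.
The log lines are constructed, and their "<ts> <src> -> <dst>:<port>" layout
is an assumed format, not any particular product's export.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class C2Indicator:
    family: str
    botnet: Optional[str]
    host: str
    port: Optional[int]  # None: the config gave no port, so match any port


# (family, botnet, C2 as written in the report). RisePro carries no port and
# Mystic's C2 is a URL, so the three shapes are normalised below.
RAW_CONFIG = [
    ("risepro", None, "194.49.94.152"),
    ("risepro", None, "193.233.132.51"),
    ("redline", "horda", "194.49.94.152:19053"),
    ("redline", "gruha", "77.91.124.55:19071"),
    ("redline", "lutyr", "77.91.124.55:19071"),
    ("redline", "kukish", "77.91.124.55:19071"),
    ("redline", "mango", "193.233.20.28:4125"),
    ("mystic", None, "http://5.42.92.211/"),
    ("redline", "breha", "77.91.124.55:19071"),
]


def parse_c2(family: str, botnet: Optional[str], value: str) -> C2Indicator:
    """Normalise 'ip', 'ip:port' and 'scheme://ip/' into a C2Indicator."""
    if "://" in value:
        u = urlparse(value)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
    elif ":" in value:
        host, port_text = value.rsplit(":", 1)
        port = int(port_text)
    else:
        host, port = value, None
    ipaddress.ip_address(host)  # every C2 on this page is a literal IP; fail loudly otherwise
    return C2Indicator(family, botnet, host, port)


INDICATORS: List[C2Indicator] = [parse_c2(*row) for row in RAW_CONFIG]

# Constructed egress records; none of this is real traffic. The last line is
# deliberately malformed to show that bad input is skipped, not fatal.
SAMPLE_LOG = """\
2024-05-24T10:01:02Z 10.0.0.15 -> 194.49.94.152:19053
2024-05-24T10:01:05Z 10.0.0.15 -> 77.91.124.55:19071
2024-05-24T10:01:09Z 10.0.0.22 -> 5.42.92.211:80
2024-05-24T10:02:11Z 10.0.0.22 -> 193.233.132.51:50500
2024-05-24T10:03:00Z 10.0.0.30 -> 203.0.113.10:443
2024-05-24T10:03:30Z 10.0.0.31 -> 193.233.20.28:8080
garbage line that should be skipped, not crash the run
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")


def match_egress(log_text: str, indicators: List[C2Indicator] = INDICATORS) -> List[Dict]:
    """Return one hit per (log line, indicator) pair that agrees on host and port.

    A port-less indicator matches any destination port on that host; a ported
    one needs both to agree, so 193.233.20.28:8080 above is *not* a hit.
    """
    by_host: Dict[str, List[C2Indicator]] = {}
    for ioc in indicators:
        by_host.setdefault(ioc.host, []).append(ioc)
    hits: List[Dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        for ioc in by_host.get(dst, []):
            if ioc.port is None or ioc.port == port:
                hits.append({"ts": m["ts"], "src": m["src"], "dst": dst, "port": port,
                             "family": ioc.family, "botnet": ioc.botnet})
    return hits


if __name__ == "__main__":
    for hit in match_egress(SAMPLE_LOG):
        print(hit)
```

Two things to keep in mind when alerting on these: a single connection to 77.91.124.55:19071 produces four hits because four RedLine builds (gruha, lutyr, kukish, breha) share that C2, so collapse on host:port before paging anyone, and the port-less RisePro entries match every port on 194.49.94.152 and 193.233.132.51, which is the right call for a dedicated C2 host but a lower-confidence signal than an exact host:port match.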

Targets

    • Target

      0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362

    • Size

      1.6MB

    • MD5

      4072ebdbf10bdc65c81f939c356f0d2e

    • SHA1

      c3aacd751694f6980a973b895017247e5e29b29a

    • SHA256

      0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362

    • SHA512

      214350c7f05426ae01ce87106b490fbd3ca5bc61ceb2ef243db73891d817529961e6f04344214d0179cbfe9482e6c25133d3f45e40bd72e328a89fc9f7bb70e6

    • SSDEEP

      49152:R77PcdeNyB5PESc74VbUR8v/OwLACT+jbU9g/:tzKeNyBiIZbKjbWg

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59

    • Size

      645KB

    • MD5

      ef0669622d6448e4556501afe1dad056

    • SHA1

      c85d621294c88c8050b202b0e20f62d7889a86c5

    • SHA256

      142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59

    • SHA512

      64f71711babea80de14ca75680b8abb38ce5326b86925f6121a3a3724739158930c09b6b077d473e08661b508ae585973c7e6dd31a848f06bf16b2eb67026b34

    • SSDEEP

      12288:aMray909okg/mJPJBxxSrCUHBayC0xzVN5Hn7uQQrzHWw:cy6HJ5UdhadGzVLHCr7Ww

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f

    • Size

      1.5MB

    • MD5

      a40e62a544268214b09a8bafb68847b3

    • SHA1

      9f388d46aed84dde179dc1e7c037d4a2a2cfadd4

    • SHA256

      1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f

    • SHA512

      11a2ca05e5b202af547b8ff9960346100477e9fac8089ab467edde417b0f8c2b2ce3c5234118f1e34cc6d3abbd32a19513430505767118b1c2ef7daed5694741

    • SSDEEP

      24576:SyF/ldc9xGt1TuqHUtf/bo1JtIANdz3esqRTqzred7WEB2w6FR26Ph4e3lu:5Fj/tsqmM1J9zeGzrg7WaoFR265

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37

    • Size

      702KB

    • MD5

      3551b070d8f8c5788e7a26b7eb3e2167

    • SHA1

      c4f2f2a5e1534aa6745a4fa10cd33082e796a449

    • SHA256

      2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37

    • SHA512

      8cf570cae3fe1afcde148277a893bbd95711709792adda13b74132ed4374542999cd4e2a7bca1e35ebf6f4fce1b86a55d8d32d978016d3e70402ba5badc44723

    • SSDEEP

      12288:mMr4y90EPnLmwuetmnJuSDno0t3Iu2FKZmtQVpzIZpFCMq48YdavcJynY4y5d:ay9LmwuetmncSDnh3IubZmipzzMq/YOw

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2

    • Size

      1.1MB

    • MD5

      0c3c542480b366c4937a6a352723cff2

    • SHA1

      7e4a1a89113a6fe0eb21e7b0d5640933095d035c

    • SHA256

      357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2

    • SHA512

      6f922448fb2512643a14154e6f6b6aaf6cac4a1af9cad3e818ad87b5cad4d56beb1a0848b005c75938853f0d74f6bd094332f695da0bda9e55997a7b1c2d032f

    • SSDEEP

      12288:2Q1Ud1yTt0OFYtMeTVRq6zlXO4iIEbJGHaKwCugkgqaWxFnE+iOPW5kYg3meJ:Gdgh0OFYtMeTVRfBxIJGwcunE+IkYA

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103

    • Size

      1.0MB

    • MD5

      b8c8a180572fa9f5d2abc29e8f5225de

    • SHA1

      70b0b356bc4a0bf194d6cc8dc2b000ac7e49c1b7

    • SHA256

      367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103

    • SHA512

      fd90da55beae0cc7727900aff75d39a03d7986db109beb32ef5f0303cca309768e6ecbe2db25a32a6cb64eb7f3ee7209143a60fbde957182b1ddf5b58aba9162

    • SSDEEP

      24576:Kylv3LOmDlvjAHW7XNs5uCq3bMKgMjUlP6wSCzLw+:Rlv3LOejLNsB5KvUlPyx

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3

    • Size

      956KB

    • MD5

      c7d606e2c52cb54347c035c4f20385af

    • SHA1

      fd14a9789a5cb3291a9fc9a21fc6a7011df32cfc

    • SHA256

      3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3

    • SHA512

      c3a07f6ef78ffdf38fee9613b451476e0c17aceebe9115bfd63c02350989197b15426fc854a3cc7a59878a3baa274c1a55b988374003389ee3ccbfa346ebce22

    • SSDEEP

      24576:IyjahTARFOjnPlTRpSQ4Mh51NLlCTmBqqJj/vieOyO:P8TcIjnPlUOlwoqw3R

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730

    • Size

      1.1MB

    • MD5

      280ae5fee193835043a57b5858575e88

    • SHA1

      864a3e1354257f7f027de1fb6a57c8f250522e27

    • SHA256

      3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730

    • SHA512

      35031ee7e036a0ef439281b3ab83cfac1f63fede1b314ccd0950c13c6deb2acc93889690aed3a60409f40b98fb353f93cacdb45119c2af503b34e91911be60a5

    • SSDEEP

      24576:uyT+eJNyRY6bWbYcd8v04KzKWzZcO8mMvd7g6FvjqmllVGTZZmWfnIH4C:9T++V6b/XKxZcOxmrLgVPQ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4157cda3159c7d2c99d18138d2e023dd1d821d09ae77e78901a80b26492981a6

    • Size

      935KB

    • MD5

      7f171f4b73978e234b3e114830d4b2f2

    • SHA1

      2ea3e0030d87fb10bbd138f3ae220b2413d9820a

    • SHA256

      4157cda3159c7d2c99d18138d2e023dd1d821d09ae77e78901a80b26492981a6

    • SHA512

      b363282cdf599dd82accd283b3a10acc97108588c16696cfb7c361a02a29cb4b7c65366836bb897cb00881b3d75b4d7fa575befd19eb1009bab7130cd798e2af

    • SSDEEP

      12288:TMrby90gdqx5IqPURHad0qOH81g42fAhjMQFzlzqUagnaioMpkQFU/i+VGq7af9C:Qy3qxVXhv1XhxVagnbpkRxVGyafKZMo

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea

    • Size

      2.3MB

    • MD5

      665d982ca7f55392948abb118b2c6b3d

    • SHA1

      76b7c096dae1f20041e7e55e3d863ec35cb4fd2d

    • SHA256

      5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea

    • SHA512

      8f7d99ef72b0fff0c0a758f28a948b9c4c2387f5e9a9b7f0ac3a8971d963d457d58cbd8368bc55809196c21daea956dc1a6eba664efa2b91567057ad22a19723

    • SSDEEP

      49152:tsOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:9fwnEg4hVvNCm6GpR5Rw

    • Target

      620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f

    • Size

      421KB

    • MD5

      f43e85202791e82c59b8e07f76dabbfa

    • SHA1

      cf80bc8a656390e4e9ed061fd84a155f0665237f

    • SHA256

      620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f

    • SHA512

      5c8dd89131b27eb110b9ec35d7e0686c7cffed62d4257d0d506d93154eeacc0f8e14733ba4ebc4a5616e7c1fff02cbdc52eaa6f1e662ec857d94532084b360ff

    • SSDEEP

      12288:YMrhy90F+08qFUvu2hyW1eKFnTA9BKXjEARJfz7IU:pyX08qF32lIKFLEAl

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a

    • Size

      633KB

    • MD5

      ade1582c6f516a251b48126cd5f22f55

    • SHA1

      8f2dbe7998b7ca7090eb7b0ad8192ae798b5d488

    • SHA256

      68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a

    • SHA512

      96f1f614d8b2092a16ee69003c1340e9623e5742e09d8956deb368b47078b1be6d1a5a6952e90002732537efc6c6032311fbf66dda0fe79c379704d200f1e1fe

    • SSDEEP

      12288:bMrjy90C6QjVHg1WhG2w6jE9l3bfr0M4rI6pvIlIE4uXIU1/s:oyP6YVHO0G2K/LzoVDE4uXIU1/s

    • Detect Mystic stealer payload

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91

    • Size

      641KB

    • MD5

      a2fb087405549d4844da7621326d7bc6

    • SHA1

      41722d07ff394bb88e681e8cb55acdc420fbc696

    • SHA256

      753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91

    • SHA512

      deac27f5aab4250178ca108607e59b275edccdf556fe2ddfe2f2bc51a302a985cab0408e6261f1459fecf19b8331bc959a0e30921103816e46686b617549dfa3

    • SSDEEP

      12288:nMr9y90yHagkaQMkfPlNgEkJa1j6shpaH8UPGDTVqT3kUt90fnAr:ayaXnHrf1jS3uTVqrkUcK

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74

    • Size

      954KB

    • MD5

      2007fd745de85725bd3c50bc100af3dc

    • SHA1

      be0942dfed4466f4181936016cc020ed72918fb6

    • SHA256

      a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74

    • SHA512

      ca2e84396e623838f7900a2c73f28d5a5675c179a462878232c618234c7f68f1f3e4eb6003f9c9fdacc0bcb7849d2385e63422aa640d6fe3244db49481cc9973

    • SSDEEP

      24576:Ky0CNEQDcgkWfaKBfZh59btIafN7V9joSiS5nYI:RSqjflZttIaV7V9ESR1

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a4375e040f13128a4dc747d845dd82b7204008c71beb526483b369eea30d2582

    • Size

      1.7MB

    • MD5

      dfe9bb1f434b2c4274b25c55f4c357fd

    • SHA1

      26174ece060175ac42687ac2bbbda5ad8b486972

    • SHA256

      a4375e040f13128a4dc747d845dd82b7204008c71beb526483b369eea30d2582

    • SHA512

      81d7b36b5ee84df38237fcbd7b5b8c8714a079e07bbab5098d44a486d63803b4d054fa9e04e35c6c56af4c8b492ed06e11f2d6d1c161efe2edd18328047064e8

    • SSDEEP

      24576:4yCr4tXdUADDqI0NqpWTUczJqcswysxoJVJgRtmO0pO9j+30JwYEXpUZCwQU/4e:/CctXhDsIWTUczJq/JlgD50pOV+PbqQ

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      a619ae77d542717361e631ceb6fe3fab295af4ccef45ae4774b92a9355b6bb2e

    • Size

      934KB

    • MD5

      9323def24c82bcce18472272f2fd5647

    • SHA1

      f09e0e7cbf11b9afa48a1cdb5d7d67065a46da8d

    • SHA256

      a619ae77d542717361e631ceb6fe3fab295af4ccef45ae4774b92a9355b6bb2e

    • SHA512

      98896fcab67a61d7d42629f3062054984a32712b668fa986272c14427394727c522ee9562a7d243e9627ff88f1825444dacb3b8a14dd270a5a3b755502271e7a

    • SSDEEP

      24576:QyZyKWABDnuKRODayze5PfWeD+XH0WdXBPo:XEKWQnuKRoe5HlDyH0Yx

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12

    • Size

      2.1MB

    • MD5

      e1bb0f18d53291edb6b6b8c8bcbe60f4

    • SHA1

      8354cb2797fbc00c57f193a6d0929dabd34e6981

    • SHA256

      aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12

    • SHA512

      dd5e7dbc48010a5057e20b0d056e03584600362a259dce65c5ab8d118b67e3f731243a65732b84d31f74d55d603f38532911e387946912431e99d7f9c17bb322

    • SSDEEP

      49152:/nIg6uBuXvfZ7xjfgZGKAusjt5M1JVzxVgXDaQxlxz3H8OZBnCcpa:AgZuXLMBqkRveuk33ceB9p

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049

    • Size

      401KB

    • MD5

      c70da63f44a116fe349e06b38cafb3fa

    • SHA1

      cb0d169c46a5e96d933da8ff43d1e057ea2d5ced

    • SHA256

      aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049

    • SHA512

      d558fa35f52738065c6d4602f968f22dae8dc33f900d71afb69fb52705e105befee8e786926c174cca498af2e55a109fae972acb3ab5ccc4dd26ff41e5066993

    • SSDEEP

      6144:KUy+bnr+sp0yN90QEHbTG8sXOfBZjC+qn5gwV4y5P08f7DjWLMRPPq2knPEVowLc:kMrAy90tbXsOjFKFrOMti21awLc

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70

    • Size

      642KB

    • MD5

      3495f027cf0f5fc3e066f6d1e5ae17f6

    • SHA1

      787b0eef35f80738a55247d6acd4d49a0f5d3f07

    • SHA256

      d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70

    • SHA512

      c8b9ccde6c7e26800badc673214b4a79871b528d2e02faa07458279155edd9171781d38db17da5fb623389be7ca5cb134f560b49d93b07c95a3a9a13ba37db26

    • SSDEEP

      12288:XMr0y90J0NA0H7Gae/4IC50pCCHGN0PLvYMXiYQbDL6Nxb2jHV:nyEiaaewIsgCQGIgYDFb2j1

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Target

      e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65

    • Size

      1.1MB

    • MD5

      db790b8be6c16299ccf7f1dccd680b89

    • SHA1

      4d13d834f004cdb6c836eb0f9d7343fea266069c

    • SHA256

      e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65

    • SHA512

      63518a7fd2471ed7c678e650ff45939b86d9264cf175f6d3e5e3cf6662fd54a1dbc0063b5e97707d247046d982feaff164728d7267543622c66e5394427a988f

    • SSDEEP

      24576:UyMQBHbtypH1KhYSPs1h4Gur9/pok9ULO0Rtlz01EjUdkr5eM:jMAbtypH1HFajr9/6jpI52

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
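The behaviours flagged most often across these targets are "Adds Run key to start application", "Drops startup file" and "Modifies Windows Defender Real-time Protection settings", which map to the T1547.001 and T1562.001 rows in the ATT&CK matrix below. The following Python is an added example, not part of the report and not the sandbox's signature code: it classifies constructed Sysmon registry and file events against those three behaviours. The concrete paths and value names it looks for (Run/RunOnce, the Startup folder, the Real-Time Protection policy values) are assumptions about what those behaviours look like on a host; the report names only the behaviour, not the keys.

```python
"""Match constructed Sysmon events against the persistence and defence-evasion
behaviours the report flags for these samples: "Adds Run key to start
application", "Drops startup file" and "Modifies Windows Defender Real-time
Protection settings".

Added example; not part of the sandbox report. The events below are constructed.
The registry paths and value names (Run/RunOnce, the Startup folder, the
Real-Time Protection policy values) are assumptions about what those behaviours
look like on disk; the report names only the behaviour.
"""
import re
from typing import Dict, List, Optional

# Technique IDs are the ones the report's ATT&CK matrix lists for this sample set.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
DEFENDER_RTP_RE = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\"
    r"Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|OnAccessProtection)$",
    re.IGNORECASE)
# Sysmon renders DWORD data as "DWORD (0x00000001)"; accept a bare "1" as well.
DWORD_ONE_RE = re.compile(r"^(DWORD \(0x0*1\)|1)$", re.IGNORECASE)
# A Run value pointing into a user-writable directory is the shape a dropped
# stealer leaves behind; one pointing at Program Files is less interesting.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


def classify(event: Dict) -> Optional[Dict]:
    """Return a finding for one Sysmon event, or None if it is not of interest."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == 13:  # RegistryEvent (Value Set)
        target = event.get("TargetObject", "")
        details = str(event.get("Details", ""))
        if RUN_KEY_RE.search(target):
            return {"technique": "T1547.001", "what": "run_key_added",
                    "image": image, "target": target, "details": details,
                    "user_writable_payload": bool(USER_WRITABLE_RE.search(details))}
        if DEFENDER_RTP_RE.search(target) and DWORD_ONE_RE.match(details.strip()):
            return {"technique": "T1562.001", "what": "defender_rtp_disabled",
                    "image": image, "target": target, "details": details}
    elif eid == 11:  # FileCreate
        path = event.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(path):
            return {"technique": "T1547.001", "what": "startup_file_dropped",
                    "image": image, "target": path}
    return None


def scan(events: List[Dict]) -> List[Dict]:
    """Classify every event and keep the findings, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]


def techniques_seen(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per ATT&CK technique, the way the report's matrix does."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


# Constructed events, not from a real host. Field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\1000001.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\Updater\svc.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\1000002.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\1000003.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    # Benign noise: an Office setting, Defender being re-enabled, a process start.
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Word\Options\Foo",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(techniques_seen(scan(SAMPLE_EVENTS)))
```

The Defender rule only fires when the value is set to 1; a Group Policy refresh writing 0 back is the same key with the opposite meaning, which is why the data is checked and not just the path. The `user_writable_payload` flag is there so a triage queue can sort Run keys that point into AppData or Temp above ones that point at an installed product.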

MITRE ATT&CK Matrix (ATT&CK v13)

Technique (ID): count

Execution
  • Scheduled Task/Job (T1053): 6

Persistence
  • Boot or Logon Autostart Execution (T1547): 19
  • Registry Run Keys / Startup Folder (T1547.001): 19
  • Scheduled Task/Job (T1053): 6
  • Create or Modify System Process (T1543): 4
  • Windows Service (T1543.003): 4

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 19
  • Registry Run Keys / Startup Folder (T1547.001): 19
  • Scheduled Task/Job (T1053): 6
  • Create or Modify System Process (T1543): 4
  • Windows Service (T1543.003): 4

Defense Evasion
  • Modify Registry (T1112): 24
  • Impair Defenses (T1562): 5
  • Disable or Modify Tools (T1562.001): 5

Discovery
  • System Information Discovery (T1082): 11
  • Query Registry (T1012): 4
  • Peripheral Device Discovery (T1120): 3

Tasks

static1
  • Score: 3/10

behavioral1
  • Tags: privateloader, risepro, loader, persistence, stealer
  • Score: 10/10

behavioral2
  • Tags: mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  • Score: 10/10

behavioral3
  • Tags: mystic, redline, kukish, infostealer, persistence, stealer
  • Score: 10/10

behavioral4
  • Tags: healer, redline, mango, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral5
  • Tags: redline, horda, infostealer
  • Score: 10/10

behavioral6
  • Tags: redline, horda, infostealer
  • Score: 10/10

behavioral7
  • Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
  • Score: 10/10

behavioral8
  • Tags: mystic, redline, smokeloader, breha, backdoor, evasion, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral9
  • Tags: mystic, redline, kukish, infostealer, persistence, stealer
  • Score: 10/10

behavioral10
  • Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
  • Score: 10/10

behavioral11
  • Tags: smokeloader, backdoor, persistence, trojan
  • Score: 10/10

behavioral12
  • Tags: mystic, persistence, stealer
  • Score: 10/10

behavioral13
  • Tags: healer, mystic, redline, gruha, dropper, evasion, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral14
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10

behavioral15
  • Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
  • Score: 10/10

behavioral16
  • Tags: privateloader, risepro, loader, persistence, stealer
  • Score: 10/10

behavioral17
  • Tags: mystic, redline, lutyr, infostealer, persistence, stealer
  • Score: 10/10

behavioral18
  • Tags: privateloader, risepro, loader, persistence, stealer
  • Score: 10/10

behavioral19
  • Tags: mystic, redline, kukish, infostealer, persistence, stealer
  • Score: 10/10

behavioral20
  • Tags: paypal, persistence, phishing
  • Score: 7/10

behavioral21
  • Tags: mystic, redline, kukish, infostealer, persistence, stealer
  • Score: 10/10