General

  • Target

    r.zip

  • Size

    17.7MB

  • Sample

    240524-l2sfqadc56

  • MD5

    7e661ec71840027484db1e67a3731c3a

  • SHA1

    973f5c5de7843e8d4baed2a5f5589daa4419bafb

  • SHA256

    35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

  • SHA512

    f80a692a59edca9f5c1e2f74af731700d47915805ab73485492b3f769af7c976e939cb97ff8617ead9611b3fb4d8ca0fb54d58d39c6bb6ba7f6503eab73e8869

  • SSDEEP

    393216:utw4yjfXDDCRry8k1hJyvOi0XfUenj/JnIYMW50:KKjPDDvXWOiaUaJIY0

Malware Config

Extracted
  • Family: risepro
  • C2: 193.233.132.51, 194.49.94.152

Extracted
  • Family: redline
  • Botnet: breha
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: vasha
  • C2: 77.91.124.82:19071
  • Attributes: auth_value = 42fc61786274daca54d589b85a2c1954

Extracted
  • Family: redline
  • Botnet: kukish
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: taiga
  • C2: 5.42.92.51:19057

Extracted
  • Family: mystic
  • C2: http://5.42.92.211/

Extracted
  • Family: redline
  • Botnet: horda
  • C2: 194.49.94.152:19053

Extracted
  • Family: redline
  • Botnet: lutyr
  • C2: 77.91.124.55:19071

Extracted
  • Family: redline
  • Botnet: darts
  • C2: 77.91.124.82:19071
  • Attributes: auth_value = 3c8818da7045365845f15ec0946ebf11

Extracted
  • Family: redline
  • Botnet: kedru
  • C2: 77.91.124.86:19084

Targets

    • Target

      2681e868e36ec912cf14855e552a41583eb47da1464ad71b64ddaae780d63101

    • Size

      633KB

    • MD5

      497349983098259f6c07c33d745f116a

    • SHA1

      0a428f49d309f05ea36a491441ee2ab866261c66

    • SHA256

      2681e868e36ec912cf14855e552a41583eb47da1464ad71b64ddaae780d63101

    • SHA512

      cd775e963e0e5a4f01b3b0df71a5ff49e9a1ae4e7af333c34692fe8bffe86d24a91e6ff8997cb91eccbf81df61ecf960d982bd91dc821838da2fd8be15b7d901

    • SSDEEP

      12288:9MrJy901A8GwkPAcdjvughyEr4j8I4jVnczSsxJZxz2W0ZhJ:cyoAPPAOygFrJFczLx1X0ZhJ

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be

    • Size

      1.0MB

    • MD5

      c51058281df6130d5aca94b364a37ff9

    • SHA1

      5e6c0434b0813d9607a6dad81d8b091f90865593

    • SHA256

      446a34b8c4e3ca30c5f6c10a03580a59127ae30d85ec80832cfadf9d862cd1be

    • SHA512

      c49ef6acb8f3f0e371a422b87a126354283983843ee42cb06c9821be55e6bd4b023db0ee33ee4cee393770e913ed24319401df5176cb2cb3e102c53ec6f9ad87

    • SSDEEP

      24576:1yZR0bDq7NVaZfI4VPfiwotOVN0WwGUo8ggaf47wETK:Qcq7b9qP3VL//5w7wET

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d

    • Size

      413KB

    • MD5

      d9b1bbeef5c6848bd16a1818f6bf14d4

    • SHA1

      90935fd1d36a1317adc4925ab243bd2b6b3bdb8c

    • SHA256

      472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d

    • SHA512

      e06ccaeb983b83a3086c6bdbabbbad8e8e882c14beb14f3b289c98b096782a42c5f8800849c632873f5978afe513a7bc12a54597a582008c2420ec4c842c9279

    • SSDEEP

      6144:s2Cc1vkeamA7uqck0h6OjAOnHhfGRlk30YXljPVjjyjjLj4RjMjjcjjKj9mJ37:s2J1ceamvBVHhfGg30YXljW037

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae

    • Size

      383KB

    • MD5

      a4bd7b390a1aea0ac6b619a180b54da8

    • SHA1

      786b0029683758fb7e1636aa8cbf4e7ec450743e

    • SHA256

      4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae

    • SHA512

      e4b7500520e95111526b6065e075909e3035b6aeb8eab38d7cabdbfc367e909e8d7c37f58c279d8851e350fb54c4e4a735580fc28eade915cf767a35db09c8fa

    • SSDEEP

      6144:Kdy+bnr+Np0yN90QE6s8RLa+Uu+jhvDNmW+G1YqK9Fe9VJRspU58kMTi1tKCCBJ:jMrVy90os8RlUu+jhvZmpGaqIQC655P+

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      522ef7ed5dee9a88fd0e157cf30caee38b2797c64e4d3e150f0e618147156bcb

    • Size

      743KB

    • MD5

      428992dba52134bc4f24fef76b6deb00

    • SHA1

      f7ac3844b23d2ef68ce5abd29ae72e8c197404bc

    • SHA256

      522ef7ed5dee9a88fd0e157cf30caee38b2797c64e4d3e150f0e618147156bcb

    • SHA512

      81cab0e00fceccb1b9cb52e9102ca32c5821370f5293a1afc89c5f4c0ce4704114f44455f4e022c41e9f39abef338efbc55714d4a15ccbfb7d20f402cc482ba8

    • SSDEEP

      12288:FMrny902sofq/Zv6FIzBF/I6cJVVcz6qovPHcVIXJ9lwyrpr:myu1hvSIzBFg6c/VfqovvcVIZ/l

    Score
    7/10
    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8682bf8baac5da4e90ff3187b5fc619cdce2926723cce0ce1ee89e8e97a5b391

    • Size

      633KB

    • MD5

      de169c9c1956a49bf744a98a67d51767

    • SHA1

      72eb52d5fc25712eff8b9a04f440dbc53c9621ce

    • SHA256

      8682bf8baac5da4e90ff3187b5fc619cdce2926723cce0ce1ee89e8e97a5b391

    • SHA512

      8c9854bee92963dbe890b5c765cadadfbe74e2c25668332c4e4bbe160f16e69b31174e205fe59d3e4713a91cb3f4c05b5414c11f00df0762842e16d33b0388e7

    • SSDEEP

      12288:UMrOy90pkla9O0oWr9zBoFwta0Rm0c4tZhoNSK/kLn8D/ThIxVrim65Bk3Q8Y:CyXlLu5taKjcyohzAokg3

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22

    • Size

      1.5MB

    • MD5

      0fe2284542243f32ff3335d14cb3a1c1

    • SHA1

      d9bc23510c407ef9bb332b221ac74f34856d971d

    • SHA256

      88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22

    • SHA512

      e11a9ab4453e50b913d43a06ef7c37391169932e380354b6251dffd325c75a6c6cfe6324118e681e53c35f53938a8b7251fea0000cdc2cef5ee94a6efd5963fe

    • SSDEEP

      24576:CyeiDORu08MXvlRVDaMlGhfPhgjsp5tBB/W/sbrEzk3Xse:pdD8u082rdtQJPhtp57B+sbwK

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b

    • Size

      608KB

    • MD5

      1f518ef039d2a698f64f5a6c1105f825

    • SHA1

      c9691253d74e204ec795808adfc8b6b3395e9d40

    • SHA256

      8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b

    • SHA512

      abc844ff4fb6b481cbc0fea297544311ebea272ee64ce67f777fa34b1c217b788f207087c13239b507cc8b90e2279e3c5835cd0e408daf94714c72bbddb7c192

    • SSDEEP

      12288:sMrOy90eK4sPqZRUcvuEhyxbAI7eszmAx8bK8pNnhhRLmBUAe4w:6yMPqZG/Ey7eEVObK8PnhTqUMw

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      97f490d9d1c823988c616ede167b8b5d5f9889ef21b76a0949bcce168c71839d

    • Size

      2.3MB

    • MD5

      511ee23720d62a9cc14a08e82baea253

    • SHA1

      b576656b34a7c822f0ed2f172cc50ce33d83b2d2

    • SHA256

      97f490d9d1c823988c616ede167b8b5d5f9889ef21b76a0949bcce168c71839d

    • SHA512

      3459c02b5deb08871b1ff2952592f2091dadfd77976eee6976ba9d0b6f7b69d292101336cd4a88477bb1d4eaa0ecdd0ec0239cc5f841a2cb35843e52d56fa726

    • SSDEEP

      49152:FObYzPXd0EgEzs9EM/K5ivGULWeSOUIOsel5uBonB6LHnH:ms25w5dcdSOL4lwonYLH

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af

    • Size

      844KB

    • MD5

      67619038243c3ca7ef31f0f8083ed899

    • SHA1

      35c712d03c386f634071082592ec1cda12407ce4

    • SHA256

      982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af

    • SHA512

      04e9ba958fcd880ac913d869fc07253c3c7e4f7b5a9f74b8090ea03774565643f8cae187e2ae34d20a4a5059325a92168641db67edf81d03af573d794a715109

    • SSDEEP

      24576:yySzsY8Js10a3SA62+QzFy9l25fYFUxbhDbDVMaX0YEZr:ZSAU+aY21zkJUxbx3VkT

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      9cef0fe263b3b13bc92f18dffbc2e953559059a4fe8a44f0d4f1697e6d96b2ed

    • Size

      650KB

    • MD5

      914273c715ac1acda82c53cf7bbdaf87

    • SHA1

      534eca5011af43b168a239dd8aee1b3bebe69f7b

    • SHA256

      9cef0fe263b3b13bc92f18dffbc2e953559059a4fe8a44f0d4f1697e6d96b2ed

    • SHA512

      3bca57af9f19c4550897b88772cf0db27baee3c4e82b77bcdc6fdaf7934e2d548d6e6f096d7388f7bd957435e06fd9a6d84766552d2ab568e7d6118847381253

    • SSDEEP

      12288:4Mrqy90XmFM4OQNwllWWDPHjnUEisfr4S0DbMECaNv:CysmFMxQ8lWWDPHLntT4jbNCaN

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546

    • Size

      1.1MB

    • MD5

      7db592e10da1185fdda4eb02563708fc

    • SHA1

      8d2a3b604d8bbf44c44079249eaefe26b0098f24

    • SHA256

      a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546

    • SHA512

      379743136ec723ec66d5032089f5b4e647f95d008ef4124aeed1f4d14817456f76299358367f24d112e0c0fbd718fca3f3d2921afdfd10bbad10cbecbe1b739d

    • SSDEEP

      24576:VyEGUV7+MTHaZJ0jnUzctOX6qmHHGIJKnCZtgNR75qy394mB7:w3ECMjaZqozKXhHm578yXB

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      abb426fc0b0227ef36280f0fdd020d1002e8fc1cf2fb7ca9671fc228e16a02a0

    • Size

      880KB

    • MD5

      f783635cd6721f6c5c4a6c79d3443ab1

    • SHA1

      69f411458830d2f75681f6a60afd99904bd650b6

    • SHA256

      abb426fc0b0227ef36280f0fdd020d1002e8fc1cf2fb7ca9671fc228e16a02a0

    • SHA512

      45242fecc70b344ef5fe54d3283769463b33634e0f7cbbff74bb3a974022af8df6750168dc1c8f3f7dfe1f21ae2b5ae01a5dbdb88eea4d58e4ca7761b31682bc

    • SSDEEP

      24576:nyHAdQ2N3QCaeUIskCtG8PYD17xI/Dp5u:ygd9ALezXiGjcr

    Score
    7/10
    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5

    • Size

      781KB

    • MD5

      3a159d3beb7777641ab405302ccba736

    • SHA1

      b6a12d0f32715e58738f68fa9c35d2a3d72c644a

    • SHA256

      b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5

    • SHA512

      47990c1d4cd78861cec2d317eb556aacd3bd7c8d33db68e9d2dc3eab5eaa89bb874faca7a97447a36dbd553df4acda4f41d487c2175cf5325297e10a7e6738ca

    • SSDEEP

      24576:dyYQnSunE/aeuIsSC/GRLYD3kYUiTPMtXXV:4zn+ietDEGKQGQtX

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

    • Target

      b654b420110d68633e1d1bfec8f7c1721db51174713f79737cd5cbbef252d545

    • Size

      389KB

    • MD5

      7b2538e4166434beba6464390ca828d4

    • SHA1

      0594276066b13c610d5d860d7a3cf419255b1cd6

    • SHA256

      b654b420110d68633e1d1bfec8f7c1721db51174713f79737cd5cbbef252d545

    • SHA512

      5ded06a6f79f3c3f67e0a7c345bc16b746149cf3b30eed735a10e368961773feec3c08e2004340f7bdda0ceab360e2cd163359ab61ca439161f8c5de5bc08eb9

    • SSDEEP

      12288:3Mrfy90hFeSD9i3YJTUs2Wug+4+wS7EFut60WtNV/c7Fy:AyAFeSDM3YRz2WuHUSooI043qy

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cb020fc0d9bc2f1a1038f879535d484db85fe92edd2562e714b41c91bcabf01b

    • Size

      1.3MB

    • MD5

      5c66f7308c599fa90fa4b91c937fe140

    • SHA1

      6305658ffed1ef86dcafbb70f142bd71469aa703

    • SHA256

      cb020fc0d9bc2f1a1038f879535d484db85fe92edd2562e714b41c91bcabf01b

    • SHA512

      3bcde0bd89baceb953a86c0cf09cde33d541bcc77041f558188dff2956eb0374db90eae5064d171e40469dd3c029f6f632ff2cf99b67394a77e353e80d6abee6

    • SSDEEP

      24576:dyZySQLGn6yF7jc7iDI50GGCyADX6MOlNgpUJpIP9dD1S1CQ8+g8li1YQ9:4ZcHyNjguEgCyCqpJ21DZAi

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d2da12ea26f60abee3e9f52ebc6e9f23f98b160617869929d39c982b93a45483

    • Size

      828KB

    • MD5

      d75596b453d0032f6b0b4765d22a5092

    • SHA1

      ace14c0cd9e15da6638762266cdccfe7f1f192e3

    • SHA256

      d2da12ea26f60abee3e9f52ebc6e9f23f98b160617869929d39c982b93a45483

    • SHA512

      90351906bbfb4e40efad08ad952e548d9d86dd35e85cce0ea406ee1895ec38dcc52c94790f69ad12bfae8f4077532c2327d90be2d4b4e039007dfc04e403b12a

    • SSDEEP

      24576:9y2o2X7jKLje3R5omy/Qam8YQUKLt0kWF/7:Y2xUQov/VHUKxe/

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      efd69f29417bb970bec5a1d5dfc3e5df6b59d154e0f68a0c8d05cc37a6e6d0a6

    • Size

      1.7MB

    • MD5

      ab5f297515c9bc7e9e68c100aaf3def1

    • SHA1

      d3c6730d3e72bcb09792301bbb6557dc58944490

    • SHA256

      efd69f29417bb970bec5a1d5dfc3e5df6b59d154e0f68a0c8d05cc37a6e6d0a6

    • SHA512

      a4f25fd775c94cc1a1b8dac79263d514f94c7268277df001ebfc5f4284a2e8e7469beb6cef93780ffc3f2d6e3c9fe3ad2e7353a005515cc3ce5ce3496375434a

    • SSDEEP

      49152:Ad9uXDz2NBWIUezGVZtWd//R6VQflA0zXa+:XwoLP3ZZ

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a

    • Size

      1.4MB

    • MD5

      05e9aee0c4730498f92a4b4260383e2d

    • SHA1

      fdadeca4f0b56a82cbedfa6f1909bf5aeb488030

    • SHA256

      f093fc45108d6daee0e2bbf5016feeaad7009b841c3db1005b2e45a282ee932a

    • SHA512

      e0011b04e3ef5551c0c26dfedddc6b6d6ebcdf540671d770db9da28aec4becc21fbf122cfe2ba978b662e53cf7c570ce64a93141f4bf41b93a6bed2eee6640fb

    • SSDEEP

      24576:PyTWwygpGP9IF+QDSBNXzGY5Ywd8BNbSmGuf+HPhjDW9FlDS8g:aTriIEQ0NqYGMUN+mGrHPhjc8

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      fde0e8258ce7f85dd1a300cd7964ca02580d162769083c1df9c9dcbbe96d9678

    • Size

      640KB

    • MD5

      5d02cc2cafd8d15fe7d9332511fd154b

    • SHA1

      19fd38f620c5238c4f077afad97392541b20ebbe

    • SHA256

      fde0e8258ce7f85dd1a300cd7964ca02580d162769083c1df9c9dcbbe96d9678

    • SHA512

      6ff1639be7a478f7a3a335f03612d500d469b27c653b3016cff79b3ce14a224bac4deadcbc2c057f37d1c66159191dbfd08bf9a8dd273cb75dc794d95743770e

    • SSDEEP

      12288:/MrJy90iMpEEp5yKTLK3uJv/stegD79NkaUEvGAke/JLEFeBgq+ZXqw15:qyTsnXAuqDDRN41TWJgeZ+9qwv

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution
  • T1053 Scheduled Task/Job (5)

Persistence
  • T1547 Boot or Logon Autostart Execution (19)
      • T1547.001 Registry Run Keys / Startup Folder (19)
  • T1053 Scheduled Task/Job (5)
  • T1543 Create or Modify System Process (2)
      • T1543.003 Windows Service (2)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (19)
      • T1547.001 Registry Run Keys / Startup Folder (19)
  • T1053 Scheduled Task/Job (5)
  • T1543 Create or Modify System Process (2)
      • T1543.003 Windows Service (2)

Defense Evasion
  • T1112 Modify Registry (21)
  • T1562 Impair Defenses (2)
      • T1562.001 Disable or Modify Tools (2)

Discovery
  • T1012 Query Registry (6)
  • T1120 Peripheral Device Discovery (5)
  • T1082 System Information Discovery (13)

Tasks

static1

Score
3/10

behavioral1

mystic, smokeloader, backdoor, persistence, stealer, trojan
Score
10/10

behavioral2

privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
Score
10/10

behavioral3

redline, darts, infostealer
Score
10/10

behavioral4

redline, darts, infostealer
Score
10/10

behavioral5

mystic, redline, kukish, infostealer, persistence, stealer
Score
10/10

behavioral6

persistence
Score
7/10

behavioral7

mystic, redline, kukish, infostealer, persistence, stealer
Score
10/10

behavioral8

mystic, redline, kedru, infostealer, persistence, stealer
Score
10/10

behavioral9

mystic, smokeloader, backdoor, persistence, stealer, trojan
Score
10/10

behavioral10

privateloader, risepro, loader, persistence, stealer
Score
10/10

behavioral11

mystic, redline, smokeloader, breha, backdoor, infostealer, persistence, stealer, trojan
Score
10/10

behavioral12

healer, redline, vasha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral13

mystic, redline, kukish, infostealer, persistence, stealer
Score
10/10

behavioral14

persistence
Score
7/10

behavioral15

mystic, smokeloader, backdoor, paypal, persistence, phishing, stealer, trojan
Score
10/10

behavioral16

mystic, redline, taiga, infostealer, persistence, stealer
Score
10/10

behavioral17

mystic, redline, smokeloader, breha, backdoor, evasion, infostealer, persistence, stealer, trojan
Score
10/10

behavioral18

privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
Score
10/10

behavioral19

privateloader, risepro, loader, persistence, stealer
Score
10/10

behavioral20

privateloader, risepro, loader, persistence, stealer
Score
10/10

behavioral21

mystic, redline, lutyr, infostealer, persistence, stealer
Score
10/10