General

  • Target

    r1.zip

  • Size

    19.8MB

  • Sample

    240524-m15kbsee68

  • MD5

    814b97994d1a5ce4e917976bb6a0234c

  • SHA1

    38690881727dc7f5c7901b612cff90c0ed7a2bf1

  • SHA256

    dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

  • SHA512

    6304fa1b2e1b44dae297ead526ea98d10c128addf9d7abbb629f0c20ae41d82980d34d0deade734e6cdfddb859279d373a2434d9fbe1df10556c0871ac1cdfe1

  • SSDEEP

    393216:y/yezmIQSKnQb3qwuHk/XtzjkNQRTW9yNt6Yjh62RmxKvh4vxVHs0ejSo:ReSIQbnQbuHIdzjkiC9yWYjgfKJAxmJ

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

193.233.132.51

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

mystic

C2

http://5.42.92.211/

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      18b5f5ec443576ad4102d53a0366fc22c8cffc5e42177408ed6e4752ad377905

    • Size

      829KB

    • MD5

      b4d249a2e9975c57a66c06eb596c0617

    • SHA1

      567fbed16a3f02fb43c91df049b01fb81a4b4a43

    • SHA256

      18b5f5ec443576ad4102d53a0366fc22c8cffc5e42177408ed6e4752ad377905

    • SHA512

      dcf2374970097d87eb460d6c146299240b9985fd3529df776643639b807bd390256ce88a47f771148f565ba89c86820ec0428f70f067aaca7984f706a110d821

    • SSDEEP

      24576:ryz3vIQ49axlLm2n8gYaetlEhQNemoNBn:ebvIQe2NYB2mm

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      246983943f6bf8c738f3eb566fd198a2b627f5e62bc85a048e9cb05fa064ab51

    • Size

      1.6MB

    • MD5

      08dd4f1a04331e7f482a48785648dbb6

    • SHA1

      50060e856725b20d75fec4466019961caafcfcc7

    • SHA256

      246983943f6bf8c738f3eb566fd198a2b627f5e62bc85a048e9cb05fa064ab51

    • SHA512

      e0ad56ac549196cadbed4c4c2aa8d0dbd79a2754c12625ddc43ad47cb05eba2eef5f94b666107548111efce436143cbce886d445941b351128b8c3090e7af149

    • SSDEEP

      49152:eDQwiy/LlaKjlA/DUKWbNVuTYnAWbvQizMaa:V6/LlnMUnAIvwaa

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      733ef926aecde5ac2059782a5f2fb64f8fbbf625f2beb3ca397e8b56c0b4a574

    • Size

      753KB

    • MD5

      1a507f9cd10a20f8bc00027529053e1d

    • SHA1

      cc3ed1132b3fe01ed67e9ee04dc6feafcaec6825

    • SHA256

      733ef926aecde5ac2059782a5f2fb64f8fbbf625f2beb3ca397e8b56c0b4a574

    • SHA512

      32f3e6840383bd9ffd42653527984adb21126d2a3cf905d74e7ef00ac32baf44edb90ba060db7ca5a4d51608c47d86ebc4bd91b33f013710a03e9462ebd0a70d

    • SSDEEP

      12288:kMrcy90KVoZhIe/nre3W0wHKdz7FrBgW2GpRolzKuhrGFTEaHIzqYsoZQu:AyZoZhIe/nrediKh7FdxTpGZ3JGTIzF9

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      81efe73b978b0562c9e65634dc76439053942720aa56e6ff1e4cfc01f3ec0c49

    • Size

      1.1MB

    • MD5

      68bc4e67bc272c0efd4dc2ae3c71bdec

    • SHA1

      210e2c7dd26a28f613b0159d07ef6c2bdbf05f3b

    • SHA256

      81efe73b978b0562c9e65634dc76439053942720aa56e6ff1e4cfc01f3ec0c49

    • SHA512

      3b954a625c5d92f8903108df8af5758f093357831089488f436a06f32c04329bac6711f710cfb67e641394de6e53ea0273618a8c8463d92ebc5cea80b0930832

    • SSDEEP

      24576:byUaBtMhoZZpzkSeSKEBGzsrGS6wiAYivOM0vG+MHD:OUaB1eS5GzcGn5ED0a

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9

    • Size

      1.1MB

    • MD5

      08bd73921a30f3e8b3a83ccd0c7f1902

    • SHA1

      17256e6dbf837b38b5935b1e006223fe779e0eb1

    • SHA256

      85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9

    • SHA512

      db843555bf73dc1e1c822f1226ba0db5093845ca7a6d8a1f2dac61364540f332417fdd9d90d5530ec8aa2f8439e004ac1bc3868e64f01b87fd4c0124c088ca21

    • SSDEEP

      24576:AyWuMnYwIGk/9hIEIeoGc3nvlRdmtEkrTsHr7:HGZIpz5IeoT3ndmqOC

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1

    • Size

      642KB

    • MD5

      68ba92e8a25094909f917df7529250b9

    • SHA1

      dce2e66744525105b2f3ae80eb1f3ab2c3133918

    • SHA256

      869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1

    • SHA512

      000be4531b85fe06922d7182a4ca22099a677ba19d49bf7b69a4ea7bcf993fa7c13659b03b397082bb374c10f6db578f4d3c998babdfbe152cc4f64750081655

    • SSDEEP

      12288:+Mriy907x3OTU9T2AOonWUoeoKelFZM8sgbyvRDUz2uDuYQC9K:Qy8x+TUx4j3FAgby5Iz2I8

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      88bcbe8e48f13c79125efeaff65fe5dcb719586f4683dca74f0287cdab35e40e

    • Size

      866KB

    • MD5

      f94941b2ca66a0ae87817fb5ad749f7b

    • SHA1

      91c9dd2c75a47fb1d58df141f02be82ceddaeac2

    • SHA256

      88bcbe8e48f13c79125efeaff65fe5dcb719586f4683dca74f0287cdab35e40e

    • SHA512

      375d636000a9fdfbde9ca152b353f054256ed1ce5a0826f57889a1b92f384b105926140e5fa1f82e4636e83f003d381b64f618cc334ec01fe522f68efbd38d41

    • SSDEEP

      24576:9ybXtYjSDrBNRzGDFv1JkyKbo+2VV+OnG/G:YbXtY+5NwDVDrK8+22OnG

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8e3b7e61aa74a089a79cac60eb4ab68e048ad684cd4c79b7d000b22321106983

    • Size

      764KB

    • MD5

      aba2e6f1ae6d20b017b9362dde517f52

    • SHA1

      99b4a3db453e1e559aac628607fa2cd749446144

    • SHA256

      8e3b7e61aa74a089a79cac60eb4ab68e048ad684cd4c79b7d000b22321106983

    • SHA512

      77335886cc12be820fea5a46428835913dd9da761589652ea8ecc5084dcc391625f90b9412fc42c2f171e85d1b36f940f9089fb963173580bac96c907ddfddba

    • SSDEEP

      12288:hMrJy90ZkO5d14gjHIO6mLRqUADkf5P4+9ApiJJjN2E6HFAOJZ29fy+k1:cyGtd1UQRqUAD45g+9TJJMLHWOJ89fTU

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      95ebfb1a5d55b902b4834a06e334e1b7810e32d19a0d5e6890b33312d33dac7b

    • Size

      866KB

    • MD5

      5dbdaaa2b2e75404e9f5266e8f454724

    • SHA1

      9bf3a8b06027c71a48fab868074f0e029ae47432

    • SHA256

      95ebfb1a5d55b902b4834a06e334e1b7810e32d19a0d5e6890b33312d33dac7b

    • SHA512

      da5fb40ad210b375f7de85c2989484e9ad22c184dfe5e2aad13697b237e6ac13adf83f6e12a049a3c018f85e0d601b253b734f88b7504f559ae632b253d3ef7e

    • SSDEEP

      24576:iyLXtYjSDrBNRzGDFv1JkyKbo+2VV+ONUTz6r:JLXtY+5NwDVDrK8+22ONUTz6

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5

    • Size

      1.1MB

    • MD5

      257b7a3fbfab4302100f94e1b7cf3582

    • SHA1

      e3fcf617c24c32d802c5a25f102ce12e7c9d57a8

    • SHA256

      a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5

    • SHA512

      0e603c7584bfcf8ef6c9b91b6dea7bb1d905e4ff4f8f43cadea9c17f6a4132e5acb41b8953d87e440409c1d92367512596c71b4a93658e1c36ee16b137cb9659

    • SSDEEP

      24576:tyw0R9Gr2IlzEM7WeQPUu0Adk3jZQ63S5HTGsITFVsu0Urt7rxpl:Iw89GaItZQcAy3jW6C5HTGsYVBrt/xp

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4

    • Size

      2.2MB

    • MD5

      6605a2632bb83652e92d35f921000a8f

    • SHA1

      caf8df90019c136baeaa723a3d2eaac31a845532

    • SHA256

      a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4

    • SHA512

      9784135f09746f879fd95f4b028dfe9936736d63e12aba90cc2f97f73a6d0ccb2ab2137e8a2215d4ab95f8f337802aedf508736671a2fa9a5a2aaa6eed80cc46

    • SSDEEP

      24576:nyjlfVvtJc9EK8bWMw6WT0DsnpwCNeY3o7RaIRgmp0C/YN+ce5Zyakgd2/cOjVrk:ypf9SZ9MjxCECeRgmx/rX5QWSN5n9a

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5

    • Size

      515KB

    • MD5

      5f070576d61ba1ed306f4d7cc7b04623

    • SHA1

      4b5bbf436410a471f30e5d57c61320baaab2eabd

    • SHA256

      a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5

    • SHA512

      a2e2d8f6130d38a26503dc76bc6629fb28f21d8a673a189b2adeb7fdce7dc50c49f079eed7bb9df5d193adde52dece7303d6f47178559edb13b983e8f79370fb

    • SSDEEP

      12288:8Mrvy90vNkAXNmiI9rjbt7PofGEEITEpSzdGYT1rvH5A:ryod4/FtQdTEIz3FvH5A

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e

    • Size

      1.4MB

    • MD5

      5adfe625ce0b9acb6f2fcfb7ddb93ed1

    • SHA1

      bae77070ad159af4a47d9f002c9242ab5a046203

    • SHA256

      acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e

    • SHA512

      4bf3c5b513e8c92eb3d749922ad755f732e3e1808177519575dd308b5869ae190496b028c020331a2d09dd09de774843f4bed27351fa195c412e6afa1f1d50df

    • SSDEEP

      24576:HygAMt/9IiF58aP+3j9v9sjVcPJ+6Zg6lTLxw6xarOO/p/VKVncZJW56R1L:SdX88q+3jRGVE86Zg6hy6xarlxEnc5

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4

    • Size

      430KB

    • MD5

      fc7df24f11e087d817e2abee603f906f

    • SHA1

      566e926835f33aa194eee9faba8f12010abdef85

    • SHA256

      ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4

    • SHA512

      5bbc81b096941272c6400b939c5715ca2d570a3e395a389af8c7c365c10adb54152bbe3f9f49939cbe617d0ad666ddebe2d7394f3c0126c256310b88641d0143

    • SSDEEP

      6144:KHy+bnr+Dp0yN90QECGagwOJbG6eYFJSj0X7DVCXGrLVZOxnZY16fWb6p8Zhq8R:JMrLy90oGagZJIOxXtCMZ6ZmTc8/Rzs

    • Score

      7/10

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      b5f2197dc65f7c8ffbd0e39caf14248edd08aa46f69db02db370ce1daa32ebdc

    • Size

      761KB

    • MD5

      61065f9fbf46c0861e8c3ecbaa9e81bc

    • SHA1

      739dea869c300661557b9fcd417ca8479d8b2cd3

    • SHA256

      b5f2197dc65f7c8ffbd0e39caf14248edd08aa46f69db02db370ce1daa32ebdc

    • SHA512

      6864f2e7bd6804cc6e81180a21647adad8cd607f4a4c5e1606d061442aab399e232e6318dae9b310a0fb423244ce017db8fe80824845ce9cfc20b61be2fb6408

    • SSDEEP

      12288:8MrBy90jw58pcXVJUADdTtRFm7Eb9Bnsv1I1Xv9dVqtsjzymJft2swEaTE7Tie:dyIw531xtXnBnsvilnrjzftzUE7We

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c35481464455ec62b97d08f9bcb8ac75eadf87ffc4cfef30c3c3fd9edaa597fc

    • Size

      1.9MB

    • MD5

      c42921cb8c80153f6b5f5d65f8f85618

    • SHA1

      4205f3f556b840eece3fd1562bd5aef0b425f791

    • SHA256

      c35481464455ec62b97d08f9bcb8ac75eadf87ffc4cfef30c3c3fd9edaa597fc

    • SHA512

      0816afe793ae9a22faf85e9a7df3a388c8e37f163a36e0aa0de82f17c04e74454f4cbe806c82769fa12222f35a1e2a184b8be88a9b9c2b9e1d1c3aba1d07a900

    • SSDEEP

      49152:RqgBPPawUWEUczq9ltHy2OG6ZDGq4f5Yrd62eKUXu:cWPPPHlHy2O9DG6rsu

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82

    • Size

      1.4MB

    • MD5

      d124366ab9ab93de3da5489c9ea6b92d

    • SHA1

      cd39f187e6df38d35d54e3015e8d4a75bcee4ecb

    • SHA256

      d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82

    • SHA512

      dbfe9497d6b5bd6fef782e3d42e4b4927fb0007c3def129bc96efbe9e065dbce5043dcd72f11c178ee2bc92c93792ed9d705e8984f511a9a475c9c78dad278d9

    • SSDEEP

      24576:FyYD7grTJKqXHTw/ruN4HY5+siC6DjwwuDs0jba+rR:g27grXXoruN4HY5qC6fY

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d49cc2c52587d7ccfff0f04de2d9313a7352fee098cd64deb7bb55ca2cecd7f0

    • Size

      866KB

    • MD5

      74f2c581520aee44124d1ecdf3aa6d9a

    • SHA1

      5d5304e9b23009acfe9781b20a1c50ae23c8907f

    • SHA256

      d49cc2c52587d7ccfff0f04de2d9313a7352fee098cd64deb7bb55ca2cecd7f0

    • SHA512

      9236fda581b9c547bec956533044e16fd174d3a6462136f6a64c56e882f1b6f6c489001b80b7a3b05b76c84540dbfba2231dd238ddd2c90bc6943575fd1c13d3

    • SSDEEP

      24576:XyYXtYjSDrBNRzGDFv1JkyKbo+2VV+O08/c:iYXtY+5NwDVDrK8+22O0G

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6

    • Size

      511KB

    • MD5

      ae9b91adcf67c2bd0ac2a681f05c0adc

    • SHA1

      0da2417ee4c5358398e349e185ab4da6424abef3

    • SHA256

      e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6

    • SHA512

      25b43617236d4e9b65bb0ab17b3aeb80ec68420dcf44a43f43844ee41eb38e7b1ab7fa5baff83d68b125bb79168b12a09efda0719f0d6809c83bf5abb8c74712

    • SSDEEP

      12288:IMrNy90+79pyDHwaEmfFr+dJY8TUs2Vum+4+wSR1Fdsjh2h:1y3pBlUFGYSz2VuRUSnYjh2h

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e622b4622421bb1baa18a66801c5d86fb7ae8872788326cfc9670abde556f2bc

    • Size

      1.2MB

    • MD5

      532e3b016db6a24e80c0f70e8eb4b82d

    • SHA1

      a8c81845d2f59a7ef48710a63718f2d24d91d4f8

    • SHA256

      e622b4622421bb1baa18a66801c5d86fb7ae8872788326cfc9670abde556f2bc

    • SHA512

      075716fdba9f8df325bfbcfd1835cace75bb91bf2d667ea35701f935da7749261e51294d913432783a7e55f8ad878887bfefacf8edebb305bfa6b812f0dd05ee

    • SSDEEP

      24576:Ry8RQQD9AD0gB0UQuouSXT50qdmMizV6146hQVNs:E8RQY9AogB0UQuo90qdmMJ146h

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

privateloader redline risepro horda infostealer loader persistence stealer
Score
10/10

behavioral2

privateloader risepro loader persistence stealer
Score
10/10

behavioral3

mystic redline kedru infostealer persistence stealer
Score
10/10

behavioral4

privateloader redline risepro horda infostealer loader persistence stealer
Score
10/10

behavioral5

mystic redline kukish infostealer persistence stealer
Score
10/10

behavioral6

mystic smokeloader backdoor evasion persistence stealer trojan
Score
10/10

behavioral7

privateloader risepro loader persistence stealer
Score
10/10

behavioral8

mystic redline kedru infostealer persistence stealer
Score
10/10

behavioral9

privateloader risepro loader persistence stealer
Score
10/10

behavioral10

mystic redline kukish infostealer persistence stealer
Score
10/10

behavioral11

privateloader redline risepro smokeloader horda backdoor paypal infostealer loader persistence phishing stealer trojan
Score
10/10

behavioral12

mystic redline kukish infostealer persistence stealer
Score
10/10

behavioral13

mystic redline smokeloader breha backdoor infostealer persistence stealer trojan
Score
10/10

behavioral14

persistence
Score
7/10

behavioral15

mystic redline kukish infostealer persistence stealer
Score
10/10

behavioral16

privateloader risepro loader persistence stealer
Score
10/10

behavioral17

mystic redline kedru infostealer persistence stealer
Score
10/10

behavioral18

privateloader risepro loader persistence stealer
Score
10/10

behavioral19

mystic redline taiga infostealer persistence stealer
Score
10/10

behavioral20

privateloader risepro loader persistence stealer
Score
10/10