General

  • Target

    r1.zip

  • Size

    17.0MB

  • Sample

    240524-mb2gdade3y

  • MD5

    78d1c98142e7a1a0cb5d23b055f60b7c

  • SHA1

    818d4d217cdbdde29476ff4ebbb52419a745767a

  • SHA256

    dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

  • SHA512

    5326adba87e5a331b782a9c3d9605cbab1335014b17a274e7517c5d6b0defa30bb37432bd49ff3884e014ff8dfce1048030cf2d2635926dfeefa3e8e19a0ad91

  • SSDEEP

    393216:hqGSHp9cz+ExDpX/76jfVueP94oMRJnnv0jDduqEqTUAT:kfpdExdXj+fVuePORZv03dEpAT

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

redline

Botnet

magia

C2

77.91.124.55:19071

Extracted

Family

risepro

C2

193.233.132.51

194.49.94.152

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://194.49.94.210/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

plost

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Targets

    • Target

      15dbe47ffc282036b5b74c9775a05b1985197b01705a5e5240936b02f6f8c2c2

    • Size

      878KB

    • MD5

      430d4ddd9926c78ec33815c6a675c127

    • SHA1

      9928ac37f6349c30fc35fd71404f9d61c9e534b7

    • SHA256

      15dbe47ffc282036b5b74c9775a05b1985197b01705a5e5240936b02f6f8c2c2

    • SHA512

      f15900a68de711c481c5c6858817fce486dc78e6c4142ee67e5063e0b132c9ee0825186e74e9e745a1823351c2ab7032eaeed93ee425c29491871e83e8012c2e

    • SSDEEP

      24576:gyb/PaeUIs8CtGEPYDVUBGE4evvuchgujj:nbKezhiGL5E4eng

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

    • Target

      259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83

    • Size

      782KB

    • MD5

      a6f4f009430e3d9254d86583cc3b8b30

    • SHA1

      f27c4206c15f52751fc099bb272c7c489b1170d6

    • SHA256

      259d304678a712b51f1187d33ecd946f12224f4900cad091b3a39900d04e9d83

    • SHA512

      72f4d39b63f3efa257ae72ff958f49ee2957ee1ddc3a4e965702deb84c43bfa7283fa55ffa23a935522e0347c9233bb13ab3a40eb8f9be82b2622e4a340e2fdd

    • SSDEEP

      12288:wMrGy90Fa9hT6A2bABaex4IC5GpCPHGVdPLvTMXiYQdDR+ADtHgNDnwCxVYcXbN7:mybOAEwaeuIsSC/G3LYDoZIwCVpb9X

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

    • Target

      2692caca2a880cb62bad959791f7e78945d5e600364901df7fc8de45a268a520

    • Size

      479KB

    • MD5

      d499e2f474c8e4d29c388869829a7596

    • SHA1

      4fa5039317f8eccfcf961c7185e64e01623a73ce

    • SHA256

      2692caca2a880cb62bad959791f7e78945d5e600364901df7fc8de45a268a520

    • SHA512

      be84929c9b98f3a7158666e2df339f10552c32978eecd8382f36f9b142343f1db69318a35f0862da19258379bbf71ba99f03c81a2542612d63ab04cddd96d535

    • SSDEEP

      12288:LMrZy90Id12LTOXvJRUZDstpVEbwgRnO54pnqLRr:iyoTOXvK0pOlRhnqFr

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      28a50ab6e2f0c1302196528ba89864cb218567116ae9f4a7ff25ad2517acf510

    • Size

      881KB

    • MD5

      cc2e5e7ffc0133fc14e8654b0804bcec

    • SHA1

      b3d0700fcb7934976388d2c0c17895e9e3f14bcb

    • SHA256

      28a50ab6e2f0c1302196528ba89864cb218567116ae9f4a7ff25ad2517acf510

    • SHA512

      c2e0d2c2fc35044475361a2778c589df7e15d621944d9d044f27face34a0d1a2e280cbeb378022431b3cd60b7ca9c2044f54d30a033f94c271f321f876e2ae84

    • SSDEEP

      12288:3MrBy90z7T5xy2dMxJv2TMhvDddoEOHU3M6VndV8TgwlinSVb8YHIES0Vj3sS:yyQ5nyJkMhI503nVIiw4YHIlIj3sS

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4

    • Size

      819KB

    • MD5

      87669b0b3386f233e60d07ec9d7a4076

    • SHA1

      7a5f0671f950acc0140ce7403151f659a3079926

    • SHA256

      4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4

    • SHA512

      db587a5b1e30be1abb0f4cd35c8e15766371a0fada39e610588bb7f96fd237b58344af6c0af0387b032fc3bc1830eeddb8bc4b222e7793ce4ada776f541e6da9

    • SSDEEP

      12288:SMruy90Vnypgv7Q5k9VIcYRzL+dEC8lufg0WQFwm7zY+sOR2M2/SLSgxGwmCtp7o:IyBl1V56b8lsvFwm3zsOZgeLp/k

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d

    • Size

      591KB

    • MD5

      aa53efb806f4884fc8c93a3cbd9c060d

    • SHA1

      9815cb95ebc875b9dd4bf3c711941fb02b272686

    • SHA256

      5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d

    • SHA512

      e3e944a5579bae8e139a85e32708bf4071dd188da05ac592fbfb60c0a312830e0230eb07952702a05b228e8cd7c0dedefe3f850006bde525b1ec1250fff19855

    • SSDEEP

      12288:FMrNy9038LNERyDpyHzz6szWZ9F/QnRtS2HU7giJj:syH2yQHzu3fQn+RUiJj

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5f5fe0dfe7abbcda9826593f0816a3b72630e87a3d058a3382b48820dfc0f3ca

    • Size

      334KB

    • MD5

      028bb2836faeb4ed911711bbae9ad27d

    • SHA1

      bd16951419c1a78c8e23f0e1666249ca3e50c409

    • SHA256

      5f5fe0dfe7abbcda9826593f0816a3b72630e87a3d058a3382b48820dfc0f3ca

    • SHA512

      7bf790bc6aaa9663817770a418bc96c7738d4efd2433dcff9c616cb0c37bf42d7db10b4019b510ed2d069cb38374cb2faa2a0bd0b2f3adf5e82b0da1f2adf170

    • SSDEEP

      6144:Kby+bnr+4p0yN90QEpQ4eSEo9i3CbxJTUHMh8WZP0g+4+WHSWp3WdnYK:NMr0y90bFeSD9i3YJTUs2Wug+4+wS9j

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6

    • Size

      1.1MB

    • MD5

      d0d194be51a5db58d5a70d55a11f2a4f

    • SHA1

      874dd824189eab5d48557bf6c86f9bea8fece28c

    • SHA256

      6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6

    • SHA512

      4d1e6fef7b8233791e46e51e2f0a21c2a7ba6c85f1b25f7f994b5692f0f7a53f27ce6a15ed8364e12842b176a50ef6df4a93322807bb4350a49d98c61913c7a3

    • SSDEEP

      24576:oyheIf0FTqJGh5A+cexouCaqGDT5C2uVG6TDI:vheq2T8+cXJ5GD9JuVGe

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b

    • Size

      461KB

    • MD5

      dd419151f00f410c2e9f6b5a355851ff

    • SHA1

      5eda780b952b3e7904ee5fb94c7fc462dcc9f4b6

    • SHA256

      6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b

    • SHA512

      6dc62e99f3b4872283746fa23fbb925b6a486c72410838e11b02a2789251abc335c246e4616536e3a3199136b851acccb1ebbae07af3963b233f02e5c7ea3641

    • SSDEEP

      12288:29Ov1xnszhKWlFCCCCCCCCCCCCCCCCCCCCCCC+CCCCCCCCCCCCCCCCCCCCCCCUfc:29O9xn8/CCCCCCCCCCCCCCCCCCCCCCCP

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      6ffb586f674fda7588cfb5e9ebac49e43e607069c4c43597e624fc42ac70b8d9

    • Size

      2.6MB

    • MD5

      1a1058c701c5810b3adfe782a470c0e3

    • SHA1

      97265e29f0f085bcb621f89ad13f195fcdd9dacc

    • SHA256

      6ffb586f674fda7588cfb5e9ebac49e43e607069c4c43597e624fc42ac70b8d9

    • SHA512

      02d7a68186d8a2df2e5546d7708409011e58476bccd4f4ec72e051c165bd9801b4532bc0d50eb4a486139dd735d818a6b5da65a3828eb72c52504c962a987065

    • SSDEEP

      49152:t/GsV1Sg5cxkVxWe7zpi14cUgveujfcHopu2ijp0mUrJa7dgc4upkwD3:xGsvSgiGFA3veYfc6Cn/dcup3D

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90

    • Size

      2.6MB

    • MD5

      d21f9567d6dda14a5e3e3ae7a66b06c0

    • SHA1

      87ac62ba9d060d485d6b415b0a62eb5dafe7551c

    • SHA256

      73c6d3d5d789b4c1b22119cf829a0a27609d598ad9afb0d622c8abb66982bf90

    • SHA512

      fa63ef01801903182b3aca8cebecca0117a2ae0db22148591c4f6abb5a4df1f612def10e6f07d435bd678722430fc02de92cf9a183417533368a242551d92a8e

    • SSDEEP

      49152:KGonaL0kNsEzseJ8vVP3dk/vKj/ElTdd921W4M5AMCa0UU7Wd+RfylY7R4:zoaNenvVfdkHKj/mxX0cAd5UU7C2yy7O

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707

    • Size

      578KB

    • MD5

      e839203e1658c8119fb1e3aa12bdcb83

    • SHA1

      16f93463c445b1059c954ef2f756393eba6d91a3

    • SHA256

      75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707

    • SHA512

      80c1c67114e162187daa55d8d750e6d1f968ebf1df49e15e251ebcc3ceca84341ab049dd185fa243cfe3843c22b5e9138560477eaaf930e944fe6386bab864e8

    • SSDEEP

      12288:7MrBy90CRVUaLCHFbwEyZft7zaU+RohaPvFab/Oheyg7oPfmKfe:iyHRVUCCHChZF7zaU+RohdOtmge

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      8a4cf2200249c16ad339a708d70a7a76427cc48fe52e324e22cb2b14c043a4f5

    • Size

      944KB

    • MD5

      c6207a8cd7aab76783c2c6fd9be2a94d

    • SHA1

      157b2a427951969ed6bd375451bd04d93d8f6ea1

    • SHA256

      8a4cf2200249c16ad339a708d70a7a76427cc48fe52e324e22cb2b14c043a4f5

    • SHA512

      a80609861bc0aa812f08ce6a06466fe54070a6da8fd8d349150ee5cc0a3d4b495b9c1122f90c4f84f31969791cfb28d8804d069a6da43199004e04e6f28197ce

    • SSDEEP

      12288:ldsHXaWChEJ1kEEHM64Yz3cKIP+IkPVx4nQ0XyDF7uJk8gnboDIiJ:K2hEJdEHM64cmPFsL4nwDFkj06

    • Target

      aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3

    • Size

      1.0MB

    • MD5

      9f6c04bd0bbcf415ffa42768e2183a73

    • SHA1

      a44f938d1c7ad1fc21882a00da4d2f35af3174b6

    • SHA256

      aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3

    • SHA512

      a7075b29cb0a85620f641ed5d72acf198554a0083925a66e0ee2313edf169321c8167058c94004077c31f94cbc2b7a1a5c9d094cb27e26925dcafd6e08788f5f

    • SSDEEP

      24576:Kyv+2Lx/11SMH1d7yboNDkwZmaujBRgSbRBl9Srlb2NP:Rv+K/CavNY4+zgq3srlC

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c4259cbbbeecc45ba6b72e216489e0c0f668de9a18069a255c88f5440350243b

    • Size

      866KB

    • MD5

      41d169aaef9f27d00b12c4a01e989c8d

    • SHA1

      273f77db02efdf7d56b50240bc80beb927a64425

    • SHA256

      c4259cbbbeecc45ba6b72e216489e0c0f668de9a18069a255c88f5440350243b

    • SHA512

      7910c97b3461ab117164a18fc60e7a1febea420221476d017c4c34dc271e3c0bba8a0af3e2505c85bdc7ea3e3b45ea619e46d226ef4579aa8c666c26a688f2ef

    • SSDEEP

      24576:r0yOXtYjSDrBNRzGDFv1JkyKbo+2VV+OvCvB:POXtY+5NwDVDrK8+22OvC

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      c71d93f73909af1aaed89e205cf18f3305701f5725a7f73bc47959ec2fe389fb

    • Size

      866KB

    • MD5

      cfeb8f03e651eaf7107e1b6b559cb8d6

    • SHA1

      7a6c302d6add428b448a7e4ad688001227046d62

    • SHA256

      c71d93f73909af1aaed89e205cf18f3305701f5725a7f73bc47959ec2fe389fb

    • SHA512

      d8bb37554f97c09afb0a0055ab99715f653387cd1299dc20cf40c4b68db51307d9f5513ea3525c29f900598c881fe2e4494032e3c7e58d8d20e73bb7d8b83ba9

    • SSDEEP

      24576:W0yaXtYjSDrBNRzGDFv1JkyKbo+2VV+OMVqTxwn7T:maXtY+5NwDVDrK8+22OMVqun7

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467

    • Size

      1005KB

    • MD5

      2f7a5b2d59577659c9f080663409717c

    • SHA1

      a98855facd4097093341b6e4f1a896661cf9cbd0

    • SHA256

      c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467

    • SHA512

      ad2c86f149cb756c89a3325526845dfa1b3be20bc5fbc7a2db5bfef1c7910fec36fb1eefb72fbf5fdcfe85e8decac2eb4e02423f8ec9cf6e1db5922ece1b1f72

    • SSDEEP

      24576:7y4fy2UEUYhiAFoXAvwOCP+sy0aX3DcsbrkBoV:u4fy2XUYhiAFpvwvGsy0aX37Hv

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d76ee17b4a6047aa98a5b0abc7a035b345706ef3087c8b527b238db6e24fdbb8

    • Size

      398KB

    • MD5

      08e1645bc9a8eae739f244b825bfe1ce

    • SHA1

      e66004d3e1cfa6522d69501c568619f42188102d

    • SHA256

      d76ee17b4a6047aa98a5b0abc7a035b345706ef3087c8b527b238db6e24fdbb8

    • SHA512

      b4c686911c46f84210917a3fd3dbce0497cc9c113110e6e60e8dcc244dfa703c14d1bb5cf17d86244edfc19bf2e85d0cf34cfae0ffd112c0ae430cafb89dc754

    • SSDEEP

      12288:CMrry90dBJ/gL9NbUPqkDEkbu9Ct5rRhJnak9w:hy4BJIR9UCkgJQzP9w

    Score
    7/10
    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54

    • Size

      991KB

    • MD5

      f68673838cfdf0022d6c83718855e777

    • SHA1

      e6f2d528fd01636b01e25e9d13820d2ee98e6685

    • SHA256

      ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54

    • SHA512

      913477ffae714db951880d9097d310cdaf6c440db34d13c6bb48b7ac2e5afe3fc27bb20cbce8f7fe65374a3c6911b3ee389b47b4749764774eacf353734f3215

    • SSDEEP

      24576:cybquWadjzZbfJ0bQlr8RVFiMB2ahB/Vbtys:Lp1djFbfJG0BMvf

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5

    • Size

      644KB

    • MD5

      a119f408d6f9327beb89d3d0567775eb

    • SHA1

      0a2087df9196da35d1ab399859bb1b0686f334b3

    • SHA256

      fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5

    • SHA512

      f3dbf32f8aabb589f736cddca2ad9f209ad10d06eb51c2334bceb6a17b93f1d18412366d87cc81bc8bf33b0f2cab04651f8703d0b9fc1d5b0cd440d840a3079e

    • SSDEEP

      12288:NMrOy909b5rILTLw/aztAjCM603Ss6Uv5zu4mcxvflBxg+CUb:fy+b9oTc/QWjq0Vzvp9DC2

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

mystic, redline, taiga, paypal, infostealer, persistence, phishing, stealer
Score
10/10

behavioral2

mystic, smokeloader, backdoor, paypal, persistence, phishing, stealer, trojan
Score
10/10

behavioral3

mystic, evasion, persistence, stealer, trojan
Score
10/10

behavioral4

mystic, redline, smokeloader, breha, backdoor, evasion, infostealer, persistence, stealer, trojan
Score
10/10

behavioral5

mystic, redline, kukish, infostealer, persistence, stealer
Score
10/10

behavioral6

mystic, redline, kukish, infostealer, persistence, stealer
Score
10/10

behavioral7

mystic, smokeloader, backdoor, persistence, stealer, trojan
Score
10/10

behavioral8

mystic, redline, lutyr, infostealer, persistence, stealer
Score
10/10

behavioral9

redline, magia, infostealer
Score
10/10

behavioral10

redline, magia, infostealer
Score
10/10

behavioral11

privateloader, risepro, loader, persistence, stealer
Score
10/10

behavioral12

privateloader, risepro, loader, persistence, stealer
Score
10/10

behavioral13

mystic, redline, kukish, infostealer, persistence, stealer
Score
10/10

behavioral14

smokeloader, backdoor, trojan
Score
10/10

behavioral15

smokeloader, backdoor, trojan
Score
10/10

behavioral16

mystic, redline, smokeloader, plost, backdoor, evasion, infostealer, persistence, stealer, trojan
Score
10/10

behavioral17

privateloader, risepro, loader, persistence, stealer
Score
10/10

behavioral18

privateloader, risepro, loader, persistence, stealer
Score
10/10

behavioral19

mystic, redline, kukish, infostealer, persistence, stealer
Score
10/10

behavioral20

persistence
Score
7/10

behavioral21

mystic, redline, smokeloader, magia, backdoor, evasion, infostealer, persistence, stealer, trojan
Score
10/10

behavioral22

mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
Score
10/10