General

  • Target

    rr.zip

  • Size

    30.5MB

  • Sample

    240524-nfxveseh8y

  • MD5

    8c65780877dcee2eeb50f5424c999e7a

  • SHA1

    c87aaa0d426c64b2996ef2caba1f61c67fce7a05

  • SHA256

    5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

  • SHA512

    34941a6c84ad908f79fe2cdf4bc1455ba2462230a952fdd12fa3b6e37c62ea0aaf4ce4326d1a568604e686024df5016c72e7031014c8a62adb6d9bc48fd10ccf

  • SSDEEP

    786432:pYawNE5N0WMw1obq/GCoLxW6OSFy6zlPes6TfjM4M8:plwNEVPHn6Oiy6URLjDM8

Malware Config

Extracted

  • Family

    risepro

  • C2

    193.233.132.51

    194.49.94.152

Extracted

  • Family

    redline

  • Botnet

    horda

  • C2

    194.49.94.152:19053

Extracted

  • Family

    amadey

  • Version

    3.89

  • Botnet

    04d170

  • C2

    http://77.91.124.1

  • Attributes

    • install_dir

      fefffe8cea

    • install_file

      explothe.exe

    • strings_key

      36a96139c1118a354edf72b1080d4b2f

    • url_paths

      /theme/index.php

rc4.plain

Extracted

  • Family

    redline

  • Botnet

    plost

  • C2

    77.91.124.86:19084

Extracted

  • Family

    redline

  • Botnet

    kukish

  • C2

    77.91.124.55:19071

Extracted

  • Family

    redline

  • Botnet

    lutyr

  • C2

    77.91.124.55:19071

Targets

    • Target

      0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2

    • Size

      2.2MB

    • MD5

      b4c3f77e4969034efe656de8074b807a

    • SHA1

      69f25a7302e9136a6cabddaf887400da77396cbd

    • SHA256

      0eb0accf09d83ec290b068c81be5e6c35e15cd72f8c10f74ea2ed429b7fcc8b2

    • SHA512

      03f82abda501ed46c71c4f30f42b8f5da1c786af2335109ffcf6143b2738ce54b65f0114866c33ce983f15e2db50db01938a1484b9f2c123cd30f69efa61ad33

    • SSDEEP

      49152:rl+1gFaedI3UP14VGoijicHYgZLsKNYtSxRY4jMIvPM+:2wI3UdaxGD4SxRBtPM

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      24941336d0128a7ae974066981d3a1f75cc9af91a69a49b292688943f69afa72

    • Size

      1.0MB

    • MD5

      bb9900689940b2154b9b395fce9ad47b

    • SHA1

      79d1ae33512de00466f9d94ad218c14db69aaea8

    • SHA256

      24941336d0128a7ae974066981d3a1f75cc9af91a69a49b292688943f69afa72

    • SHA512

      c1dd079b33cb55034d77baf46a34710ad737c5c59796b2394c252749e937e1039e5a82f79afd805d019f29647b726bb46a295231bd6142f5cfb24facd625e52b

    • SSDEEP

      24576:9yeBW5OU02BlbIchjvrU//0Zsfi0EJ3uiS2sTRqJ:YeBbCscBw/4sq0EJ3uiSh

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998

    • Size

      1.3MB

    • MD5

      86cbb67c990eec1b056fb82f113bebbf

    • SHA1

      dc1ffa43dc573d580c698f8a350f33fbb7704a93

    • SHA256

      26a2cda7a1e823b15014df6457ead29cc24ca1e9d7348e5f7ce65fac3e640998

    • SHA512

      9f0752b57f62dd6f397c24c92d9efa143e603e10347f6114fbf41cfdeed0906f88eef1d6a8cdbcd88ca6e2e0c7b91ab6d897ca89830c4ff1ececaaf0df05e249

    • SSDEEP

      24576:cyY2jqXwFqvrXZsVeppEX0tywAQWg+UZGfRhwcLXvRMKUPR:LxjqXwirSWY0tymRGdXpMLP

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      29d3a95944732180e7b649fa96bb2f15636a9658a83828117964eea5a39c72db

    • Size

      1.1MB

    • MD5

      65f3094287ecabb93243414da30c83fb

    • SHA1

      618b22115bae825725f7e9544060ab66ac1a889b

    • SHA256

      29d3a95944732180e7b649fa96bb2f15636a9658a83828117964eea5a39c72db

    • SHA512

      deb98c2947fd3a84cd4461c712394c00ebbaf5317c3969bcc3fcd8ffda4d58dc78b24992dc9f0d933302a57937d1cdc84749fa55f311ed3ca6ed6a29bc7c406f

    • SSDEEP

      24576:JyIlMs03q2/LvDsuZTe+tCbubF+KSSguGnS:8yMarCTgSbZ3x

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b

    • Size

      1.5MB

    • MD5

      c8ac1db7f2f53e0694220cb03abc8272

    • SHA1

      b4cdc41ef7aea4375f230bd070b1a10e2dcac88a

    • SHA256

      2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b

    • SHA512

      62ce61598936aebbc62fa07e1b361658156e30a27960b1f61f0a595a4548ea1d4c03c1135433c37a24bc7fa1c2d64434be8dc0c5600c796bdfd4f3093490f75b

    • SSDEEP

      24576:8yDJ1g7XSiYHKHSZWbh7cwf+iGDJtYt4WjLfGxeVFlmjURMjxbkr1sibIkx:rDJe7XS/KHcWFAwf6DJtY5L+xeVFzMjN

    • Score

      7/10

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6

    • Size

      2.3MB

    • MD5

      c3d5c7226492ba7e93bbd9ad9276d679

    • SHA1

      f10dc42f76340c27d7c11324f2906ebc8dafcacb

    • SHA256

      33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6

    • SHA512

      b469ab72e1f552476d4f1c4fa99a6084677e064ffa00e675083fdb35cb835d107729fb3b5143dd54b1aca11a3fea406d5704de3ae2c755d886c557e1a38329cf

    • SSDEEP

      49152:EzrKxn0THgvqeQre2p7A9TwDMxoZnsrcsGuRA:ue1egiDemMGMxcZm

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918

    • Size

      903KB

    • MD5

      468625bfbc5b9c6f04d805bfa3e1546a

    • SHA1

      c39e0852f79372afd720d45fada6fb3906d8fc35

    • SHA256

      40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918

    • SHA512

      24a8e52c281133cdc127f7e8e1ea23e0ecf57ae38247e6b63115159e11b746050b405d7d7626b2fd79283bff59ebdf3c390c2df40ca5965e0c7d0344ef98250f

    • SSDEEP

      24576:Iydo+8kfdQKKtL/CJNyci1baTTnXT11Lp1ftA:PdB8kiKCL/CJAP1bafnXDpJt

    • Score

      7/10

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9

    • Size

      2.4MB

    • MD5

      8c2e55dd1044f4892380ce8657f5a600

    • SHA1

      75a534869704df93d70fe71086b3777fb9a39a5d

    • SHA256

      48cb6f7d0b36f2bddf99dded0256c01e0ed197a5ea74b14bf98bf561c0cf49c9

    • SHA512

      37b4266fe184fae9a7898b37286f5d9871067bbf80a771b2576c3a44a0a202278ed260ba9468f368e8a2d41cdfed51c567304e261c2c9de40b3fc0c07cbe31f3

    • SSDEEP

      49152:6snSWMa6fYkSgV2kfXah4MMd1n/4UDtNnKe3t6JkO8o1P3f2p:1l6fYfg4EayBFDznKa6/8kP+

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      542eb4afaab2b90e95d070cb150ef76e8faa23f3afdd12ab49978cbb72dd389a

    • Size

      430KB

    • MD5

      73f7d4e8343709104d395f26489cc42b

    • SHA1

      3647210a37ca4eb97210721a09470ae5c2023985

    • SHA256

      542eb4afaab2b90e95d070cb150ef76e8faa23f3afdd12ab49978cbb72dd389a

    • SHA512

      38c32d8eec98525618c1fa38f65e080f065b9dcf64093b88f88d9bc9ddc821c4e3b25a60b7fc8612cffca4446c7c79433be9f17b596de7e9610db8c0ce867cb3

    • SSDEEP

      12288:aMrHy90uY55c5go2JKza1OfB3JlEy3+mzS:tyzAigJqaofnqyul

    • Score

      7/10

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a

    • Size

      936KB

    • MD5

      384142bba3fe5feebabb59a1013abf4e

    • SHA1

      63005b7752afd90117e435958a088af26189f279

    • SHA256

      6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a

    • SHA512

      ef57a899e63b4311e98810cc9e998d8c3571699a959bb0b381905dc8313364c93ed7c051511078d4aa65d800ae5fc5ef0f81861adc423ecf889521979d097f4d

    • SSDEEP

      24576:ky/TRNN+q1jO/oCxkTtJepAZU/4eWGgkQAdT0:z/F6ql/6kT7epAZUQwQ

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea

    • Size

      1.8MB

    • MD5

      3c48d87b5cd6967b58c746fc78e70624

    • SHA1

      544da193b8ac757c57059cc657e3f128869c96d0

    • SHA256

      74692ca9aa25e702576e835faf8a87d99d208bf02a87a5cd0cca52088e2e27ea

    • SHA512

      3606e207e8895ed36a387083256d485e997cbf4f4691ae91ae16c1c80cabab505af6b46c521647a69dccec8a0db6fbc62c48ab72f543eb89fb43953ac55cc225

    • SSDEEP

      49152:sB90j4GlIcJysiUv3lWsK8EeCqdTGl8tF:k0EWl91Wsdj4l4F

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      759eb38c21f37bb8710a051f23e7ca3b1fca3fafe197b70c2714bc36c21e87de

    • Size

      2.6MB

    • MD5

      2f237df56b0d9a34018f8194c7930bb2

    • SHA1

      0a910da14ff438217323d219e65ac7f5ccc162e2

    • SHA256

      759eb38c21f37bb8710a051f23e7ca3b1fca3fafe197b70c2714bc36c21e87de

    • SHA512

      b92fdbd542ef639bba2707ecf8e82182bc5f0394c4f0107ba6dbbc89225fce401d9665a18bd3bf48b4666d5ddacb2dd2cccb768da50e93e222ec13514d927d3b

    • SSDEEP

      49152:v+Coe9XEDMEUkQSmGzVDprZBO7Eze6y4YCaT1+ousBNLiZ6+eC:WCo6rN70QcyrfR/+0+

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c

    • Size

      2.1MB

    • MD5

      640cf51ca743fca3bace6bee7259a7b6

    • SHA1

      98cd5880e72e0468dce7132d38d104a974d63466

    • SHA256

      858cb57de5b9461a30d4dfd6c797315d00f9582d8210518ba989d761e6fb490c

    • SHA512

      f42d2ab641a0da50f8dc61d7da4c500b222f0361b310b55d5dda037be1dc331d7c009da99a02e6b0ec3a67c6fdcebe73b1a8ec911673fd7ae603a6ad41dd2e6e

    • SSDEEP

      49152:FkyMH+ZmK931igX4Yqua48YEo6aT3wmzMSZyd4LlSLwrfuasumyGfnZn0Ee2:OyMelZZs1o6bmISZyKLl642a2yGfnO7

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527

    • Size

      2.2MB

    • MD5

      41a5588669b0b38da40a5930eb6425bc

    • SHA1

      d3f879a49d16a82b0deba11f61f651776e926a9c

    • SHA256

      9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527

    • SHA512

      d3c8004487b9b7d752e1128f6d0f7e01bd893f21fda77e1c46fa4799a70bafa5457d5e8c91d802c05022968f2dc8d25ac21d4045853a0b7558e1cd2d04234828

    • SSDEEP

      49152:xlyS7Fm/SvrozpOg0vs71TFrRAPmtftq+1PY8Ou:fySFXo1Lx7T1APUk+1ww

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      b0555f3c536302c5af72051c3c2bc10649a88011e7aa16d3c661971df2866f33

    • Size

      2.2MB

    • MD5

      d8f85c5678c771d84881968f99f3c04c

    • SHA1

      fe95664a320a6abb2949428bdc77d19a8c0928de

    • SHA256

      b0555f3c536302c5af72051c3c2bc10649a88011e7aa16d3c661971df2866f33

    • SHA512

      6cc5e3d3d6e5abaa725f3001ac75042ca9e93b03195d941cfc656686ec66e0ceb187187f90eda35d22d74ee7776338ed586aee9969ef25dd9eeb910b357e59cd

    • SSDEEP

      49152:CeDgvI3FXI9haKZZ+sFYQ+tukBn9oJbsXyWgx1MboUQXE+/UEe+f:EQ3tI3aKZZEtuk59ubsXyFjUQX1Us

    • Score

      7/10

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bde148bc512eb25836030bebc3cbfd472cef53289015dbf4126dd1366b1c6421

    • Size

      1.7MB

    • MD5

      0dff0349176285873256809ebac6eca1

    • SHA1

      0e1209726d6f571e4a706bd43ee345bdd15bb6d5

    • SHA256

      bde148bc512eb25836030bebc3cbfd472cef53289015dbf4126dd1366b1c6421

    • SHA512

      b292b3dd5cc13a3fdbff8bbb76392a1d66598a597bb4a7896f7d8d3341d5c3f03a2d5fdfb9499702a2b2ed49e4d6e347ac8d2fd09010125374adffe16b6fa37b

    • SSDEEP

      49152:GACYh7JW4zNxiDnbrM9wgZhh10mT7sPf4Z:JW2R1aPfs

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Drops file in System32 directory

    • Target

      c7e81c037737d5a821cf236c8453b7b00607cd99d42863e39e0d703c731be6b0

    • Size

      1.3MB

    • MD5

      4238760d892c63a0ef06aa4561983522

    • SHA1

      502cdab869323baf4da5309cb3274c8e2e6a4f4f

    • SHA256

      c7e81c037737d5a821cf236c8453b7b00607cd99d42863e39e0d703c731be6b0

    • SHA512

      6d930eb6e09119383c762e70d3f5f1b86a9e2c821b771a5cea76df11b181102700abce9fc4b8c293ecce6567b0c785350e98231319fd5842e981e09afb6c3170

    • SSDEEP

      24576:/xRwZZKMoGR1usORnA64Qa7C10zLwJOYfmSYb:/cKMoGR1usa3aW10fwJON

    • Score

      10/10

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e

    • Size

      2.7MB

    • MD5

      f67f35ac7610cbe97a565edb1bb21888

    • SHA1

      b1e29296bf2ce79986ce6a6e838cec54674b41a6

    • SHA256

      d0c5f5c327d3c5cad19261fe1e5c8af4374da45c48236a7064c548a425e23a0e

    • SHA512

      51cbe2476a144e6627ba4b255e34356474a5b8767bf3771a452bb2842149d04fa77332165e42bbce8868d70d7e9336332456efbcb21c725c10c8d9d728a8513a

    • SSDEEP

      49152:XDCyB8KcRG7A2LrmPovoLFXU44EMT7OGxV8vFamCkRyNo+n8a:ZO1G7A2LcowLqPEC7Oe8vAmCkwn9

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d165dd77039589d5d25d898e400cb1806ef4225f7b6af17c51cc83c2ec12d070

    • Size

      1.1MB

    • MD5

      21a0e0b082b60ee185eb74abf010f342

    • SHA1

      b0ec7b5c9f40dddca80cec545081cdc3c5cc8c18

    • SHA256

      d165dd77039589d5d25d898e400cb1806ef4225f7b6af17c51cc83c2ec12d070

    • SHA512

      8a24cb408b62274ec3dcc0720694fb4a0bd565563d40e436bc78419d737cbfd2679fdd2077959b80a9ca79bc36e79cb08f419221b42a624eb2c1102a024b2807

    • SSDEEP

      12288:XQCUd1yjt0OFYsMeTVRq6zlXO4iIEbJGHaKwCugkgqawdpPlZ09TOoWtY4ogvZGn:Cdgx0OFYsMeTVRfBxIJGwceje

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b

    • Size

      1.1MB

    • MD5

      d92888066793d326a49b21e7a091d25a

    • SHA1

      e08eeaf2c76508e1fbced904177ad68f055d1344

    • SHA256

      d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b

    • SHA512

      3595c349657597fcc1e692226c9e5675486de21075b94d452e8729754aa1687489b5cf65f74d17f53b07f988072de09fe81a9db2c844e1f52342e988f6a9bce4

    • SSDEEP

      24576:1yzt5x6zpWENBhJ60yaE8zyJq1h/yLj1IhU1fS8DhnGR04l2IjdeSiRA5:Qzt5xEWIbyGN1sNLhl4lDJ8R

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Indented technique rows are sub-techniques of the row above them; Count is the number of hits recorded for that technique.

Tactic                Technique                              Count  ID
--------------------  -------------------------------------  -----  ---------
Execution             Scheduled Task/Job                     12     T1053
Persistence           Boot or Logon Autostart Execution      18     T1547
                        Registry Run Keys / Startup Folder   18     T1547.001
                      Scheduled Task/Job                     12     T1053
                      Create or Modify System Process        1      T1543
                        Windows Service                      1      T1543.003
Privilege Escalation  Boot or Logon Autostart Execution      18     T1547
                        Registry Run Keys / Startup Folder   18     T1547.001
                      Scheduled Task/Job                     12     T1053
                      Create or Modify System Process        1      T1543
                        Windows Service                      1      T1543.003
Defense Evasion       Modify Registry                        19     T1112
                      Impair Defenses                        1      T1562
                        Disable or Modify Tools              1      T1562.001
Discovery             System Information Discovery           18     T1082
                      Query Registry                         6      T1012
                      Peripheral Device Discovery            3      T1120

Tasks

  • static1

    Score 3/10

  • behavioral1

    Tags: privateloader, risepro, loader, persistence, stealer
    Score 10/10

  • behavioral2

    Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
    Score 10/10

  • behavioral3

    Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
    Score 10/10

  • behavioral4

    Tags: mystic, redline, lutyr, infostealer, persistence, stealer
    Score 10/10

  • behavioral5

    Tags: persistence
    Score 7/10

  • behavioral6

    Tags: privateloader, risepro, loader, persistence, stealer
    Score 10/10

  • behavioral7

    Tags: persistence
    Score 7/10

  • behavioral8

    Tags: privateloader, risepro, loader, persistence, stealer
    Score 10/10

  • behavioral9

    Tags: persistence
    Score 7/10

  • behavioral10

    Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
    Score 10/10

  • behavioral11

    Tags: amadey, mystic, redline, smokeloader, 04d170, plost, backdoor, evasion, infostealer, persistence, stealer, trojan
    Score 10/10

  • behavioral12

    Tags: privateloader, risepro, loader, persistence, stealer
    Score 10/10

  • behavioral13

    Tags: privateloader, risepro, loader, persistence, stealer
    Score 10/10

  • behavioral14

    Tags: privateloader, redline, risepro, smokeloader, horda, backdoor, paypal, infostealer, loader, persistence, phishing, stealer, trojan
    Score 10/10

  • behavioral15

    Tags: persistence
    Score 7/10

  • behavioral16

    Tags: privateloader, risepro, smokeloader, backdoor, paypal, loader, persistence, phishing, stealer, trojan
    Score 10/10

  • behavioral17

    Tags: redline, infostealer
    Score 10/10

  • behavioral18

    Tags: redline, infostealer
    Score 10/10

  • behavioral19

    Tags: privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
    Score 10/10

  • behavioral20

    Tags: redline, horda, infostealer
    Score 10/10

  • behavioral21

    Tags: redline, horda, infostealer
    Score 10/10

  • behavioral22

    Tags: mystic, redline, kukish, infostealer, persistence, stealer
    Score 10/10