Overview

overview

10

Static

static

3

4Lv706mV.exe

windows7-x64

10

4Lv706mV.exe

windows10-2004-x64

10

tV9ZS60.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bf7c303ed8a366cab19c94d7490195b9a4a59457d07e354a078ba143ad7ca0c8N

  • Size

    924KB

  • Sample

    240922-my61dawbml

  • MD5

    68730153b5113bd6e2df97ab0a4f65f0

  • SHA1

    699271c4c5721f1dbdcb1a224863ea69bfbd9bc6

  • SHA256

    bf7c303ed8a366cab19c94d7490195b9a4a59457d07e354a078ba143ad7ca0c8

  • SHA512

    1f861d1037b785b6170a100ba7403942e0200b2b7b7382281ee32ff152de630621cceaa2b6a84bb007a8f1b98445793d1ba9f80170807de36ac137becfe82c06

  • SSDEEP

    24576:FTeifliCzpUS0aC4Egqtz4nrli4ZZpVd6H8HIrKE+3Zg3:FTpfvIeJnJiupV8HTR

Score
10/10
mysticredlinesmokeloadergromebackdoordiscoveryevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Targets

    • Target

      4Lv706mV.exe

    • Size

      1.1MB

    • MD5

      c474cb24af058ec68f12ecedb0bd6087

    • SHA1

      ba1cdb7706fc2085052d82a3ed402aa443a164d7

    • SHA256

      8cbcd459d3ec3e02afb56c45998ee13d21a8cd608872d3a4b34a4e50271691e6

    • SHA512

      cd55dee64cdebd241f7c2346eb1a623c039efbcc2d692c779d7fbe7a6b398ac2650f3ce9a7b19d9f0e7ae1c297703161872fbef045c089b052ec97c09a6cccaa

    • SSDEEP

      12288:x6ygLhqezHWdgAw/26p6LTNzTnMtGbSFFgpulNNj8Bus897tz6Lz2nzTz/J15i:TShqeHWdgAw/26p6XytGbSaOcKt/

    Score
    10/10
    redlinegromediscoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      tV9ZS60.exe

    • Size

      650KB

    • MD5

      5ca40a98d4cd2fe05dc42edae5ad5e07

    • SHA1

      be88d9087b7b3f676fa358f7d6a8218b40323b74

    • SHA256

      145324d1c8cce92bd7ac91b493bcd25c4b8e98b42e4de4b956c83d9def2746ca

    • SHA512

      3a948050655ff3fbe64bfc8f86e94395b2b46cabba18e0aa6a4ebde86ad495e9f3b2dd82084c1e9ebf856c0392718fd73b2b1399027aa28fb622550486975c90

    • SSDEEP

      12288:5Mrfy90SE4KT2SiImyTv6U22E7R2pav4TakSZPTm2zEfiR48QzmDM:yyYjfiITraRKamaplZ3EMM

    Score
    10/10
    mysticsmokeloaderbackdoordiscoveryevasionpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3

MITRE ATT&CK Enterprise v15

Tasks