General

  • Target

    r1.zip

  • Size

    20.6MB

  • Sample

    240524-klqrhsbe89

  • MD5

    cc21953f033463dfd04e04a16428fbbb

  • SHA1

    542741ff47cd47d47b016540dc99866998a8bb11

  • SHA256

    be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

  • SHA512

    30e5bf74af8916d32fa056913da38caf5c20ee1d23934d988a04b18973faa23174ce5bc2f5de6aa3b1e99c2bf588935dfdf424de5a666bc905a04c238a96fca4

  • SSDEEP

    393216:U2A/YlwgbQNBuScF+ra6AJkAvthSBGPllpn/xv/UE+LZAF:d1bQ7uScJ6AqAPntxv/UE+d0

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

193.233.132.51

Extracted

Family

redline

Botnet

@pak_1111

C2

45.15.156.167:80

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

vasha

C2

77.91.124.82:19071

Attributes
  • auth_value

    42fc61786274daca54d589b85a2c1954

Extracted

Family

redline

Botnet

magia

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

mystic

C2

http://5.42.92.211/
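The extracted configs above are worth reading together rather than one at a time: three RedLine botnets (lutyr, kukish, magia) share the single endpoint 77.91.124.55:19071, and 194.49.94.152 serves RedLine on 19053 while also appearing as a port-less RisePro C2. A detection therefore has to match on IP and port where the config gives a port, and on IP alone where it does not. The following Python is an added example, not part of the sandbox report or of any tool it names; the indicator list is copied from the Malware Config section, and the log lines and their column layout are constructed for the demo.

```python
"""Match the C2 indicators extracted above against connection-log lines.

Added example, not part of the sandbox report. The indicator list is copied
from the Malware Config section; the log lines are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# C2 indicators as extracted in the report: (family, botnet, raw value)
EXTRACTED_C2 = [
    ("redline", "horda", "194.49.94.152:19053"),
    ("risepro", None, "194.49.94.152"),
    ("risepro", None, "193.233.132.51"),
    ("redline", "@pak_1111", "45.15.156.167:80"),
    ("redline", "lutyr", "77.91.124.55:19071"),
    ("redline", "kukish", "77.91.124.55:19071"),
    ("redline", "vasha", "77.91.124.82:19071"),
    ("redline", "magia", "77.91.124.55:19071"),
    ("redline", "taiga", "5.42.92.51:19057"),
    ("mystic", None, "http://5.42.92.211/"),
]


def parse_c2(raw):
    """Normalise a raw C2 string to (ip, port); port is None when absent."""
    if "://" in raw:
        parts = urlsplit(raw)
        host = parts.hostname
        port = parts.port or (443 if parts.scheme == "https" else 80)
    elif ":" in raw:
        host, port_s = raw.rsplit(":", 1)
        port = int(port_s)
    else:
        host, port = raw, None
    ipaddress.ip_address(host)  # raises ValueError if the host is not an IP
    return host, port


def build_index(entries):
    """Map ip -> list of (port, family, botnet); port None means any port."""
    index = {}
    for family, botnet, raw in entries:
        ip, port = parse_c2(raw)
        index.setdefault(ip, []).append((port, family, botnet))
    return index


def match_connection(index, dst_ip, dst_port):
    """Return every (family, botnet) label whose C2 matches this flow."""
    hits = []
    for port, family, botnet in index.get(dst_ip, []):
        if port is None or port == dst_port:
            hits.append((family, botnet))
    return hits


# Constructed sample log, columns: ts src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
1716540001 10.0.0.5 49712 194.49.94.152 19053 tcp
1716540002 10.0.0.5 49713 194.49.94.152 50505 tcp
1716540003 10.0.0.5 49714 77.91.124.55 19071 tcp
1716540004 10.0.0.5 49715 5.42.92.211 80 tcp
1716540005 10.0.0.5 49716 8.8.8.8 53 udp
"""


def scan_log(text, index):
    """Return (line_no, dst_ip, dst_port, hits) for lines hitting an extracted C2."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        dst_ip, dst_port = fields[3], int(fields[4])
        hits = match_connection(index, dst_ip, dst_port)
        if hits:
            results.append((n, dst_ip, dst_port, hits))
    return results


if __name__ == "__main__":
    idx = build_index(EXTRACTED_C2)
    for n, ip, port, hits in scan_log(SAMPLE_LOG, idx):
        labels = ", ".join(f"{f}/{b or '-'}" for f, b in hits)
        print(f"line {n}: {ip}:{port} -> {labels}")
```

Run against the constructed log, line 1 is labelled both redline/horda and risepro (same IP, the RisePro entry has no port), line 2 is RisePro only, line 3 resolves to all three botnets behind 77.91.124.55:19071, and the DNS line produces no hit. Expect the shared endpoints to be rotated quickly; the IPs are a snapshot from this sample's configs, not a durable allow-list of what to block.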

Targets

    • Target

      04079e58020489439890f3d5d0980b8ad79ac8f655923829037345651f2f1b9d

    • Size

      1.1MB

    • MD5

      51bebc9c1c8f8395472baac3355b136e

    • SHA1

      6b04ab59ab7bb5b6c218d5233fd1c1bc64246fb9

    • SHA256

      04079e58020489439890f3d5d0980b8ad79ac8f655923829037345651f2f1b9d

    • SHA512

      b32221f514e8c61901fe485494a2b6effe4b8ab072defaaa560a84fda42d4a45e7a7d82849ade3997b58da2c158e55ff7345d638c3b245f7f939ccce471e64de

    • SSDEEP

      24576:3yhNmGHppy3h6sE+TQL09aMWUKwjfdODbGr57xrp/fn:CGGHpmh6AML39GOH2d/f

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      1c1f4eb981ff56766e6798073020add168a1f4134cf43e140302c7cec4a6763b

    • Size

      2.4MB

    • MD5

      4318bdec1083890925ec1993a5bfa5de

    • SHA1

      d121b261673cfd0e47e52f61a4ef837c7352afef

    • SHA256

      1c1f4eb981ff56766e6798073020add168a1f4134cf43e140302c7cec4a6763b

    • SHA512

      22195e6069371a8ffb2e2aca86ed07646a130cb0bf52fab5e2e1a2d869f94a87db42da02da120efa3ce890bbe100e153fde97ee8a676cc355a30472cfa09d531

    • SSDEEP

      49152:0nVWJ5rjsk17x/62quYUDdA5DE46JQPyVSxEVo06LNo:qVWrjD1AmiDE4Es4S1L

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf

    • Size

      1.3MB

    • MD5

      e19af8058d1c10695db59ff06382095c

    • SHA1

      74879eca322c96e26ccc9d52b87c3f47d54cedf4

    • SHA256

      2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf

    • SHA512

      2985aac9377a1d12090a1db16137338715ff9c5e857096f4b33b37f6f2af9463346e0ce859324c5c1f15eee83885f1c1d2ceb6ec9d3d00a6033e437d11af9dee

    • SSDEEP

      24576:0y4htUc734dBIbW67vwZTO5aS/Fg4PE5jPBgBUZKA7/lkk5EA:D4htv2y7g0g4cZRDjR5E

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3aa30d5528ebe1b7856b26587d689c01c4a94547c022f9b29bb7c32708782f5d

    • Size

      789KB

    • MD5

      4509a9ed90c71db03304cd1974494162

    • SHA1

      3081dbb1ef14a1bdb33380c54fca4d61b41c7440

    • SHA256

      3aa30d5528ebe1b7856b26587d689c01c4a94547c022f9b29bb7c32708782f5d

    • SHA512

      981ab92063c4fc96cf995b410997770b309475f528b366d5c65115e600a5d69d48af747a832bc41d963bc4b3cac575128c6d76d302f9e97b6cbc9150898f80ba

    • SSDEEP

      24576:XyJ8dTBd9baS7QW7lkzSFuCyyz/XMFao1:iJuTBbvUW7lkzSFfi0o

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659

    • Size

      829KB

    • MD5

      da086bd413b2fb3f8311147d782bccc4

    • SHA1

      c78490af8811ecb11627b5ab10e1d6466ccdd45b

    • SHA256

      46e0ffa2e7aeb3575c3fe8308892dec47716f852e6427bc2c8e904e9cad2c659

    • SHA512

      97c12d0fc6a0e6f2f791f2659aea7397cc390c9e3555bcb8e33927def01bf4ff0f8ddd385fcbf83d7b0f4639e095611ed8a460b42c69cec0d55c07e45eb0fc25

    • SSDEEP

      24576:TycRdHoBf/o6noHZu574bAeS49Lnmzmmy34/uCr9:mI4bn+ZuV4Mel9Lnmzmmy3Qu

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4cc86e1dc4a166b675f01f27f52e179d83773f43736e54f40427866d6708ef05

    • Size

      389KB

    • MD5

      cbc1bc876e032088ab512403204cc827

    • SHA1

      aa349b052ff18c150118965df111e3b9e256cfcc

    • SHA256

      4cc86e1dc4a166b675f01f27f52e179d83773f43736e54f40427866d6708ef05

    • SHA512

      cc78286a9dbf4ab59aa606c22097a97cd64309f6aac55b9fdf7c673ead1d6f1f9a1b16f99233639a6f811bc931d23627b06265c9304e80669bdee46e19bfb879

    • SSDEEP

      12288:tMr3y90HFeSD9i3YJTUs2Wug+4+wS7EFut60WtNV/c7FD:yyWFeSDM3YRz2WuHUSooI043qD

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c

    • Size

      1.2MB

    • MD5

      b98446b0f18286a42da76de220776baa

    • SHA1

      a71b450e1661dcde86def137230b3caa1b55e6a3

    • SHA256

      61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c

    • SHA512

      a3880d6f69705178d6847e326d54f30a2bd9f739946426af2125502ee32a494691cf0df1a1e55e34c17a9bd3db4291e98e67f7db8accdf50166e201299532e08

    • SSDEEP

      24576:iyEr/lyO4yJtpTven2JuR98YZ1uIEUs74Vlpu4yNkXPGLJpqYm:JELfVJtpnJuh1uJ374VXu4sEPGLJpqY

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4

    • Size

      1.5MB

    • MD5

      6c897a3879043ccbab5e695cfe6a5bd1

    • SHA1

      35d1b8b5097a9fea72de3b14e54c7ab911b798d2

    • SHA256

      6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4

    • SHA512

      b849cf54fac1c49774904d68f9df27c271d9124857c2486684eef308a7731602aa8f6166b1c58c4cf47698da71fdcbf470123a4a731db60b1fc11d475181924b

    • SSDEEP

      24576:3yOLPlyv/2XMP7A9V02yvQKDU/spDChnT2Rokh/1WIvUHpGy3NiPXTBNSvh:COLPlVXMPmpyvBDU/4ehqR11vcEPXTB4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      70f5b2bcd00d4e52e3ca12b277c6e1cf6e5f1d2359e7655daebb44704158a4c3

    • Size

      285KB

    • MD5

      421ff85e1ad3a04c83e0a69305fe86de

    • SHA1

      4da831e00dca7923f3077a1ddaae0b21e7bcbcc8

    • SHA256

      70f5b2bcd00d4e52e3ca12b277c6e1cf6e5f1d2359e7655daebb44704158a4c3

    • SHA512

      91f75cad0f7ffb9b6299cb55b7aceca39805e533529083151d31649629e0786319601fa95abe1759ebec4d9e96ba4faa1b9bb6d30779b23bb8b619e190e7d45e

    • SSDEEP

      3072:gJ5h+cJjNKyxPs788qtOV+juc2/hJgydZKt4q13MjAB6k90dppxCIDww674g:gllzPY88TV+jyhJpAwjAB6k9Wv69

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Target

      7363065308e9d849d49ab200817eb5d2d06c3616dc4e643be8502ff7eb2c0a5d

    • Size

      830KB

    • MD5

      79c8cf16dce99a95ba30db49a81c33fa

    • SHA1

      e7ac6ed98d5207315136c1b4e40c25ddcfd4b114

    • SHA256

      7363065308e9d849d49ab200817eb5d2d06c3616dc4e643be8502ff7eb2c0a5d

    • SHA512

      eec0acb3ae314573ec3fd45444c13a0683cd8ac8bd2926aa886aba22b32f49150dd989e8aaeb4c049d8725a6b0eccdfc5e309e8801f704c139e84e4287df4d34

    • SSDEEP

      12288:eMrLy90ne1BEOlsRuK5Ia0HVKixmDy8lu9PTJDiFQg9U56EXGnvs9lE8h7gXDr8F:pyXHHsnoHwi4w1DiH9U5zWvIVvUvWLD

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      864fc029724f0d9d2cbfc5469cf806bb3431fdde2ed473a19fbb890b3282bf03

    • Size

      605KB

    • MD5

      5232c11ee090fe4a8fbde69d1f452ba2

    • SHA1

      ad508a34f36f8f0d1bcd7b06fc3e79a829a1f374

    • SHA256

      864fc029724f0d9d2cbfc5469cf806bb3431fdde2ed473a19fbb890b3282bf03

    • SHA512

      76c8261dc7a2dc3c849c2b0e4f36751604a969b2ed29029552014d664e7342b11472421330e3181126c87ba0e5cd4f14597a1fe37c0a28da54a21433f9b95270

    • SSDEEP

      12288:LMr1y90+pMc0JJGdc9wvughyZh/rgUSt9F5vhz0Gz:ayOcU5zguFUvhwGz

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      979a085483810f4b695eb3d0c531439887861b90277b6ede2d4f9eb7983065e6

    • Size

      2.1MB

    • MD5

      99a389c18760e665521f58e72b6d37c4

    • SHA1

      46b9a5f47d6f66a64154aade27a90155a620e07b

    • SHA256

      979a085483810f4b695eb3d0c531439887861b90277b6ede2d4f9eb7983065e6

    • SHA512

      3035ae1d0b67be4a03bddbb1b36cbe45b97a3d269bc23229875792d36abab0a09a9e0622911a8a8a275fca8ff04bb6e9ffd647203fdb8364d252d8f71a78758a

    • SSDEEP

      49152:D/VAh2zesgI2eCgRiMUusnboLVbnxcYzJGT+aJdTiP:jwaw+zW0VbnxcqJq1J1

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b

    • Size

      1.3MB

    • MD5

      2225c03c5bb14e2e02f8d888252d3d12

    • SHA1

      326be1965a1539524141ea1a5707a157c7d4d5f5

    • SHA256

      9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b

    • SHA512

      3fa39ee0552ce33bad2327d2f4f59be2e11452b011292e3795db32b53a50a71b4350f8d92021b5fd068fa7dc2c12f93dd78487f3f24035ca420ddbe2a0391f92

    • SSDEEP

      24576:5y0LMN4FQFK9kCT0ROmvezfvKo3kqva6i3+V5O66s2kd9sR5gfyTBpTSMj68wM8W:s0LbFlqvBmr1kqyvslASSgfy9UMjHwD

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609

    • Size

      958KB

    • MD5

      4ad1e312b136f5dd68262f68956e8eb2

    • SHA1

      bf6029901839942b3becfcab9d2b40bb90b46aa2

    • SHA256

      a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609

    • SHA512

      65daf9d1b3fe2b401fad5a89611bf33798feea6d701bb54852360593b16f39e94e502f2ccc5ddf7581929f069e511ce78f1a45b552e7638280e07829137302d4

    • SSDEEP

      12288:oMrfy909VUE3/HgdPY5VZEcVM3VFE481hDVaLldi52tiIDayvr/JOCvVvq9Qj0W6:3yAfHgdPY5/4P9AZ+ftibCvViC96

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      c31e600a3856d09e64628abdd37725398f02702f9310c85833d3184bc7be85cd

    • Size

      2.6MB

    • MD5

      f20395ac362a1d473b92b841ccc6463b

    • SHA1

      c25d1923e7bec213bf0d193732a7a652dceb1b0e

    • SHA256

      c31e600a3856d09e64628abdd37725398f02702f9310c85833d3184bc7be85cd

    • SHA512

      a7c15d4ecbc103a80f7f433235bba206198fdcbdbd162aaca6c200ab2b3ab1448609b69a61c11ebff6c95db10bf63b2cff115529c2ea2bb43b839ce8dc3e7b55

    • SSDEEP

      49152:DezaMnKMoQrSaRz95oZvmV48/3Uo3DeaBuD9kQV0igwkX121kvWp/+:StnKM1zog4O3U+ykCpvOc2G/

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5

    • Size

      398KB

    • MD5

      1efa9b18a2563ebebae8a6eabad4db7b

    • SHA1

      b95bc070b14bbb19b209b2d4413db63f79272fbc

    • SHA256

      e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5

    • SHA512

      07bf09d5fa8798b9f0d40650c180275c78e201abd9d5ebfb37d2d37dcb55e0802d6c4e35467695aeec3c930add915d200847bd13ee41bc58762f067b553de5bb

    • SSDEEP

      6144:Kqy+bnr+Dp0yN90QEI5Ngt4Ybnu7poqS394ZhT0E9P9psh7I81firb:qMrny90S8jD5NIlxVpCUv

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172

    • Size

      640KB

    • MD5

      936d47f90f4943e9191cba496e128a28

    • SHA1

      74e03c3a3603048b6d43e84d0f1460fb8bcd5474

    • SHA256

      ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172

    • SHA512

      0db1c75b8decc83959fcc2c8bb3485bdefbc9b169b4aa0b05c33db78b1d4acdbfe4c41a75aa922de6694b0138a45706f789fd58e22da7c696318c0181b28a506

    • SSDEEP

      12288:GMrGy90ZxnbkSAVpVLg7qHwGUz5YcXkzf02XhXH:Qyal8jQb5YcXEfph3

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85

    • Size

      935KB

    • MD5

      29f8033f3fbdf91c2e89357c4b49602e

    • SHA1

      d2d542baf9f23e26ba33885b633328e71e71f5c4

    • SHA256

      f46c47981f634979a00e1ca71c39dccb4d7b92874955d836798a907aa4fdbf85

    • SHA512

      a3132e83c71a98612b408ecbc985b0ad7680a16893e8016514b24ecf0dba4bb6ae781f0513daa3efb29498ae8985f94ae63c13be285c2eb8e22f928afd115d9e

    • SSDEEP

      24576:jyFWNEi4niX5JDHaWnqHbpoGkA4FJKMCGrru:2zJniXzaWnWt07pCGr

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f603ceb39fc4d835e57a02751723a2eb0538b0f955a7772c30556e0e0d723f6e

    • Size

      465KB

    • MD5

      6a3c0aea2a20fed1b45c23055e90642e

    • SHA1

      a308101b32dc6df28aa0464ae6a0c4eaa3b93892

    • SHA256

      f603ceb39fc4d835e57a02751723a2eb0538b0f955a7772c30556e0e0d723f6e

    • SHA512

      3e1f0f410b68f854f9e0fa666d45b897768ec9fb11fcb63eb6eae58ba022f5b7d9b52f4ea01ff3f48ef8d3f48f0910913c8fb39e633476073f1baa637b3918c5

    • SSDEEP

      6144:Kdy+bnr+Lp0yN90QEC3A7NrAs9xe6LZwlsr08+eurk1weVhvh2KWE5Js+OB84SW:3MrXy90Y85ZwlbGuo1njJUE3sf84SW

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      fbe6d8ed22a7fa2903b026b7f5d0dbb2b59b2353d1c24f6c73772b9226fa4d1a

    • Size

      1.1MB

    • MD5

      4655d83f05a711daa1a0fac0f24f28e0

    • SHA1

      d54783eafe3429717adc8d64808ba3537a7beae6

    • SHA256

      fbe6d8ed22a7fa2903b026b7f5d0dbb2b59b2353d1c24f6c73772b9226fa4d1a

    • SHA512

      206a85e710d9d89750683d97fd7469e9d121d04787546fb32fabda7aac654a7b7cca546a17468994515a3989640d92721a7213d397b495f2a435f2ffa9fedfd5

    • SSDEEP

      24576:ayiclaMfdhpiMRWuHBbdQk8xGN4l1P8Fanje9xGN:hHaMfxie55dMMNs11AxG

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Technique ID, technique name, and the number of hits across the tasks below.

Execution

  T1053      Scheduled Task/Job: 7

Persistence

  T1547      Boot or Logon Autostart Execution: 19
  T1547.001  Registry Run Keys / Startup Folder: 19
  T1053      Scheduled Task/Job: 7
  T1543      Create or Modify System Process: 2
  T1543.003  Windows Service: 2

Privilege Escalation

  T1547      Boot or Logon Autostart Execution: 19
  T1547.001  Registry Run Keys / Startup Folder: 19
  T1053      Scheduled Task/Job: 7
  T1543      Create or Modify System Process: 2
  T1543.003  Windows Service: 2

Defense Evasion

  T1112      Modify Registry: 22
  T1562      Impair Defenses: 3
  T1562.001  Disable or Modify Tools: 3

Discovery

  T1082      System Information Discovery: 12
  T1012      Query Registry: 4
  T1120      Peripheral Device Discovery: 2

Tasks

static1
  Score 3/10

behavioral1
  Tags: privateloader redline risepro horda infostealer loader persistence stealer
  Score 10/10

behavioral2
  Tags: privateloader risepro loader persistence stealer
  Score 10/10

behavioral3
  Tags: mystic redline lutyr infostealer persistence stealer
  Score 10/10

behavioral4
  Tags: privateloader risepro loader persistence stealer
  Score 10/10

behavioral5
  Tags: privateloader redline risepro horda infostealer loader persistence stealer
  Score 10/10

behavioral6
  Tags: mystic redline taiga infostealer persistence stealer
  Score 10/10

behavioral7
  Tags: mystic redline lutyr infostealer persistence stealer
  Score 10/10

behavioral8
  Tags: mystic redline kukish infostealer persistence stealer
  Score 10/10

behavioral9
  Tags: redline @pak_1111 infostealer
  Score 10/10

behavioral10
  Tags: redline @pak_1111 infostealer
  Score 10/10

behavioral11
  Tags: privateloader redline risepro horda infostealer loader persistence stealer
  Score 10/10

behavioral12
  Tags: mystic smokeloader backdoor persistence stealer trojan
  Score 10/10

behavioral13
  Tags: privateloader risepro loader persistence stealer
  Score 10/10

behavioral14
  Tags: mystic redline lutyr infostealer persistence stealer
  Score 10/10

behavioral15
  Tags: mystic redline kukish infostealer persistence stealer
  Score 10/10

behavioral16
  Tags: privateloader risepro loader persistence stealer
  Score 10/10

behavioral17
  Tags: mystic redline kukish infostealer persistence stealer
  Score 10/10

behavioral18
  Tags: mystic redline lutyr infostealer persistence stealer
  Score 10/10

behavioral19
  Tags: privateloader redline risepro horda infostealer loader persistence stealer
  Score 10/10

behavioral20
  Tags: healer redline vasha dropper evasion infostealer persistence trojan
  Score 10/10

behavioral21
  Tags: mystic redline smokeloader magia backdoor evasion infostealer persistence stealer trojan
  Score 10/10