Overview

overview

10

Static

static

3

d5548231bc...09.exe

windows7-x64

10

d5548231bc...09.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209

  • Size

    1.0MB

  • Sample

    231011-rmxd1see65

  • MD5

    c2e8e2e4e38ff2d900554d8e70a20db8

  • SHA1

    b2d2674f70fd0dcebf8276d85d1c8ebf05e800dc

  • SHA256

    5b4fc6c7ee5931ae3a64c2fcd99351a7e528bd6f5bf1741bbb70349c2b231841

  • SHA512

    8efffb22e3e9f9515dc466e4dd2bd5a058e7779aeb3094ba3f90a5cd94c6bba536f0662c4a29695dcdf1932d14dbfb53ae5ada8240a2938a8c66795fbda248cc

  • SSDEEP

    12288:ggL58Oy90pg+1nEErgHypYMjhTSXZbSZT62DNC7z7LCSXQXx5a4Cl5MjMGZek6Wb:+OyoP1EE9FhI202DNCj+SIbCsPiu

Score
10/10
amadeyhealermysticredlinedartsdropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

darts

C2

77.91.124.82:19071

Attributes
  • auth_value

    3c8818da7045365845f15ec0946ebf11

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php
Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

rc4.plain
rc4.plain

Targets

    • Target

      d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209

    • Size

      1.1MB

    • MD5

      c1dc64e77db822294671750564678439

    • SHA1

      b7f771f4ae0cfabe24f7f1a3386222f9b83937e3

    • SHA256

      d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209

    • SHA512

      65d807eb0b1dfdcc47e25eec9afcd47c580bea8dfaca19d8b5ab5ceeae7ffecef7077c70770c8a8ded054820825a7b0e03594b6affa32635bfb585e8583adf73

    • SSDEEP

      12288:9MrZy90E31nsErgH6XYSzufmHSXZdSZ1621NCrb7lUSXQZ15G8gZj/JqMGQvg2WR:4yt1sEf/zufmkEW21NCziSkdg14QRu

    Score
    10/10
    healerdropperevasionpersistencetrojanamadeymysticredlinedartsinfostealerstealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks