General

  • Target

    red.zip

  • Size

    7.0MB

  • Sample

    240509-mqdnvsdc5x

  • MD5

    78fdccdea5689bb923dd43b865bf91c5

  • SHA1

    41d1b9ab54030f345fa6c2028924663fca424c18

  • SHA256

    35e871ce220fc8db7bbac31d6083ac0873febff3510d2de8583011aedee458e0

  • SHA512

    c28afee10c353aba7f95eebb02a1f355d6dd9c9d2a6e2cca04f143995c0a72be465b67fd0960faeb86079aa608bfc0ef26962cf0272633ef349281df3625db96

  • SSDEEP

    196608:l2bw6Quq/fzgOk3dnDaiF9CL5AXC1Yn0Hg7+GC:bXRUzdRF9Ct9O0HgyGC

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b
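
The configs above are the most reusable part of this report, but as listed they are not directly consumable: the Amadey check-in URL is the C2 joined with url_paths, the RedLine entries are host:port pairs, and one entry (kukish) is missing its auth_value. The script below is an added example, not part of the sandbox report, that normalizes the extracted configurations into IOC sets. The CONFIGS list is constructed from the values shown above; the helper names, the IocSet layout and the /24 aggregation are assumptions of this example, and the note that Amadey drops install_dir\install_file under the user's temp folder is general Amadey behaviour rather than something this page states.

```python
"""Normalize the report's extracted Amadey/RedLine configs into IOC sets.

CONFIGS is constructed from the "Malware Config" section of the report so the
script runs offline; helper names and output layout are assumptions of this
example, not the sandbox's own schema.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urljoin

# Constructed from the extracted configs on the page (family, C2, attributes).
CONFIGS = [
    {"family": "amadey", "version": "3.86", "c2": "http://77.91.68.61",
     "install_dir": "925e7e99c5", "install_file": "pdates.exe",
     "url_paths": ["/rock/index.php"]},
    {"family": "redline", "botnet": "news", "c2": "77.91.68.68:19071",
     "auth_value": "99ba2ffe8d72ebe9fdc7e758c94db148"},
    {"family": "redline", "botnet": "kira", "c2": "77.91.68.48:19071",
     "auth_value": "1677a40fd8997eb89377e1681911e9c6"},
    {"family": "amadey", "version": "3.87", "c2": "http://77.91.68.18",
     "install_dir": "b40d11255d", "install_file": "saves.exe",
     "url_paths": ["/nice/index.php"]},
    {"family": "redline", "botnet": "gena", "c2": "77.91.124.82:19071",
     "auth_value": "93c20961cb6b06b2d5781c212db6201e"},
    {"family": "redline", "botnet": "krast", "c2": "77.91.68.68:19071",
     "auth_value": "9059ea331e4599de3746df73ccb24514"},
    {"family": "redline", "botnet": "lande", "c2": "77.91.124.84:19071",
     "auth_value": "9fa41701c47df37786234f3373f21208"},
    {"family": "redline", "botnet": "lamp", "c2": "77.91.68.56:19071",
     "auth_value": "ee1df63bcdbe3de70f52810d94eaff7d"},
    # The page lists no auth_value for this botnet; the gap is kept on purpose.
    {"family": "redline", "botnet": "kukish", "c2": "77.91.124.55:19071"},
    {"family": "amadey", "version": "3.85", "c2": "http://77.91.68.3",
     "install_dir": "3ec1f323b5", "install_file": "danke.exe",
     "url_paths": ["/home/love/index.php"]},
    {"family": "redline", "botnet": "nasa", "c2": "77.91.68.68:19071",
     "auth_value": "6da71218d8a9738ea3a9a78b5677589b"},
]


@dataclass
class IocSet:
    urls: set[str] = field(default_factory=set)                 # Amadey check-in URLs
    sockets: set[tuple[str, int]] = field(default_factory=set)  # RedLine host, port
    ips: set[str] = field(default_factory=set)
    networks: set[str] = field(default_factory=set)             # /24s the C2s sit in
    install_paths: set[str] = field(default_factory=set)        # install_dir\install_file
    incomplete: list[str] = field(default_factory=list)         # configs missing a field


def normalize(configs: list[dict]) -> IocSet:
    out = IocSet()
    for cfg in configs:
        fam = cfg["family"]
        if fam == "amadey":
            base = cfg["c2"].rstrip("/") + "/"
            for path in cfg["url_paths"]:
                out.urls.add(urljoin(base, path.lstrip("/")))
            out.ips.add(cfg["c2"].split("://", 1)[1].split("/", 1)[0])
            # Amadey writes install_file into a folder named install_dir (under the
            # user's temp directory in practice; the page does not state the parent).
            out.install_paths.add(f"{cfg['install_dir']}\\{cfg['install_file']}")
        elif fam == "redline":
            host, port = cfg["c2"].rsplit(":", 1)
            out.sockets.add((host, int(port)))
            out.ips.add(host)
            if "auth_value" not in cfg:
                out.incomplete.append(f"redline/{cfg['botnet']}: auth_value missing")
        else:
            out.incomplete.append(f"{fam}: unknown family, not normalized")
    for ip in out.ips:
        out.networks.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    return out


def redline_ports(iocs: IocSet) -> set[int]:
    """Distinct RedLine listener ports; a single value means one egress rule covers them all."""
    return {port for _, port in iocs.sockets}


if __name__ == "__main__":
    iocs = normalize(CONFIGS)
    for url in sorted(iocs.urls):
        print("amadey-url", url)
    for host, port in sorted(iocs.sockets):
        print("redline-c2", f"{host}:{port}")
    print("networks", sorted(iocs.networks))
    print("redline-ports", sorted(redline_ports(iocs)))
    print("incomplete", iocs.incomplete)
```

Two things fall out of running it on this page's data: three different RedLine botnets (news, krast, nasa) share one C2 socket, so blocking by socket rather than by botnet name collapses the list, and every C2 on the page falls into just two /24s, which is worth noting before deciding whether to block hosts or networks.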

Targets

    • Target

      05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729

    • Size

      515KB

    • MD5

      311bcc98621f1612a7a0bae8b412dd21

    • SHA1

      e6208f01069780dfb69fc831895e3b97cd900842

    • SHA256

      05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729

    • SHA512

      84aaeae41c97293674a99209e67e09ee915f6c533ef735792493981f7ce8cb6e66b69fa403c6d7fb9a0b9d8041af71484affe045c6582ce98337a4479d596059

    • SSDEEP

      12288:LMrhy90ADACn1dQ4Hr1nEb3crjgrngFOW:Syf1dQ4Hreb3crsr0OW

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      18c3050e5ad727d8fc6d2b16a53db9904ba34d7413ce2abfe2cd0baa2cd5dce4

    • Size

      1.5MB

    • MD5

      31b4770f88df8120e96a134063dd67b7

    • SHA1

      63fbc1a43a69a5138e50a602623095532c93761e

    • SHA256

      18c3050e5ad727d8fc6d2b16a53db9904ba34d7413ce2abfe2cd0baa2cd5dce4

    • SHA512

      ff9a5cf569978b8a1bcc9fc10719d7747c48f971217fdc6ac268074d4673f6d9df790778c03b51246df2548669aa3e296147af71576f0826652ef9c0b9a38330

    • SSDEEP

      49152:sivfIzpTOUKDcfhQrToZAyTpnDWA0lGkblMKiIY:/wpTKDcfmrMSMtDv0lRblnir

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      2577bd2a22a0df03082a3d61b193668ccfa94a1aef60cb7bb0a7a5123c552c1d

    • Size

      514KB

    • MD5

      324e67d87fccefb7e75f2985c9367bd7

    • SHA1

      38e78535b68963f5ddbd4723affd083eb88505e0

    • SHA256

      2577bd2a22a0df03082a3d61b193668ccfa94a1aef60cb7bb0a7a5123c552c1d

    • SHA512

      69a8de32e220af90f71e63aca80268d761cf22b5b83b5790caf9eb62fb5d916e41a33a9639f808772f2c4de7306ecbb86f14154ab3084d7c91fe277ca5c17d5f

    • SSDEEP

      12288:UMrvy90CUJ2Myz3olrn+6SPVCL0Hk4mLgZlh4:jyLMuoljSPuWnmLgZD4

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      28839ba22be16cab09b3664b34397e918be834c1459cde49048ffd421d2876c4

    • Size

      514KB

    • MD5

      319bd25cccb75fc18a1fe19c7beaf3e8

    • SHA1

      fc22a7d780f89b6ca0e1b449871fd3392fb16ba5

    • SHA256

      28839ba22be16cab09b3664b34397e918be834c1459cde49048ffd421d2876c4

    • SHA512

      50d2ad696cb60b2de8452c6556b0ccf938c131ad170c4981fd3cbaba172afc2833a4ecddd7829f98bb2bd80758b698d6ef5a2d65e6930dd2e92872dbb02d0089

    • SSDEEP

      12288:JMrOy90iUBwxKnDbdDEPT9iOhjRBu0h0PrwjWh:ry5UBwQnXd4PpiQRBywjWh

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4efca8805f96c16e636fc6f51197b43215b96da00409608d7658fea7ee155ea2

    • Size

      920KB

    • MD5

      324cb7ed10920e1912c6c390c5179a1d

    • SHA1

      2cb736bf107171b3047cb7b0ae7085a09704e68f

    • SHA256

      4efca8805f96c16e636fc6f51197b43215b96da00409608d7658fea7ee155ea2

    • SHA512

      7575bdf3c2e403de7deae4f0fc663fb6ccd612365da6c59b98fc47f37d42c1bda0aef9b272edd10ea4105a9fb17c992af21ea38c2acf1ca527620e17d795a6cf

    • SSDEEP

      12288:8Mr5y90BC08ZhZRpWsDWMuTYKrTDcVl4JRh/+pnKuLp611/cNOaK+oyrfYGzfD+Q:lyTn/qMnHAhWpKuLM7B+VrfvpaG

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6603f1832a5054b7e8305ef7814111e74fc6f8356ae86cc81f0bd306722236ef

    • Size

      584KB

    • MD5

      31ce9a49141437fb448fab38300b7e7b

    • SHA1

      653cf066c5eb2fd5b1b1e664a1890ff6d98ad37e

    • SHA256

      6603f1832a5054b7e8305ef7814111e74fc6f8356ae86cc81f0bd306722236ef

    • SHA512

      87d40d1d5af991eb0ba75d55b9900ea886b0e806c9ac7fb6355032a8fec7c2c1daa9f9bbbfa11c8b25c45e79c67aa34d56fc3296b0b2141d1cb835f4126543cd

    • SSDEEP

      12288:XMrNy90X7lPtx1KI6xQVx51L9/ErNwIujDiwu:uy6KI/Vp+BfujD9u

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3

    • Size

      515KB

    • MD5

      3133d51b9cb5dff2ffb1eb479a3a8197

    • SHA1

      c7751780b417509447b6374f2044c4a70bd3aea2

    • SHA256

      6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3

    • SHA512

      4d0249966b11f4933be1aa3126d2ebd6d93700ff22f858457c0cde49a6e691f89d6480068f00d26b5aaa07b48f71ec0ec67f6ad6951d92815777801153789ae2

    • SSDEEP

      12288:2Mr3y90Mp419rk/h+B4egjTgl+ZP3SFgHEgD/r17DZ:ByDp4vg+uegjTgl6PQeESr91

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      74fe770b3414b7af5432877eaaf1d2520b875a38c461d63983c77f7c1b39d918

    • Size

      390KB

    • MD5

      325cf030f204adc01a731f61f8e9b38c

    • SHA1

      7eab8b15f3f6476230c6cc4832f2b1b205844cdc

    • SHA256

      74fe770b3414b7af5432877eaaf1d2520b875a38c461d63983c77f7c1b39d918

    • SHA512

      9846de1792ea3737cfbc7fd81768e6d7a5bf33f22dbedac02085100f622612b7dfc0cb9fd01da11282971061f23f2fed5acb5ae0b6bedad778fe3861c1713f06

    • SSDEEP

      6144:KFy+bnr+Mp0yN90QEpkWGjZNJFp7w1giO7oSWrMguQmCdGgAW+lCQbX:3MrYy90iieiO7oSWFXGf1D

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9

    • Size

      1.2MB

    • MD5

      3084e5a05ec994a172379bb42d1f4a6e

    • SHA1

      d5705086a050a075520d1e19aa047f924e079ba5

    • SHA256

      b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9

    • SHA512

      7988b8ced595a143db70f1e668bb0e645fa19621e363061379cd5b042ec6444bf8f9a14184bd65afb126a851e8acfb23eee6f71bce930d135c9eab36d87e06a0

    • SSDEEP

      24576:my9QoTLxsXrQ8m0Y3lsvmLEBXibYVetVVosYmmL9hK:19Qwss8ytLqqYjsJmJh

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      eedc883713775fd0c74224f0bedec2b1e88a105737c823318fc8ba819901d991

    • Size

      857KB

    • MD5

      327d4c708883a33864d87e20fe338e4e

    • SHA1

      113fd0267f24bbce914cc6c40946666f949e71e2

    • SHA256

      eedc883713775fd0c74224f0bedec2b1e88a105737c823318fc8ba819901d991

    • SHA512

      0eaf67c2f43322a3078c09930b4824bd57d6550cb37f5685e328a110a0c858e20ca8a099c6edd92ceae3ec1028077439c341cb8a8ba5c8774152a47479ecac51

    • SSDEEP

      24576:Gyes+XVnvEZEwluVaizN/nbr+pr72IbKJZz:VesgvEZcVa+hnbKp3KJZ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application
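
The behaviour signatures repeated across the targets above (Run key persistence, Windows Defender real-time protection modified, a registry lookup of the machine's country setting, dropped executables and scheduled tasks) map onto a small set of registry and process events. The script below is an added example, not part of the sandbox report, that scores constructed host telemetry against those behaviours and flags a process only when the combination is convincing. The EVENTS list is constructed, Sysmon-style data (it includes a reg_read shape that Sysmon itself does not emit; that stands in for a telemetry source that records registry reads and is an assumption of this example). The registry paths are the standard Windows locations for Run keys, Defender policy values, service ImagePath values and the geo setting; the field names, the Amadey install path used in the sample event, the "healer_sample.exe" file name and the flagging threshold are assumptions of this example.

```python
"""Score constructed host telemetry against the behaviours in the report.

EVENTS are constructed, Sysmon-like events (op, pid, image, target, details);
the "reg_read" op is not something Sysmon emits and stands in for a source that
logs registry reads. Field names and the threshold are assumptions of this example.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Standard Windows registry locations behind the report's behaviour signatures,
# written as Sysmon-style TargetObject paths (key plus value name).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
DEFENDER_RTP = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
SERVICE_IMAGE = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Constructed events. pid is the acting process; install_dir/install_file for the
# first sample are the Amadey 3.86 values from the report, the parent folder is assumed.
EVENTS = [
    {"op": "reg_set", "pid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\925e7e99c5\pdates.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\pdates.exe",
     "details": r"C:\Users\u\AppData\Local\Temp\925e7e99c5\pdates.exe"},
    {"op": "reg_read", "pid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\925e7e99c5\pdates.exe",
     "target": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation", "details": ""},
    {"op": "process_create", "pid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\925e7e99c5\pdates.exe",
     "target": r"C:\Windows\System32\schtasks.exe",
     "details": r'schtasks.exe /create /f /tr "C:\Users\u\AppData\Local\Temp\925e7e99c5\pdates.exe" /tn pdates.exe /sc MINUTE /mo 1'},
    {"op": "reg_set", "pid": 5208,
     "image": r"C:\Users\u\AppData\Local\Temp\healer_sample.exe",  # constructed name
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    # Benign noise: a locale-aware application reading the geo setting, and an
    # installer registering a Run entry that points into Program Files.
    {"op": "reg_read", "pid": 6000, "image": r"C:\Program Files\Example\app.exe",
     "target": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation", "details": ""},
    {"op": "reg_set", "pid": 6001, "image": r"C:\Program Files\Example\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
     "details": r"C:\Program Files\Example\app.exe"},
]


def classify(ev: dict) -> str | None:
    """Map one event to an ATT&CK technique from the report's matrix, or None."""
    op, target, details = ev["op"], ev["target"], ev["details"]
    if op == "reg_set":
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            return "T1547.001"   # Run key pointing into a user-writable location
        if DEFENDER_RTP.search(target) and details.endswith("1)"):
            return "T1562.001"   # Defender real-time protection disabled via policy
        if SERVICE_IMAGE.search(target) and USER_WRITABLE.search(details):
            return "T1543.003"   # service binary in a user-writable location
    if op == "reg_read" and GEO_NATION.search(target):
        return "T1012"           # country lookup; only meaningful with other hits
    if (op == "process_create" and target.lower().endswith("\\schtasks.exe")
            and "/create" in details.lower()):
        return "T1053"
    return None


def score(events: list[dict]) -> dict[int, set[str]]:
    """Distinct techniques observed per acting process."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        tech = classify(ev)
        if tech:
            hits[ev["pid"]].add(tech)
    return dict(hits)


def verdict(events: list[dict]) -> dict[int, str]:
    """Flag on a defense-impairment hit alone or on two distinct techniques.
    A lone geo read is common in legitimate software and is left as "ok"."""
    return {pid: ("flag" if "T1562.001" in techs or len(techs) >= 2 else "ok")
            for pid, techs in score(events).items()}


if __name__ == "__main__":
    for pid, techs in score(EVENTS).items():
        print(pid, verdict(EVENTS)[pid], sorted(techs))
```

The threshold is the design point: a Run key write or a geo lookup on its own is routine, so the rule only fires on the combination the report shows (persistence plus geofence plus scheduled task from one dropped binary), while a Defender policy write that disables real-time protection is rare enough in legitimate software to flag on its own.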

MITRE ATT&CK Matrix (ATT&CK v13)

Technique (ID): number of matches

Execution
  • Scheduled Task/Job (T1053): 6

Persistence
  • Create or Modify System Process (T1543): 7
  • Windows Service (T1543.003): 7
  • Boot or Logon Autostart Execution (T1547): 10
  • Registry Run Keys / Startup Folder (T1547.001): 10
  • Scheduled Task/Job (T1053): 6

Privilege Escalation
  • Create or Modify System Process (T1543): 7
  • Windows Service (T1543.003): 7
  • Boot or Logon Autostart Execution (T1547): 10
  • Registry Run Keys / Startup Folder (T1547.001): 10
  • Scheduled Task/Job (T1053): 6

Defense Evasion
  • Modify Registry (T1112): 24
  • Impair Defenses (T1562): 14
  • Disable or Modify Tools (T1562.001): 14

Discovery
  • Query Registry (T1012): 10
  • System Information Discovery (T1082): 16
  • Peripheral Device Discovery (T1120): 4

Tasks

static1

Score
3/10

behavioral1

amadey, healer, redline, smokeloader, news, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

amadey, mystic, redline, gena, infostealer, persistence, stealer, trojan
Score
10/10

behavioral3

amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral4

amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral5

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral6

mystic, redline, kukish, infostealer, persistence, stealer
Score
10/10

behavioral7

amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral8

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral9

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral10

redline, kira, infostealer, persistence
Score
10/10