Overview

overview

10

Static

static

3

05b48b2909...29.exe

windows10-2004-x64

10

18c3050e5a...e4.exe

windows10-2004-x64

10

2577bd2a22...1d.exe

windows10-2004-x64

10

28839ba22b...c4.exe

windows10-2004-x64

10

4efca8805f...a2.exe

windows10-2004-x64

10

6603f1832a...ef.exe

windows10-2004-x64

10

6ba0db3b66...b3.exe

windows10-2004-x64

10

74fe770b34...18.exe

windows10-2004-x64

10

b6b53c7022...c9.exe

windows10-2004-x64

10

eedc883713...91.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    red.zip

  • Size

    7.0MB

  • Sample

    240509-mqdnvsdc5x

  • MD5

    78fdccdea5689bb923dd43b865bf91c5

  • SHA1

    41d1b9ab54030f345fa6c2028924663fca424c18

  • SHA256

    35e871ce220fc8db7bbac31d6083ac0873febff3510d2de8583011aedee458e0

  • SHA512

    c28afee10c353aba7f95eebb02a1f355d6dd9c9d2a6e2cca04f143995c0a72be465b67fd0960faeb86079aa608bfc0ef26962cf0272633ef349281df3625db96

  • SSDEEP

    196608:l2bw6Quq/fzgOk3dnDaiF9CL5AXC1Yn0Hg7+GC:bXRUzdRF9Ct9O0HgyGC

Score
10/10
amadeyhealermysticredlinesmokeloadergenakirakrastkukishlamplandenasanewsbackdoordropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Targets

    • Target

      05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729

    • Size

      515KB

    • MD5

      311bcc98621f1612a7a0bae8b412dd21

    • SHA1

      e6208f01069780dfb69fc831895e3b97cd900842

    • SHA256

      05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729

    • SHA512

      84aaeae41c97293674a99209e67e09ee915f6c533ef735792493981f7ce8cb6e66b69fa403c6d7fb9a0b9d8041af71484affe045c6582ce98337a4479d596059

    • SSDEEP

      12288:LMrhy90ADACn1dQ4Hr1nEb3crjgrngFOW:Syf1dQ4Hreb3crsr0OW

    Score
    10/10
    amadeyhealerredlinesmokeloadernewsbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      18c3050e5ad727d8fc6d2b16a53db9904ba34d7413ce2abfe2cd0baa2cd5dce4

    • Size

      1.5MB

    • MD5

      31b4770f88df8120e96a134063dd67b7

    • SHA1

      63fbc1a43a69a5138e50a602623095532c93761e

    • SHA256

      18c3050e5ad727d8fc6d2b16a53db9904ba34d7413ce2abfe2cd0baa2cd5dce4

    • SHA512

      ff9a5cf569978b8a1bcc9fc10719d7747c48f971217fdc6ac268074d4673f6d9df790778c03b51246df2548669aa3e296147af71576f0826652ef9c0b9a38330

    • SSDEEP

      49152:sivfIzpTOUKDcfhQrToZAyTpnDWA0lGkblMKiIY:/wpTKDcfmrMSMtDv0lRblnir

    Score
    10/10
    amadeymysticredlinegenainfostealerpersistencestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral2

    • Target

      2577bd2a22a0df03082a3d61b193668ccfa94a1aef60cb7bb0a7a5123c552c1d

    • Size

      514KB

    • MD5

      324e67d87fccefb7e75f2985c9367bd7

    • SHA1

      38e78535b68963f5ddbd4723affd083eb88505e0

    • SHA256

      2577bd2a22a0df03082a3d61b193668ccfa94a1aef60cb7bb0a7a5123c552c1d

    • SHA512

      69a8de32e220af90f71e63aca80268d761cf22b5b83b5790caf9eb62fb5d916e41a33a9639f808772f2c4de7306ecbb86f14154ab3084d7c91fe277ca5c17d5f

    • SSDEEP

      12288:UMrvy90CUJ2Myz3olrn+6SPVCL0Hk4mLgZlh4:jyLMuoljSPuWnmLgZD4

    Score
    10/10
    amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      28839ba22be16cab09b3664b34397e918be834c1459cde49048ffd421d2876c4

    • Size

      514KB

    • MD5

      319bd25cccb75fc18a1fe19c7beaf3e8

    • SHA1

      fc22a7d780f89b6ca0e1b449871fd3392fb16ba5

    • SHA256

      28839ba22be16cab09b3664b34397e918be834c1459cde49048ffd421d2876c4

    • SHA512

      50d2ad696cb60b2de8452c6556b0ccf938c131ad170c4981fd3cbaba172afc2833a4ecddd7829f98bb2bd80758b698d6ef5a2d65e6930dd2e92872dbb02d0089

    • SSDEEP

      12288:JMrOy90iUBwxKnDbdDEPT9iOhjRBu0h0PrwjWh:ry5UBwQnXd4PpiQRBywjWh

    Score
    10/10
    amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      4efca8805f96c16e636fc6f51197b43215b96da00409608d7658fea7ee155ea2

    • Size

      920KB

    • MD5

      324cb7ed10920e1912c6c390c5179a1d

    • SHA1

      2cb736bf107171b3047cb7b0ae7085a09704e68f

    • SHA256

      4efca8805f96c16e636fc6f51197b43215b96da00409608d7658fea7ee155ea2

    • SHA512

      7575bdf3c2e403de7deae4f0fc663fb6ccd612365da6c59b98fc47f37d42c1bda0aef9b272edd10ea4105a9fb17c992af21ea38c2acf1ca527620e17d795a6cf

    • SSDEEP

      12288:8Mr5y90BC08ZhZRpWsDWMuTYKrTDcVl4JRh/+pnKuLp611/cNOaK+oyrfYGzfD+Q:lyTn/qMnHAhWpKuLM7B+VrfvpaG

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      6603f1832a5054b7e8305ef7814111e74fc6f8356ae86cc81f0bd306722236ef

    • Size

      584KB

    • MD5

      31ce9a49141437fb448fab38300b7e7b

    • SHA1

      653cf066c5eb2fd5b1b1e664a1890ff6d98ad37e

    • SHA256

      6603f1832a5054b7e8305ef7814111e74fc6f8356ae86cc81f0bd306722236ef

    • SHA512

      87d40d1d5af991eb0ba75d55b9900ea886b0e806c9ac7fb6355032a8fec7c2c1daa9f9bbbfa11c8b25c45e79c67aa34d56fc3296b0b2141d1cb835f4126543cd

    • SSDEEP

      12288:XMrNy90X7lPtx1KI6xQVx51L9/ErNwIujDiwu:uy6KI/Vp+BfujD9u

    Score
    10/10
    mysticredlinekukishinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3

    • Size

      515KB

    • MD5

      3133d51b9cb5dff2ffb1eb479a3a8197

    • SHA1

      c7751780b417509447b6374f2044c4a70bd3aea2

    • SHA256

      6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3

    • SHA512

      4d0249966b11f4933be1aa3126d2ebd6d93700ff22f858457c0cde49a6e691f89d6480068f00d26b5aaa07b48f71ec0ec67f6ad6951d92815777801153789ae2

    • SSDEEP

      12288:2Mr3y90Mp419rk/h+B4egjTgl+ZP3SFgHEgD/r17DZ:ByDp4vg+uegjTgl6PQeESr91

    Score
    10/10
    amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      74fe770b3414b7af5432877eaaf1d2520b875a38c461d63983c77f7c1b39d918

    • Size

      390KB

    • MD5

      325cf030f204adc01a731f61f8e9b38c

    • SHA1

      7eab8b15f3f6476230c6cc4832f2b1b205844cdc

    • SHA256

      74fe770b3414b7af5432877eaaf1d2520b875a38c461d63983c77f7c1b39d918

    • SHA512

      9846de1792ea3737cfbc7fd81768e6d7a5bf33f22dbedac02085100f622612b7dfc0cb9fd01da11282971061f23f2fed5acb5ae0b6bedad778fe3861c1713f06

    • SSDEEP

      6144:KFy+bnr+Mp0yN90QEpkWGjZNJFp7w1giO7oSWrMguQmCdGgAW+lCQbX:3MrYy90iieiO7oSWFXGf1D

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral8

    • Target

      b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9

    • Size

      1.2MB

    • MD5

      3084e5a05ec994a172379bb42d1f4a6e

    • SHA1

      d5705086a050a075520d1e19aa047f924e079ba5

    • SHA256

      b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9

    • SHA512

      7988b8ced595a143db70f1e668bb0e645fa19621e363061379cd5b042ec6444bf8f9a14184bd65afb126a851e8acfb23eee6f71bce930d135c9eab36d87e06a0

    • SSDEEP

      24576:my9QoTLxsXrQ8m0Y3lsvmLEBXibYVetVVosYmmL9hK:19Qwss8ytLqqYjsJmJh

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      eedc883713775fd0c74224f0bedec2b1e88a105737c823318fc8ba819901d991

    • Size

      857KB

    • MD5

      327d4c708883a33864d87e20fe338e4e

    • SHA1

      113fd0267f24bbce914cc6c40946666f949e71e2

    • SHA256

      eedc883713775fd0c74224f0bedec2b1e88a105737c823318fc8ba819901d991

    • SHA512

      0eaf67c2f43322a3078c09930b4824bd57d6550cb37f5685e328a110a0c858e20ca8a099c6edd92ceae3ec1028077439c341cb8a8ba5c8774152a47479ecac51

    • SSDEEP

      24576:Gyes+XVnvEZEwluVaizN/nbr+pr72IbKJZz:VesgvEZcVa+hnbKp3KJZ

    Score
    10/10
    redlinekirainfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadeyhealerredlinesmokeloadernewsbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

amadeymysticredlinegenainfostealerpersistencestealertrojan
Score
10/10

behavioral3

amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral6

mysticredlinekukishinfostealerpersistencestealer
Score
10/10

behavioral7

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral9

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

redlinekirainfostealerpersistence
Score
10/10