General

  • Target

    red.zip

  • Size

    22.5MB

  • Sample

    240509-n4bbbsba37

  • MD5

    d56f4e95930b3022a9154109a74ee9a2

  • SHA1

    aab57467b7376c0acfa8253803fa755e30d199b5

  • SHA256

    7cc4ca7df1354c5dcc6727cacfda8e239f161845dfb3a7cb9889f29fad4b792a

  • SHA512

    863deb414616634b30fdf52d1430612ae5a78e27d0a83ce78a03721fc9fe791e29dcebf802d2b42bf6a351b73b328e5ea623952f5d7895fd1c16a5e6fd8f6446

  • SSDEEP

    393216:Id8nf+aTRKKp8zMP2o6J/fbaVRtj5xNRMum/DoMjb+sXYCNeeMMtFvSqRWwvzcXl:I8W+KmLPbqTaVDNun/DoMjb+kQeHrhRY

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

6077866846

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

lumma

C2


Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Targets

    • Target

      01aa1629bce01d1d882c10d835fa7765f2a247f51bcbf0d46b77b87362877916

    • Size

      390KB

    • MD5

      a076ae6cb1b18ae3f0157f02f17ad575

    • SHA1

      a51acdd2e42beb97ca8de21d3a07e62f2fbfbfe4

    • SHA256

      01aa1629bce01d1d882c10d835fa7765f2a247f51bcbf0d46b77b87362877916

    • SHA512

      311bb21e88f2ad16c04011058906fb15d2329a97a1f8cfa22a10088c4a2b23a5f57d46f156f74c5b1c8c38bf96af54683803f464b38f68ebf589e5033c95f2b1

    • SSDEEP

      6144:Kyy+bnr+Ip0yN90QEkX3vNbKMTy4HDtPdpS5eJ9cIkiGBmzC9AozEIsGE:uMrQy90KX3RKM2YtPjSKG8F

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      10c3a4b3e37a803bd0aa6309c39158c1cdc781b3496a972f062f1fe958597862

    • Size

      390KB

    • MD5

      a0ca6912e574833240194ec4fe31f631

    • SHA1

      8755f22d65a895e74cfc8675410f24e255f0827b

    • SHA256

      10c3a4b3e37a803bd0aa6309c39158c1cdc781b3496a972f062f1fe958597862

    • SHA512

      4b0b545b1f5bc3d93d71d6a9cd4cb411fb38a56f4c426648fe38837e4bc00c70f8406f679ae08aa8aa296edab828f8aa2b7c3b2db2f7ecb3ca62ee277e6be6ca

    • SSDEEP

      6144:KFy+bnr+Wp0yN90QEMMHTfcOSn1XrkWGjZNJ2h74Tj98p881bbZKgTDUONPu/:7Mriy90BzfcOS112Tj9g1RKgDUqm/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      12d321d9a66bfb909ca6ae3097f6aba39263be25c619d424b1dbefd373b20d0f

    • Size

      390KB

    • MD5

      a0570c03b2992062f9d7c88983ec0531

    • SHA1

      ef7a037d1215d81b892aeefd6108df59ccd2167b

    • SHA256

      12d321d9a66bfb909ca6ae3097f6aba39263be25c619d424b1dbefd373b20d0f

    • SHA512

      60d7a0422d3a872689e165148ed85c13820017ce7fbbe6e17e1badccb790d1690136144496d3c332c8272e0f94870d90e8bd231b893500f40d0d38e6d45bbf26

    • SSDEEP

      6144:KYy+bnr+jp0yN90QElD2DJ37wIsWV673NgHi406Yp5EeO2ufKu/:YMrny90rD2DJ372DmB06i5k2uCu/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2a2e3be04e8391170c3a71e198b45f6e45c085dff086c4e7b09748919fbeaef7

    • Size

      514KB

    • MD5

      9d827bb83640e0913032c63de8cb78f1

    • SHA1

      449eee66a32c41f5c5aee7d77ded58b575c1b984

    • SHA256

      2a2e3be04e8391170c3a71e198b45f6e45c085dff086c4e7b09748919fbeaef7

    • SHA512

      ec3e904df1ce5374b9b94d41edad0e79e012992fe988f1f994766022e1fef388500126c14dbe96487650cc8475611d32314c4f20df4ca271f85ce9d53e3ac695

    • SSDEEP

      12288:WMrdy90DnHgun+muOlzU2R3jp2W8zmUHlz8nlQH:Ly6nHguntu6f2xmal8lQH

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5

    • Size

      359KB

    • MD5

      00db65dad659f95f255fd66a55a3dbcd

    • SHA1

      59e2ff84dd9a158365a1046620138ddd07757acb

    • SHA256

      2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5

    • SHA512

      7e9b19dd6cc96dc841f2bbc610e080d4ee6e2968b8faa3227fbd57b5887a22e2bffe8b3a935cac36c85963f6ea126ec4be50f0b8f1202ac96723098ce6c4aea1

    • SSDEEP

      6144:Kwy+bnr+Up0yN90QElkfSgk3+ouqto7NQz7wmYo6Bv9Ov+bwR8/8gPefdHOD9:EMrMy90l/m4xz7wDoG9OmG8/Befy

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c

    • Size

      325KB

    • MD5

      a11dbc01603450452854f17aa7ea1eef

    • SHA1

      18436f7c4a7a4477c0baa93ddc108babce9491bf

    • SHA256

      2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c

    • SHA512

      1ac3b35ac7b8742c8eded217595f30ae25eff216409bddd3cc18809ff6e5d873c7feae6e1e3501dc02bebe2205f9f9e8db9718c76315b679ca8ce73aca2135bf

    • SSDEEP

      6144:K+y+bnr+/p0yN90QEJR9FTYYX8K75Nq/srdzir8IkNO3O0sUBWd:mMrry90bzFFX8KVpirQMFBWd

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2d948afc82e00dd1f60cb24271d2c482bc87f04e3f42bcd4147a3e017a974dca

    • Size

      389KB

    • MD5

      03519383d227ce282a2870d14344b88b

    • SHA1

      7aceb1ee4bfda479fd339ce7e7ed1b61e24af93b

    • SHA256

      2d948afc82e00dd1f60cb24271d2c482bc87f04e3f42bcd4147a3e017a974dca

    • SHA512

      788be9577fd9562faa566d1d5c02e1c57814b86b0c99066e13af9366a4e77bb697811387ddd1825316e4e7e5565c98ba9cfabfea5a4feab4ff665c1e4543186b

    • SSDEEP

      6144:KCy+bnr+4p0yN90QEwiyHaiJM2TNSlguN/CxTOxnqJjFf/9Wkd4Vm7p+IVju57Xp:aMrcy90WiyF3xZOxcjFXZ4M+Lp

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2ec8f4323279cbb3c829846c70e2e3b3f65d9d4591c18c17eb21dd76a257e0da

    • Size

      390KB

    • MD5

      9c59be29ef4f3e26803c20202d2a578f

    • SHA1

      2ae098e847790b599680618d71de7a5e083b0a21

    • SHA256

      2ec8f4323279cbb3c829846c70e2e3b3f65d9d4591c18c17eb21dd76a257e0da

    • SHA512

      af1ac2e6168423c10e001d10447a2be1d6d2432d1c7eb157edc239a5219dcc1378a5ca18915b131e6099982ee898244192d6309712dd24c54996368a0a885f63

    • SSDEEP

      6144:KAy+bnr+wp0yN90QEIlb8Q8Nf1VKGPITYx89NNYEB6LggBZ+t4HDkV+jk9R1:AMrwy90GZ8j1VKGArYSfgBYCHlWR1

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5

    • Size

      769KB

    • MD5

      9ceb7e981876441b81635ed856e5ac11

    • SHA1

      98c6e57fa8988129fbb40b89436f4248bf02c617

    • SHA256

      3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5

    • SHA512

      c540769d361ec0aac69c932115cec9a39991edd7b43993fbf8850037f58787165b808a0397de62815fa3adbeab15a271513b276a0f887baf557a94a42ed6721b

    • SSDEEP

      12288:bMrWy90ucNTOa/oSXd6k6GMAhDH3RcZcVzhvfr25meC/N7ycpyv1:9yhcN7wSsAh99rvScd/NOc6

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      3d5d854d7b4667609b1a4eb70e50a6f99578a6ede0809793fc835cf2aebd7221

    • Size

      389KB

    • MD5

      00b20738f1719e9d165b996cedf1cc3d

    • SHA1

      8f8973a6b71a499743c2df566f594f696aad169c

    • SHA256

      3d5d854d7b4667609b1a4eb70e50a6f99578a6ede0809793fc835cf2aebd7221

    • SHA512

      f0233c8e8dc67edcc41efec8d30f780ca8ce20960f0ed79b91b8465b5fd09b06c046cb8dd51d3e2e158631426501bff5346e5342c1986ca40901309cdba75176

    • SSDEEP

      12288:pMrHy901thF5SPk+/GQICWr6/hnlD9x6T:GyCXrQIaZnwT

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      68ab5c7a84977eb7379341d29d2b10434cfd4ae30fb2276c4973f5fa55a7e85d

    • Size

      390KB

    • MD5

      026e9d2d6645c34f2e9f33fadeec589d

    • SHA1

      b3eefcab5fc8a993b9e037e62510c80b6e617683

    • SHA256

      68ab5c7a84977eb7379341d29d2b10434cfd4ae30fb2276c4973f5fa55a7e85d

    • SHA512

      f15439a1e3d76b5304724bcab133f1ec15e63cb56a5890a4baa3d266575039797dc98af49fbf60d664d6339186a577780c080cbcf4890855588d17d76bf5b608

    • SSDEEP

      12288:sMrIy90JHXoKWDekYxbv00NcQEIgA8Kk:cy24xDYRb8Kk

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7732b3137a721cb543261e9c4ecb5c90b51aa6d810c2df0104df6b11e319dbd8

    • Size

      865KB

    • MD5

      0052fa6e5f2a8acf21c2bbf6f3bdd6cc

    • SHA1

      3a05bd0f34c716e55ad701b456c50ef624e3cb02

    • SHA256

      7732b3137a721cb543261e9c4ecb5c90b51aa6d810c2df0104df6b11e319dbd8

    • SHA512

      89775e9dce33ba0cabd9298c61b94423e2e96c67c0b3091c71385e492ad30838e7e6b297865d4e9fc68bad79613c37e5f5594b78c8b8730f3f1f181b9b34701b

    • SSDEEP

      24576:EytrgJgSxOLwdZCZqx7qJtKM3GlPNMh49OjQF:Txg3xOkdZCw4rwNZSQ

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495

    • Size

      968KB

    • MD5

      001fd77dc866551558dbdabe0918c8fe

    • SHA1

      ee2bc863795256c1573dce130ff05d9e0aa4778b

    • SHA256

      7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495

    • SHA512

      459497de8b051b9086e7d3a57fa06a50903666e61fb2a9815c80692b525821c4bcb75a44eea540aad9cb6214bf646d5a533496353373de616cd8656dc6cb7da6

    • SSDEEP

      12288:d4r/VjTk4fZ0JeFGdfIBmq4KRl8EtDYzbYzTL2dpuwiuZndFmhqVJxMI:o/lTk4fZ0JpdfIBm8IgTLBwUu7MI

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a

    • Size

      12.3MB

    • MD5

      a1e5c187755b1d1f6ecd92de6a1ee13d

    • SHA1

      b809713035e9e0451f7ab7e7b8f29b2c8e44dff5

    • SHA256

      8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a

    • SHA512

      c6e484d4668cd78d67b5ba5f65ab4639c2c03906e8585388aba521ec0ec062f9ea24109f174e9c4805c33230b5162a40ffcc65095f68d6baa14ef6b69490ecf0

    • SSDEEP

      196608:tUSP+yQZ55mfaEsVpxlTCUmT3p84YcgYp6OfPe1VyW4PTPJetC93t:tFw/41sVpTTC89PYgmPe1VSrPoC

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      9b03895e9b8629528bbb718f6ceab16387b6aba3cfa7fd7750d1372e383a7554

    • Size

      1.2MB

    • MD5

      01f57ffedc53094c3d382135edcf73c9

    • SHA1

      07cb59a3e430fdbbc77d906910ab4fd105c9f449

    • SHA256

      9b03895e9b8629528bbb718f6ceab16387b6aba3cfa7fd7750d1372e383a7554

    • SHA512

      73d4c5f23d3e00a6e508326cf892977844a6e3f20669c9f1afd770660a7f6ea31d9f08ed022284827d3d35b542a00233b0dec05e75545fdacca82f7f4eb225b1

    • SSDEEP

      24576:U51heljsInpBxcyc40xvOGe2EayAJrG8EJ:UjjInpBxcyc40UBaRZr6

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      a777a11027afe934646141f176344a5c05c946b740bea45e9684b9a8b98f6676

    • Size

      856KB

    • MD5

      9c48aaa51cf65419d11ed418bd2da277

    • SHA1

      bb7b03058b06c5c35df8bdc072ec392069acb5bd

    • SHA256

      a777a11027afe934646141f176344a5c05c946b740bea45e9684b9a8b98f6676

    • SHA512

      d53f5b56ebd8d2aaf8ab75d662a11c472261bb9ef9a37770d4e745bec3418ed8cfaf975e2c237dd410a245acbf14710db1039445e69088fb1106c71d25dffd3e

    • SSDEEP

      12288:JMrxy90R8ri0sl9RVN3oc2gVc98H85rd4517lsGG67i4C/1C9ZsVsV2b29z56QjT:Ay1r/slXbXNc5e17HfiNzdb2ZAhI

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      c0dad59a3bf41db6ecf798e4bdcef76482de14c96e0a17733413f0a05a686cfd

    • Size

      1.5MB

    • MD5

      02d3cc52bf2daf9027e9f5f03f9d5c60

    • SHA1

      64a54dee7b09794656ca9507fa03519451ebe600

    • SHA256

      c0dad59a3bf41db6ecf798e4bdcef76482de14c96e0a17733413f0a05a686cfd

    • SHA512

      a13e38a688863d6cf350a3ffb4c4df79b625945d92d7ed0964f1dfaf90b043e39b502695c7fe7e326856406eb536a8aca1537c0375cc5b30dae4f06dbb4b302e

    • SSDEEP

      24576:Sy43P8nmHHvHZb/3jXiV4MpypFR7uDMZiq3lDNGKVIAF/smmFJycDaV8ENEMKtAR:5vmHHPZb2KMpypFZflUKKAFmF8cN4Eh

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      de0b656af41759ffa8477cd8c387f71b8e3cbddbc718028139d53bc1c6b95d69

    • Size

      390KB

    • MD5

      a16ac9ef7483e3521231c15a522765cd

    • SHA1

      4d101b7b20025d4bd709a1db554f2f5d4beb4e9e

    • SHA256

      de0b656af41759ffa8477cd8c387f71b8e3cbddbc718028139d53bc1c6b95d69

    • SHA512

      a560db70c1b0624ee3d93193830f1c98c94164b8938b7ad7a9066f0ace9fd6c8606671e21d59b6293054216e3326f12245acdef33cbd8438c5561b3c51cbf14d

    • SSDEEP

      12288:9MrRy90FVDc5PBTcopqsqeYaacHnl9XyLEUH:sykS5P5TgaJHGv

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e0c981a9f27b4ad406731c3e41ec4ff1248e97b375aacc1a4489a8065a22ed55

    • Size

      1.5MB

    • MD5

      030a19de6d13bbdbed407d0e94df145e

    • SHA1

      36fb3018124e48e495fc3e5808646c2d181fb4cc

    • SHA256

      e0c981a9f27b4ad406731c3e41ec4ff1248e97b375aacc1a4489a8065a22ed55

    • SHA512

      b7094a94d8c42331fcee668ed1f1359d13c1623403232f116cfee7b7a384bb767180decab4e3760a51bfd8414cc4b7ac621c202d24f225cdbafa0b1403d35f44

    • SSDEEP

      49152:qklcuIfk1sTMr2OBuSFifJxwZphoZ/W79A:f2faim1kYZ/oZ/W5A

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5

    • Size

      309KB

    • MD5

      9ed6e3149f3de480b6dba815648459a3

    • SHA1

      0bca971a602e9a23ed01f24d74e00af6dac8a288

    • SHA256

      e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5

    • SHA512

      ffa150f81a93e1d49b159b60927b527fa1ab5918c0d5c20b332ef6c350c156f1c3da5c728b23e3a737abbd88d2c9d9bf719357d28f76c43bcc767145e2e4d218

    • SSDEEP

      6144:O6hm2uPpiUxyd2eVps3AzI5lftT9KJ0te92+RmnlhA7m/I:7m2uPpit6eI5fZ1te9ZsnlhAQI

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral3

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral4

amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral5

amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan
Score
10/10

behavioral6

healer, dropper, evasion, persistence, trojan
Score
10/10

behavioral7

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral8

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral9

redline, lamp, infostealer, persistence
Score
10/10

behavioral10

healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral11

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral12

healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral13

Score
3/10

behavioral14

redline, 6077866846, discovery, infostealer
Score
10/10

behavioral15

persistence
Score
7/10

behavioral16

Score
3/10

behavioral17

lumma, stealer
Score
10/10

behavioral18

redline, kira, infostealer, persistence
Score
10/10

behavioral19

healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral20

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral21

amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan
Score
10/10

behavioral22

Score
1/10

behavioral23

Score
1/10