Overview

overview

10

Static

static

3

00b85ef681...3c.exe

windows7-x64

3

00b85ef681...3c.exe

windows10-2004-x64

10

02fa9e870a...3b.exe

windows10-2004-x64

10

21feb39957...32.exe

windows10-2004-x64

10

22f65486ce...8c.exe

windows10-2004-x64

10

230ec3f2c3...5e.exe

windows10-2004-x64

10

2ea5e26c15...e7.exe

windows10-2004-x64

10

3352e66593...91.exe

windows10-2004-x64

9

3a8a7d42c4...54.exe

windows10-2004-x64

10

55872fee0d...a2.exe

windows7-x64

3

55872fee0d...a2.exe

windows10-2004-x64

10

5c4e8c59ce...96.exe

windows10-2004-x64

10

9eded57acf...94.exe

windows10-2004-x64

10

ab1944db7d...fc.exe

windows10-2004-x64

10

ac6f6a7901...6b.exe

windows10-2004-x64

10

afa70bcf38...3a.exe

windows10-2004-x64

10

c4490bf883...30.exe

windows10-2004-x64

10

c648954590...a2.exe

windows10-2004-x64

10

d5755dadc9...b2.exe

windows10-2004-x64

10

f066a86310...dd.exe

windows7-x64

10

f066a86310...dd.exe

windows10-2004-x64

10

fa130ffbae...7e.exe

windows10-2004-x64

10

ffca01eab5...09.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    red.zip

  • Size

    19.1MB

  • Sample

    240509-nayjrshb53

  • MD5

    8d01955b93f7c8a006c2cb88ef09b21a

  • SHA1

    1a829a0641543686bc77418dbb678b102c890d4a

  • SHA256

    45e94c10bbc148cc1f0e810ef4a64b3b2814960515bbe6c69d8570dde960e0b2

  • SHA512

    a0930bc83748bae07c9f3c7ba925a28f17fe9083f57a33252e8443540fbd61dc6f87dd776e9d2b85d27f8bcc3a360b4e4eb2810809e1c8129f326cbfc7b2d852

  • SSDEEP

    393216:NEPhFEt2F0BfdocRN7LQcix2OI31QY782rdAeckV5cCO0DSXZMgDsq:6Phd0B+M1QFxn6175GdaM

Score
10/10
amadeyhealerprivateloaderredlineriseprosmokeloaderzgrat5195552529crazygromkirakrastlamplandemashabackdoorpaypaldiscoverydropperevasioninfostealerloaderpersistencephishingratspywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67
Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

grom

C2

77.91.68.68:19071

Attributes
  • auth_value

    9ec3129bff410b89097d656d7abc33dc

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Targets

    • Target

      00b85ef681a2709f477253e1b189f4cbad5160e677d7c1640519def540c2fb3c

    • Size

      435KB

    • MD5

      9346cb4c1ee1f0f32394ff3e7942ee76

    • SHA1

      4f7ac5bdf6cac99c70fa71eb8c09d4e434cc2f50

    • SHA256

      00b85ef681a2709f477253e1b189f4cbad5160e677d7c1640519def540c2fb3c

    • SHA512

      5f1a89d266e7f76caa6d68735eeb5d63c9cf5ef5b99a69c787d5a9be89a60cfb81eb734111258b4e1c22cd247b21f5325055e6f14887498631456f0bcd261d38

    • SSDEEP

      6144:6kcY4cCU5TE9W07IaLlAW4uGHmviSDwDNJwlJ8wuVhik70wReTwp/:hcY4vJIGSx5HeilDfwlJ83VhGwY0p/

    Score
    10/10
    redlinezgratdiscoveryinfostealerratspywarestealer

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      02fa9e870a9e9a0cc531855a78099113495ff912e04f39b601de63c2b4853d3b

    • Size

      390KB

    • MD5

      96a485e578b54f2cde0c37c6f512e0c0

    • SHA1

      0a5740973b41ae78b864ded4bc40ea2d697c118f

    • SHA256

      02fa9e870a9e9a0cc531855a78099113495ff912e04f39b601de63c2b4853d3b

    • SHA512

      003eadf321e2614e3cf10cbbb177df679223e60866f3defa0a5851046b55a1aded5cd8cfef293c702b6d40b624b28f7c57563d106c292e33d80efed9e37c83e0

    • SSDEEP

      6144:Kay+bnr+Xp0yN90QEw2RqEJ7YkWnjBNsnDwA16Ngl+U+YQqNwk2eAsOXmE5JCzHZ:WMrXy90OEl162l+UAkAZ26CApO

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      21feb39957e192116f1449fe8d8fdf2104aaaef3e4f6a5e516adc72ef63dbd32

    • Size

      1.2MB

    • MD5

      913372a73a1f952c41762a0ea1f91a37

    • SHA1

      d02ec459307a0847637f788a5e2e33c732f42f31

    • SHA256

      21feb39957e192116f1449fe8d8fdf2104aaaef3e4f6a5e516adc72ef63dbd32

    • SHA512

      733128ca43a63c485b28a8f2215b0b4848acfa0929692b588130adaa5cf2291b30bbb08232b85704ff5739ed87f43cf251a18882343a486e99eb9ab06856ef4b

    • SSDEEP

      24576:yy82uVKaX0hGaGcr+Osx1QVB1ZyuItcIZ2v8i09g3K/03u:Z82qKu+9+fQVBOcIHx9F

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      22f65486ce4ad040f9985202d9306069315f0db3b4c66e630e358d3e8275178c

    • Size

      1.5MB

    • MD5

      8fffe24a095ff86baacd02f20b2ae01e

    • SHA1

      66dca64c0e369bb53bf25a13d4f60185a1774dd5

    • SHA256

      22f65486ce4ad040f9985202d9306069315f0db3b4c66e630e358d3e8275178c

    • SHA512

      2251e76ca1c3072ff78f339548b5d7afd3bf13e15cfb516584a536e19595e154a343dbc61f19a4765fdfff2a86c962944b195d7d1328be4c5405810d5a545226

    • SSDEEP

      49152:KAhzL8MtOkOiCRahFMaNXg/2f1jlch1Ew6M6:VltNOrahFBXzfdlch2w6

    Score
    10/10
    healerredlinemashadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      230ec3f2c3ef81a9a14c2fc686c0aa21d93d3cca8dca04a8ecb90dd3c54c0f5e

    • Size

      389KB

    • MD5

      96532f08f697cf55f10114171a05405f

    • SHA1

      2841772e1b992e2378716806216f64d07d78f7f5

    • SHA256

      230ec3f2c3ef81a9a14c2fc686c0aa21d93d3cca8dca04a8ecb90dd3c54c0f5e

    • SHA512

      3184b85cb5e6e6c14c9810e29c548bd4cfeb1a47635adc679f698a30e6dbcd7dcda2ca1cb02e3bb7b1d22cacee5621396c7df20de7fc5332a34ac3e0bb530685

    • SSDEEP

      6144:KIy+bnr+op0yN90QEHcP9sv04cnFOpG3YhWK55P1qhF++gBZ+t4NDHdl8WDHIuV/:kMrsy90w9bnFQG3YwhF5gBYCN7dfTR

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral6

    • Target

      2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7

    • Size

      514KB

    • MD5

      90f4e7656cd4f2ff21d306e9a2127aa8

    • SHA1

      d7c5ac2b853e2ffb6281a91e1d48a652fdb4ab4b

    • SHA256

      2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7

    • SHA512

      cc4a87aab9ee3c6290dd6eefd14e2297f24f9738cad755bb462d402ab408fdbd27d196e5a44475e3a4296c0f959305d645187297fa12f76464f652d040651e15

    • SSDEEP

      12288:kMrvy90pmeitVqabcxZthOFvD2ZT58iro7:7yAitsKcxZtsvCLE

    Score
    10/10
    amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      3352e66593f9d652c7f760070d266d43ca2ba74eca75114c78a92c09c1a1c391

    • Size

      3.1MB

    • MD5

      9aa2ad69aeccac3b49dfc5cecce2fdc6

    • SHA1

      e93044a2babc4d30b26432b6b935bacc701317e8

    • SHA256

      3352e66593f9d652c7f760070d266d43ca2ba74eca75114c78a92c09c1a1c391

    • SHA512

      2b679843b30feb1fa1b8c1a47368f54275ed2a46c0405f6be65c100601815b2fd95c66107a0c3b36e85e12236e02990db259b27e3dfd1fd40d6c56d0816c711d

    • SSDEEP

      49152:W1OtAz7vzNxv6p9OOEaWqLCL7EG2I5UQz7nIGoqSWQbVEEdCXT429FQf9:yO6fzj6OqL87EGl5UQz7nIG/QEEd3im

    Score
    9/10
    paypalevasionpersistencephishingthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

      phishingpaypal

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral8

    • Target

      3a8a7d42c4509a4814d5eb963c05afb11363688b72aa7535816ae86e20bcf654

    • Size

      390KB

    • MD5

      8e667084524c9501437cd806a391ff09

    • SHA1

      2c88b8d58c6cd3e3a299a36687ffefbc89385e86

    • SHA256

      3a8a7d42c4509a4814d5eb963c05afb11363688b72aa7535816ae86e20bcf654

    • SHA512

      78a748e7c0840f18e7ee55e6c7cd325d23672639161faf5c4c21d339aa72ca414fc903a6c9fc0fef751e9b6bfca801121af279bfb808ccbe6536ac7887b4de24

    • SSDEEP

      6144:Kfy+bnr+jp0yN90QESxK8s3JXYQoKZ8pxgiFDgXq9asAxgiNcjr8FyUuscU5GNt5:1MrXy90c88SoQUxDgXEa78N5HUoNt5

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      55872fee0d31d2f9381e3b62d592835be2ee776ce2c69397061fc06d6efa5ea2

    • Size

      274KB

    • MD5

      938610ac96c1524bd47fb2ee3b49cb72

    • SHA1

      a320045f12ccbefe3d8599bc0581f310e5807556

    • SHA256

      55872fee0d31d2f9381e3b62d592835be2ee776ce2c69397061fc06d6efa5ea2

    • SHA512

      059bd88f6b40e15ae616a48de378994240b96318a50bf5a7c40491cf112c8b5e76c0e5500e1cc93115f4c8481923283ad57f2381d96604e120161fc2b8a95607

    • SSDEEP

      6144:jpeaoQWhlmgEDyvpXo1IpXRY5N4RJleiNcwpf:leaZzyvm1IpmysiNzpf

    Score
    10/10
    redline5195552529discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral10behavioral11

    • Target

      5c4e8c59ce4b4f21acc7d26ba988d8f069d256569e9565b33d865a9859a5ba96

    • Size

      390KB

    • MD5

      90a1351efa21b2e57a8c54b5812ce7c6

    • SHA1

      2459edd54e8d8413286c252735945d9b894796b8

    • SHA256

      5c4e8c59ce4b4f21acc7d26ba988d8f069d256569e9565b33d865a9859a5ba96

    • SHA512

      b462b03695a58b9294219d2edb9db510c296e4da98ee2b21d3a14c11dbbec8a8baa9798d4bded316d7634fb8f41ac2555d23598a5b452293a76a4190d7a1f13c

    • SSDEEP

      6144:Kpy+bnr+xp0yN90QEezQF5w6ZMxThr8t+PDhCI7KEx/wOJAWscFhiiIHYH8:XMrhy90DMx1rxPDhCI7KEZmWdzZrc

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral12

    • Target

      9eded57acff39eca8ffe9167fa52ac5a352e13a9ce3d0f0696a5a69bf589b794

    • Size

      390KB

    • MD5

      917bb5f4d2e524203ec2f8b2ca6cde66

    • SHA1

      7b18a47f6b6e167d9604449477b5b1fb8cb0a579

    • SHA256

      9eded57acff39eca8ffe9167fa52ac5a352e13a9ce3d0f0696a5a69bf589b794

    • SHA512

      3844d4a958eef980cbdea8a9b9db4d2f030ce738ebd7e38fc91afd0eb993c340f3942481b6029393d5534e65bcfd3158ced08fbf67b12ff67629ec60f20ac8c9

    • SSDEEP

      6144:Kuy+bnr+9p0yN90QE1vPgYPRrnkW6nZN7QR59Rm5DfBivUUBrJhYjqSB4aaiCx55:KMrVy90rNPRjEx8sUdXGB4aaiFq8e

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral13

    • Target

      ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc

    • Size

      863KB

    • MD5

      9c07b9eafa5a6c98981382e139e61f33

    • SHA1

      527012dc267ef2c160554ec2d63bb3bf498b8a87

    • SHA256

      ab1944db7df59717e8b318a32f59870d54e081f919a261fe3ba94f98287e65fc

    • SHA512

      3daa673fa19e3d0a05c2fc6bda3a3f51b01914ca1a4bef6a0ff7f9f883a6a3e2c86efe8e09e0236e516a729cb59150c0a01674a1a5ee6e43065fadb9dd4b1100

    • SSDEEP

      12288:rMr7y90d2ekv6Oxnq/+4Drb0zHtcMicaYe3vzbB2sfWT4MQSWXH0tKOejh971gq8:4ymGvKpHyaNZXM3QSQt5QZXK8b

    Score
    10/10
    healerredlinekiradropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral14

    • Target

      ac6f6a79014cf8f7e7574684eefac7be8456184590031637c4329470e2c2d66b

    • Size

      390KB

    • MD5

      8edae791c2f8b43bad7344d8b980328f

    • SHA1

      25ecd604ac6a58b47783b8e1c53c666c3069611a

    • SHA256

      ac6f6a79014cf8f7e7574684eefac7be8456184590031637c4329470e2c2d66b

    • SHA512

      0ad898c020941178058fdb92b322e1a3e8d22173f606851aba6b601570d6007cbe337517610158fd4232730158400a8064389af1c02787aa9e64d8c8c9ee2b1d

    • SSDEEP

      6144:KGy+bnr+pp0yN90QEPoOf+JNc6o/L8g3g9h89l1W48eZ2xjtu:2Mr5y90Voxc6TfaMZeI8

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      afa70bcf383e33af9cbc128ccd361170f3a0ea3cd99315128edb8e1a80aad23a

    • Size

      1.6MB

    • MD5

      8deec4805523efe236b6022799c882d1

    • SHA1

      67b0a6dd0d7592016e3b22fffb623ad33a42364c

    • SHA256

      afa70bcf383e33af9cbc128ccd361170f3a0ea3cd99315128edb8e1a80aad23a

    • SHA512

      64b1b6dc25569ddcffa8249fce0cb9534bca605ab7061a288955df776380473a26b6ebd57faf5f28cfd2a6810bd216da07436078a2201adf23dc0c77ab151b24

    • SSDEEP

      24576:ZyOAv8szkh1NLNczLu4/8b48sUsYFCR11JPNTRFd4gvgjtjHIi4xWupgmt1IwQj:M0IkZNct/8MB+FmvlNTLd4poPWutRQ

    Score
    10/10
    healerredlinemashadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral16

    • Target

      c4490bf8834c5c3594355b47c30aba72c7684a25e0614f1a74add9993af97f30

    • Size

      515KB

    • MD5

      9b8021b570f8537a35e6473425712c56

    • SHA1

      7705fbc7332b2945c16d51929584bbdce269f6e6

    • SHA256

      c4490bf8834c5c3594355b47c30aba72c7684a25e0614f1a74add9993af97f30

    • SHA512

      d84bf9600a08d87179230da9fa4655fbe0dfcfd4667eb19ac5d26ac9850f8920a81ad2c93e1859ee1841e0353bd7b339c671608211dc145effb731bd1b994247

    • SSDEEP

      12288:kMr8y90/KKxfRPj6YJEv/IxjywHcI5kbhvfLoG0Ql2fQfz:4y6G/sjAYih0K2Qz

    Score
    10/10
    amadeyhealerredlinesmokeloadergrombackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2

    • Size

      1.2MB

    • MD5

      8f0ae8b9143b7c2a9d3ee80fb01e12e5

    • SHA1

      89f6a23d8506e9f9225d65cde96557e343ed2ea6

    • SHA256

      c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2

    • SHA512

      92a13795c626c78cecaa8af7c42b1156bbec24345e610b8ed5487e536d532fce4a93af4eb15528949c77169f1a694c37672ff1e3dee5442152a241acb2776e84

    • SSDEEP

      24576:CyLs0yzVqprTMOkQDpNfAv6eht7Q3PcTUahfoMx7pMeW:pw0yBqV4pQDpSvdht7Q3P4N7pMe

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral18

    • Target

      d5755dadc9af9cde67934873a4cde67dc43f1cec089cfbeef71140b67d9912b2

    • Size

      1.9MB

    • MD5

      8fab5525761a1e1d513d3cfcebc2888d

    • SHA1

      eac452385c6204d132a3dd067722a0f1cc2e0b55

    • SHA256

      d5755dadc9af9cde67934873a4cde67dc43f1cec089cfbeef71140b67d9912b2

    • SHA512

      0da86ac9da17ac45728383181dbbe3239043dd0275ed228f2eb0774df29cc164f18a5fc43a8bbc07eb815cbab733234def44df6c8aaf6e792ee66e316afa11e5

    • SSDEEP

      49152:e9TyReffFJi5631lw0OKRoXehFCM+2md70sZB:0GSJ00UbzW/jC7

    Score
    10/10
    privateloaderriseproloaderpersistencestealer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral19

    • Target

      f066a86310e9df931f9ad80a096c41561564e2e05f5b6865c8531b7abf16e0dd

    • Size

      302KB

    • MD5

      969c5dc0eb8b8253a0fd37a496f58ef1

    • SHA1

      4aa6a4c1c19bff665b5638f70cdc0d9bb7e262df

    • SHA256

      f066a86310e9df931f9ad80a096c41561564e2e05f5b6865c8531b7abf16e0dd

    • SHA512

      3314b40bcbe666e4747cd993b5d8663a1e12957efc9c299b4796bae4c43af35d58c75eec3be1bc8de17d5c5d80e5f8b9c485a3eaceb1a4fe1d31949bb40a403c

    • SSDEEP

      6144:QWzRT5OXkMMnTDs7UNVS49kCNQSzrs5kLJhHVugiqtciLRcx:X1T5nD7NQSzrs5kLJhHVugiqtciLR

    Score
    10/10
    redlinecrazyinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of SetThreadContext

    behavioral20behavioral21

    • Target

      fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e

    • Size

      3.8MB

    • MD5

      8f20f82e55f613e3387d8a4393d84415

    • SHA1

      1fbb59f002e77b5608e555d5fb856ec649a94128

    • SHA256

      fa130ffbae77f393b8c3761880769505ffbb2fe708e7fc375f0bf42732542b7e

    • SHA512

      3596ff1cd6012bc0c3f6a8f928dc124499b2c64406ae8e99d994e84c6f8e817869adb3c23a1ca221a418521dbba2592bef264c43514a0dbab794d69b57af3f4d

    • SSDEEP

      98304:fbst8f/CbxPjMQCx+eU9XLfZUN0VoIojgMnrL8007F:fb9nCbx7My7twqFojgMnfe

    Score
    10/10
    evasionpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Drops startup file

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral22

    • Target

      ffca01eab57ad303c53af864d96d53e1fe5339d089ece9c9288d685395588b09

    • Size

      769KB

    • MD5

      93c1cf125b85fb3d837c268f1a522d43

    • SHA1

      021b4c910e6c9af13c94f77b6f5e88a1480c82a9

    • SHA256

      ffca01eab57ad303c53af864d96d53e1fe5339d089ece9c9288d685395588b09

    • SHA512

      c700c65674e875ca0f1a460ac20407a48067806d4f99af805f53fbd9b533de603b491d3f0c439c7203aff86e424fe5d99a9360452413a362ee5aa36d0a63bd30

    • SSDEEP

      12288:PMrAy90FvlyVN8Ha8xmcAGaIevzTUZczWOQO7vw0wRgPoS3bHvit1j:by6wN7gmcOFzlWOJ7YVRioS3bPM

    Score
    10/10
    redlinelampinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral23

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

6
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

Score
3/10

behavioral2

redlinezgratdiscoveryinfostealerratspywarestealer
Score
10/10

behavioral3

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

healerredlinemashadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral6

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

paypalevasionpersistencephishingthemidatrojan
Score
9/10

behavioral9

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

Score
3/10

behavioral11

redline5195552529discoveryinfostealerspywarestealer
Score
10/10

behavioral12

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral13

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral14

healerredlinekiradropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral15

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral16

healerredlinemashadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral17

amadeyhealerredlinesmokeloadergrombackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral18

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral19

privateloaderriseproloaderpersistencestealer
Score
10/10

behavioral20

redlinecrazyinfostealer
Score
10/10

behavioral21

redlinecrazyinfostealer
Score
10/10

behavioral22

evasionpersistencetrojan
Score
10/10

behavioral23

redlinelampinfostealerpersistence
Score
10/10