Overview

overview

10

Static

static

3

35c135016a...ef.exe

windows10-2004-x64

10

3ab23a3036...c6.exe

windows10-2004-x64

10

3b8cd7306b...71.exe

windows10-2004-x64

10

3ea65c50a2...63.exe

windows7-x64

3

3ea65c50a2...63.exe

windows10-2004-x64

10

51c9916d6f...bf.exe

windows10-2004-x64

10

53cf9b6e16...08.exe

windows10-2004-x64

10

64792ffeec...35.exe

windows10-2004-x64

10

71d1420ff1...80.exe

windows10-2004-x64

10

7a08e2a624...2b.exe

windows10-2004-x64

10

7dbf05d83f...65.exe

windows7-x64

3

7dbf05d83f...65.exe

windows10-2004-x64

10

7f80787d38...fd.exe

windows10-2004-x64

10

9176ff0f1c...21.exe

windows10-2004-x64

10

babd836631...1d.exe

windows10-2004-x64

10

cbd8058875...48.exe

windows7-x64

3

cbd8058875...48.exe

windows10-2004-x64

10

d134576ca7...48.exe

windows10-2004-x64

10

da09729d57...e8.exe

windows10-2004-x64

10

dcfab037f7...a0.exe

windows10-2004-x64

10

eca60134d9...3f.exe

windows10-2004-x64

10

f16db96028...f1.exe

windows10-2004-x64

10

f5957f382e...6a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    red.zip

  • Size

    9.7MB

  • Sample

    240509-rtms6aed2s

  • MD5

    f0f1821c3c86679ab661f3e696cd5ebe

  • SHA1

    c57a6fb5c371c97fcf1600b7e2edac46cfcabdfb

  • SHA256

    d3b7e5cbe2980cd2fb6f7f30eaade26a956ec4a02e71ed37c80b263166b40ef2

  • SHA512

    a915a2f5263258ac6a01ec43c9b31608247f8ed54aa0a0039ea26dc00b296926fbbc141a6c216ebac778f4eb6b5f556842a159e588fdd05547816a3cf5222e72

  • SSDEEP

    196608:RKqUhbQHxUgkXZTZblEaQwyY8ruuITpZWDOrj0boChNnPHCJ8nDCkuGczw:cNGrkXR9lVzyYWi+OrpsPHCKnDSlw

Score
10/10
amadeyhealerlummaredlinesmokeloaderzgrat5195552529kirakrastlamplandenasapapikromarosnbackdoordiscoverydropperevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67
Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Targets

    • Target

      35c135016a0f649443e821c488d88916ba73f8c81eba1b57cf92cbafb9cd49ef

    • Size

      389KB

    • MD5

      0ac02c9b8e6f19479620f7e59186e60f

    • SHA1

      bbc977716a369583ff74aef66e2048e35f319855

    • SHA256

      35c135016a0f649443e821c488d88916ba73f8c81eba1b57cf92cbafb9cd49ef

    • SHA512

      f28176a1589d2ea1e835f169d1dff4de2dcf54d2974c32528d61e89ce5209839efb7208ea346cefff1c2197212692ddbbc8352c7bec0b8b4dae0d454d3a6bbed

    • SSDEEP

      6144:Kuy+bnr+0p0yN90QEedTBA8dQIkZMXbdJ+VAwNaGiIy4domfZ6YV:eMrQy90iYVMXbhcplTV

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6

    • Size

      857KB

    • MD5

      0f0d0b0d1763725ce36c1c1db736fc8e

    • SHA1

      3a5d36a40ae2f0aa832b88db12e8080f83b8503d

    • SHA256

      3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6

    • SHA512

      224c93c379f47a4b1886478c26427daab891b4cdbbacf2dbdce454a8d3acc1c16eda545ff2381cbfe0fb872fe670060471f346986f7fc6ae4007039531322f5d

    • SSDEEP

      24576:nyD97B7U1CjyvR3id1Z0Fr4m5lO5x99+wfCbnBYsVj:yDaCjcipq5lO5X9+wqbGK

    Score
    10/10
    redlinekirainfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral2

    • Target

      3b8cd7306bcee474040656c20f071e99345caea6d53f3bae9bb55dfbe680b571

    • Size

      514KB

    • MD5

      0c314c3384c85c50e9da541ac5b0893f

    • SHA1

      efd1f83a21c41e8a55d9a13e4ed57ea2a7cb7d9a

    • SHA256

      3b8cd7306bcee474040656c20f071e99345caea6d53f3bae9bb55dfbe680b571

    • SHA512

      70e9b01358106c18fb9553957838b26dbe75e914dd84e062c77ceb7b35820d32e5a3f1be000eeb86a91c432774de8c99ff13a2c77b4ac788ab7c2a978ebe935f

    • SSDEEP

      12288:mMrXy90Wc0SidpHIxieOutu7FyVekPhbiAMd1Juj:5yXc9idN5eOuc72vbi9d1Ja

    Score
    10/10
    amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63

    • Size

      1.2MB

    • MD5

      0edc62a65d1081dc5d7b85b678ab57a5

    • SHA1

      1e1448bcce4f519920f50e12cbe27b79418036b3

    • SHA256

      3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63

    • SHA512

      4ab96c86203104d741c166f1980b04a5e74c1e294b676c4dccaee9eca5308ea729099d7dbfea605b5037181c57c4f870fe0b3ff5008b4f8b2b60ed0f95cc1db2

    • SSDEEP

      24576:0g16H28pon7yhsS6RUOviFG7IrCJ366q1FP3fkTV:0O0on7yhsS6RUFUDRVskTV

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral4behavioral5

    • Target

      51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf

    • Size

      642KB

    • MD5

      0bc5faf0e7fdbd7657e543edd6737f85

    • SHA1

      10b8a75b664245ec610d52ff93e6018790e0f029

    • SHA256

      51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf

    • SHA512

      44a5669177dc9edc2996016254f48b35252e5bcfbc513cbd85cd7405f03d78ec2f86d28071353ffb6cf6ae5411e4e1f5252c2ef4f9d785d867dfb9b88751beee

    • SSDEEP

      12288:0Mrjy90oZo0FV0/keZ9Ni15Iv6aCt3JV7i9wQE4Ytm4Nqz/EjCPyZ:HytFjs9NiOCI+Qotm4NAdPG

    Score
    10/10
    amadeyhealerredlinesmokeloaderpapikbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral6

    • Target

      53cf9b6e163fb85f7a2983777330f4b842b13db5809af32dc4a7847702037208

    • Size

      390KB

    • MD5

      0b1ce353968b0c3b2460ee1c970494bf

    • SHA1

      0ad9526a8fd38865222352522661dda4646a7c3f

    • SHA256

      53cf9b6e163fb85f7a2983777330f4b842b13db5809af32dc4a7847702037208

    • SHA512

      7700968aed5a72650e592ec32e4bbb66bf6a96999b5b1f4844b6845e8ace895ab8a42a6548075ba1755831958be4baaaf2b35824a134cc74e90b3e6f47cb17cf

    • SSDEEP

      6144:KZy+bnr+fp0yN90QEMhQGyF4t+9hRuXhVZzbqQvNU0ngBZ+t4yD/FJgvCuMd4f:bMrHy90Shfo3uXhbbqa3gBYCyDtuMq

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35

    • Size

      390KB

    • MD5

      0f8598fb85f2093ef6d50320bb154ef9

    • SHA1

      2c59e4a20dfbf7509be558e6d23a13b885643055

    • SHA256

      64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35

    • SHA512

      4f02ce78063742780afd98688b40d764f5d27b5cc3877c13ab3a616a2d2b92fbbd800bb64548d43f7b58970cbce83143fb75ba2682c2de3bfaa0db19a9c28b75

    • SSDEEP

      6144:K7y+bnr+mp0yN90QEkE/euW+jgZlHyZgSKaFSJV1MA3lm7ZP1bj40:NMriy90GxufjgvyZtKOSJxabj5

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral8

    • Target

      71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80

    • Size

      390KB

    • MD5

      0f6e9123147c19f2467905401e618e1b

    • SHA1

      917abbb6f211d4a7662c8f05947e799452691601

    • SHA256

      71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80

    • SHA512

      151241129262e3de028e744556aa0ae408c5b469996892abd32ddd41dc86bc2a0e496e4bf2ed07c6a8cadff7643e3f0bc9b501eff36dd2b4a90b7ffef1e67e1f

    • SSDEEP

      6144:Kvy+bnr+Kp0yN90QEH1EEZn+h2FJ3GVHY+M0NoAsjLSTJHAcihT9/2U8sC2dQ:RMruy90cETW4YdJHnihTcU9BdQ

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b

    • Size

      514KB

    • MD5

      0fa62ebed394e0d1ca75a047dfcd8883

    • SHA1

      c320dd1803bf38cd5822882b9c3aed0c0d2df000

    • SHA256

      7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b

    • SHA512

      d36d9c9ce7042ca5942ec1a762e109c21a717057b6895b8d1b74892c6b08ff7b017c7142012685eb2112ac6800344910e8f2086980887641717db5a20fb437da

    • SSDEEP

      12288:VMrNy90LyyzBA8YCgPxn4VxjSadSX9zheZnSW:cykXgPaSadSX9tmnSW

    Score
    10/10
    amadeyhealerredlinesmokeloaderromabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral10

    • Target

      7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965

    • Size

      1.2MB

    • MD5

      0ebc98820c6a15e86629ecbf82323a08

    • SHA1

      2e443367c537780f39c92d70903bc500876b8f52

    • SHA256

      7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965

    • SHA512

      8c0d1786416a52444f8920db9ed9900dd902c388519dc9045601f599308adae01cf7592b2dfe81119bcc992b2dae432c6e6df26d6ec739a3a9e3d1d836503b4b

    • SSDEEP

      12288:GWbqxxv297HF1HLZVrS5WPMkD+gaxMaRnoN7vhkmUuGZaU0M9cmyel8ePTtYOJeY:Vbqx5297HFpZVrMWP3DpaS1bUZjPSO

    Score
    10/10
    redlinezgratdiscoveryinfostealerratspywarestealer

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      7f80787d38486459a9c104bc8c42dd78c68e0e27411be54897379c415c7c73fd

    • Size

      690KB

    • MD5

      0c87128b0af187a9fe71653d1a0e5263

    • SHA1

      001166bb1806c1063c1c1cea0ef6098514871057

    • SHA256

      7f80787d38486459a9c104bc8c42dd78c68e0e27411be54897379c415c7c73fd

    • SHA512

      e276d4155b9d5d0a68c5474f756eef46abf49adeb78ef13f3d70c5c7da785f000c7c55044641e2c6f09a7b2af2f96d60d4f9c0889de4143af59f92779e8696ba

    • SSDEEP

      12288:XMrUy90DLtlNOkp0zgKrIv1HTh3K43YALqOoTgBetsh0T7YU1+iiWW1kfd:ryQNeg2oph0AmOoEBeGhVyEM

    Score
    10/10
    healerredlinerosndropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral13

    • Target

      9176ff0f1ca08377671891eab2e7fd1bad29e129985b386e1486b543767b2721

    • Size

      359KB

    • MD5

      0deb769fd0074adcbd5a49ec72fabfb3

    • SHA1

      a4653cdcb6a68d1f247079b6357d03d5c7950bb3

    • SHA256

      9176ff0f1ca08377671891eab2e7fd1bad29e129985b386e1486b543767b2721

    • SHA512

      3de0a84ed28f1d86273fa5a82ba464e4c4c023d334fdf2a22bd21922e1083b8877827adfea963e772e58c268f88632ce513c6d7881ac71f1b478fb3df530b907

    • SSDEEP

      6144:Kny+bnr+sp0yN90QETqTMCUajkkQ4sdeBCwcVPCJHNmPm3b23q:9Mr8y905qo8AgsqcV6Jmmp

    Score
    10/10
    amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral14

    • Target

      babd836631e288a3898e6b871ded792269de5c0014085887296a642d03a14d1d

    • Size

      514KB

    • MD5

      0ac62c0d23be9b2b0411eaacea43446d

    • SHA1

      bcdb0f062db7feee2ade7f8b39e456b1e8484ef1

    • SHA256

      babd836631e288a3898e6b871ded792269de5c0014085887296a642d03a14d1d

    • SHA512

      4d4fe35e5af3fb310430534c51e23c045f5179c4bc0a265923847ddae2f668c1b2f7b5a78b8f0cb420d07519b47356fd9eb79d6f9f2251fe7ef79045237be0db

    • SSDEEP

      12288:hMrry90Ur1Cc6vD8ZF1dRzBzgsGC9CaRcEixn55HgC:WyRscyPsWn/

    Score
    10/10
    amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48

    • Size

      983KB

    • MD5

      0f5dcf244539e44929a29fdc2bee6cf0

    • SHA1

      d12c4a1527a6910e0f45e5d61c3f0f027cd65892

    • SHA256

      cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48

    • SHA512

      34b382df4ab8246c87c8a49acf7f37b33ed252c75b94fe47db7699ad20906abbd42b58ce953a5547da064b5fe93c38eab8d64299f85f99706cb8154af039a0fa

    • SSDEEP

      12288:dN53wXdk+4w8ea9YVhYu48bkEXjTvrVbJWekouloWnxfKuXl/DeeQA:dN5edk+4wv+YVhYu4rCTvhFanR3XlCm

    Score
    10/10
    redline5195552529discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral16behavioral17

    • Target

      d134576ca7416e71db7bd5aad43296de284dd20154fd0784d9bf45d27603fc48

    • Size

      390KB

    • MD5

      0ee61794cf7e5502cf233be168d461d4

    • SHA1

      eaaa82aad6309480ea83e8ce6bc8ce19f52e3bbd

    • SHA256

      d134576ca7416e71db7bd5aad43296de284dd20154fd0784d9bf45d27603fc48

    • SHA512

      4dcf9ede6cdde27077aabcff5f8085d86691d8d76bb4166e741d0c5ad70fffbeb4dfd3fb8b9e4a57b859de70e3b6148b508920a229ed726e2b595a7e1f334575

    • SSDEEP

      6144:K4y+bnr+Mp0yN90QEQw4t9gTwevTqZFJTTSCDW7fqgfjr7f:oMrsy90z4t96TqrJzD49rD

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral18

    • Target

      da09729d570cd93ed61c515d8407a5f4b201aca65e870a52b3082a39645d32e8

    • Size

      517KB

    • MD5

      0a0496a64597ed2a279826f1f99e8b80

    • SHA1

      a56286aca00d98cc6dd17e0a0ca0776d270f6934

    • SHA256

      da09729d570cd93ed61c515d8407a5f4b201aca65e870a52b3082a39645d32e8

    • SHA512

      f6d434ff7fe88438c872da5c09771f2bc4c3d6dfa3027cdeea95f5b357fe722bc9c197921ee929bb21651e3678dc30c606c5474ae3571178ea9613f3abf64e4b

    • SSDEEP

      12288:XMrny90SGsys5qsuyfEBsRv9isNkG+Oce:Yy99XuysQjuFOce

    Score
    10/10
    amadeyhealerredlinepapikdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral19

    • Target

      dcfab037f7269dd60bc810f260b86d7331030c746f879fa94f4b6bf922ae96a0

    • Size

      390KB

    • MD5

      0a95874b2a8162c0b6b4ce17301f8305

    • SHA1

      382fba3d10bfb1ee65a9392c0927aadccedf51f1

    • SHA256

      dcfab037f7269dd60bc810f260b86d7331030c746f879fa94f4b6bf922ae96a0

    • SHA512

      448a75c424f9d1b068a2df1df6a70ecc1a87bf34109e3c4ba977180344564e96aa9c542e9ed2fb1408944b28f71f99cd001ea5e3ca5a28ecbe53f02e88b3c59b

    • SSDEEP

      6144:K6y+bnr+2p0yN90QE+kwYCLqDGN01RODsqLf1LLPZfJHw9CcHnlRHYX34gba/:iMrmy90bewGNGROfL1LLpJHtcHnl9C2

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral20

    • Target

      eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f

    • Size

      856KB

    • MD5

      102cc57cf59a9b99f5615c58ba8ae4a2

    • SHA1

      0e92c89813cae891a354a5feea121b2aad6d77ab

    • SHA256

      eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f

    • SHA512

      7d1cab053e2b8aa3b66f866f3beff4241c85fc9d17ee6b1f7b8b1c6964b7aca133cf2ae080feb91e0b82f304d45f2556d88e072274bf17bb7cc479d3744c2409

    • SSDEEP

      12288:6MrMy90GsPfX7+uwEvNGQdJ6HpKFKeVNxsZMQDkbQFUoSCfd07Cw:+yqL+ubvUQyHkFKaxsZZugRw

    Score
    10/10
    redlinekirainfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral21

    • Target

      f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1

    • Size

      920KB

    • MD5

      0bba6c5a8b9979a2241f1450ba08acac

    • SHA1

      823b3a858ce440a6b30ca707db2a28ef5596fdff

    • SHA256

      f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1

    • SHA512

      8d23fc817ef2cb576610036221c22b4b7ab5697dad617de7bc6f656619e9764f9f126db0e02a2a79d7a55d2bdcca68477f77660d789d9676d7750aaa0692167c

    • SSDEEP

      12288:+Mr9y90+HbQau2ZVqMaLa1SZpRgJf+X+dPWgI8Fitq2UudtD79LEN6nt1S:7ydcoVY8SZp6JfRPHvFujZwN6na

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral22

    • Target

      f5957f382ef0f17bbf1d83cc0b5d4f133ae56c9c5a3101548b66b2462dbe9b6a

    • Size

      390KB

    • MD5

      0eb1fbc2d5ee4ff34ade8b4c2253e955

    • SHA1

      ab76633544a01eea4234f73c227c439ca8749eee

    • SHA256

      f5957f382ef0f17bbf1d83cc0b5d4f133ae56c9c5a3101548b66b2462dbe9b6a

    • SHA512

      f0548458151c70d6abdda3e15d88c3dc5acc3cc3bbc10d0c2168a9166895217541a125f31d4810ed27e270199b1834330b8e7f0d2d5896300c10dd4b742d23c7

    • SSDEEP

      6144:K6y+bnr+vp0yN90QEXDpy8+SzJ8b9UVB4pAj03UzOPE5iVWhM0ZihJ115sS:WMr7y909fb8b2bBQUcsiiM6uJ1/

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral23

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

redlinekirainfostealerpersistence
Score
10/10

behavioral3

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

Score
3/10

behavioral5

lummastealer
Score
10/10

behavioral6

amadeyhealerredlinesmokeloaderpapikbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral9

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

amadeyhealerredlinesmokeloaderromabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral11

Score
3/10

behavioral12

redlinezgratdiscoveryinfostealerratspywarestealer
Score
10/10

behavioral13

healerredlinerosndropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral14

amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan
Score
10/10

behavioral15

amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral16

Score
3/10

behavioral17

redline5195552529discoveryinfostealerspywarestealer
Score
10/10

behavioral18

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral19

amadeyhealerredlinepapikdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral20

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral21

redlinekirainfostealerpersistence
Score
10/10

behavioral22

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral23

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10