General

  • Target

    r1.zip

  • Size

    10.3MB

  • Sample

    240509-sbvaysaf32

  • MD5

    b7513d4183ecdd60da32b7576bb15499

  • SHA1

    c5a1f583fac59884e42c3cbd378d37f680d45fbb

  • SHA256

    c6ac7038f2b8acf3787a19170444be1ee943b1eebbf70e6d74758b47c73c4ab8

  • SHA512

    db6aeedcd282ebd20ff44d6bffe1357d6b3f0e52696c70d9a636a6f5b890dadf69d0892f54095c13ad9b5fc0879f72d8ca3c0fffded56dcf253d612b80251f68

  • SSDEEP

    196608:HvFvvmpK96sD3Xghs1k0C69qBLJXSKMQWJ1MSsJMmHD+8YXJ3xyYgxHL+e:7QwXrhoBgQWJ1SJMmS8YXJxyYgxr+e

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

@WinBinLow

C2

45.9.74.149:48852

Attributes
  • auth_value

    f7d8268222997f5a0b2fde81e0514f51

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

redline

Botnet

581694481

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/KE5Mft0T

Targets

    • Target

      036028e38619a2b41891058cbbec38bbd4ebcfca4ce732fb7db9ad8f372c62a7

    • Size

      390KB

    • MD5

      3c37601b22fd9a0a2a2b8292dbf7d939

    • SHA1

      04e36bfd794fb057f974ff87af40da195812f3ff

    • SHA256

      036028e38619a2b41891058cbbec38bbd4ebcfca4ce732fb7db9ad8f372c62a7

    • SHA512

      e9539f61a9343c93123cc8877b3362d8837bcc78903d5dbe524460e49943b7df8451ae0d0785ded0c0bd8dc6e221aecfdf3c236adbb393003eed4674153e8759

    • SSDEEP

      6144:Kzy+bnr+ip0yN90QEWXOmWct9LTwWXJRjUQYoB2rEb8NVKsF3rE3:ZMrGy90UXRrt9nbvJBYCo3K

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0f5fae471624fdc2019d0988b658e0832f13a78b6b310cc8c3c1314c3e0c9f8d

    • Size

      1.2MB

    • MD5

      3addd1da95cacaab48c74e7787e6bc9b

    • SHA1

      ee33af7f80b3af72bd876610855d990fe757ba32

    • SHA256

      0f5fae471624fdc2019d0988b658e0832f13a78b6b310cc8c3c1314c3e0c9f8d

    • SHA512

      7797f245be9fc0c1140a2b57ef568065638db688479c42241d11efa7654120a18afb7f0b15dcf040d3463637bf5275248b2d5ce75edeef5de1dd9dc74f49ec60

    • SSDEEP

      24576:GyBVRwC3In5QtVwW0AlvMvuLnS7D+H3Hv:GYRIn5QtVwW0AeinUaXv

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      1998a377c7bb1ac8d7d9ef4fdd72c4bc6479d87263d40908ca9ea76e5f8f2011

    • Size

      989KB

    • MD5

      3c50d977f47d3c9b4d9a0fb9e62b20b6

    • SHA1

      744f98ec0a9bc23236ce1baa143bbc259afead77

    • SHA256

      1998a377c7bb1ac8d7d9ef4fdd72c4bc6479d87263d40908ca9ea76e5f8f2011

    • SHA512

      78d8a2af91556548a788ac10c50d2d7483f88c8233469dc565e9fd514e08445539a947999892eb486278b4d424d5a049dacd9dbbdf77dfdfda26e4e0f7f3f349

    • SSDEEP

      12288:78pKXIOOVTcldbSBDvIY3Mbw8xiMA2aCLolxjBOTmuOZiUVxQMb12:QpKXNOVTcl8BDvIY3wwIaLfOUVxQ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      1b624e343d222ec9333b85d3af29b913b42ba3196fcb192f618e87ec4afa8855

    • Size

      389KB

    • MD5

      fd521013454248e86a636512dbe3d338

    • SHA1

      2c2b97dee16c2d7ced7d76ce594e03270ecb9e8d

    • SHA256

      1b624e343d222ec9333b85d3af29b913b42ba3196fcb192f618e87ec4afa8855

    • SHA512

      24d919b6d86e34a0cf3c2d5890af0109e95cbc65d05b9647895fc3db2cb4d9a8fc340a19b97bc1c66eb74d596f183a274ee868717e3166157385e4a3132b03be

    • SSDEEP

      6144:KCy+bnr+Sp0yN90QEnJi2omMch2DFto8CKsEIxqySgBZ+t4eDCpUDozUP:+Mrey90NJ7omMFFt+KiAgBYCe2pkozo

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2b559f1c510907c1a260b6482b36dce3ba603f08fd80d98ee793787a12104d29

    • Size

      1.7MB

    • MD5

      39f8521dd657ab5aaae4d2c76202614b

    • SHA1

      155a43d23930b1b7ccb1e7f0ec560063d8b5bd0d

    • SHA256

      2b559f1c510907c1a260b6482b36dce3ba603f08fd80d98ee793787a12104d29

    • SHA512

      6d312b975fee87af2f9e2f7a5f47db421e8d1074c74e730bd834ce8605aba80fa2174e17658ba501747c2e4f1007f93b41428fb6827c485269b61ba19718f773

    • SSDEEP

      24576:Xy40POuk6AxshWoadVb7uEla50CTd9Zijzers8QScFfv2LO5RM1u9773VaVAR3:i40POyWBd7uEl5Yd6+gRd2LyRZ9daU

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f

    • Size

      315KB

    • MD5

      3d4c73f2d10c4ea03e9f55af41a02d7f

    • SHA1

      e9f70b120dbab724b88c37161e5df5d8607d7500

    • SHA256

      2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f

    • SHA512

      05122b99c10edc0ea4b69f471daf0ce182268d505166e05a69757016f7f87b5e031911c8efd0e6722691b236df5bf2bef74f7a315d9c6c2c6d1e363bf9d98f27

    • SSDEEP

      6144:rI9pI60nbM8uPZy3+8KID2YuDUtMXVgbhAZdxldn+kXHS:s9+60nbnuNYV2glAnjJZHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      52d5102aa94d913408cacb8480a5007f4757bac252d6379b467616eb62442eea

    • Size

      274KB

    • MD5

      3b2f6dcd799e06d8804c55bc9128b9f4

    • SHA1

      67bfd5573dc98910ab128d825d92c16fa29c48c8

    • SHA256

      52d5102aa94d913408cacb8480a5007f4757bac252d6379b467616eb62442eea

    • SHA512

      05db7c5138366ff685398a45be1fab7bfec70967f116babb1ebbdc15a112cb28964efa7ba614b9d9cc76dedddf4974d057432bc5b1882e1379c426db930a521c

    • SSDEEP

      6144:0JeaoQWhlmgE5pdj7yKUtYowTgEd71anT7fxwp/:ceaZpp57yKuY5TgO4T+p/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      536536221030ca60a298f443a202be11047ecd20614f20fb85ec8e3b3915e013

    • Size

      390KB

    • MD5

      3bc5b2426cd5cab7c9ca7e5737d6d7c8

    • SHA1

      8fae227b631bd835a2fcb586a104949bb6759045

    • SHA256

      536536221030ca60a298f443a202be11047ecd20614f20fb85ec8e3b3915e013

    • SHA512

      1931cb86b9aac7a3cd519b357df7cab9907e1c7cbdc3dd13e9366ed01cf1420e450ed56b4813754e3d6c91c21ee1eb53bfe628f9fa99f4b9925bdf3246f9da75

    • SSDEEP

      6144:Kdy+bnr+4p0yN90QEfWPhKGKoAptKI8B5qf03QyCFcmRQoIe0lfrmkzOScRIvN:zMrky90xWPMpgIb0gyCFcpTeIPLvN

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      5460a1d2c84823a33909daab1fdc811ef8902f88377e1cf46112a9d0cdce6e37

    • Size

      278KB

    • MD5

      380a33366b16a0894082c78984ba8345

    • SHA1

      9ae5f79b7bdc0d1a1141c5a9d318fe8680149e14

    • SHA256

      5460a1d2c84823a33909daab1fdc811ef8902f88377e1cf46112a9d0cdce6e37

    • SHA512

      81cd5aaec512b832e69f071c62339578b1c8ec5170962887899f5164ff3c236275e71c63708c1083872c536b8e80ca5057c3f011b556994993c72faf6bb0cac6

    • SSDEEP

      6144:oA4BeDwJ7SRiJVN2FdyxSDQdMP5cIieWIJQjTWuo:oA+z2Xyx7TA

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Target

      69b4a9447365c1cc607cb7e8de4957fcb1ce9841892d9533740403ef7e5af76c

    • Size

      389KB

    • MD5

      37e149c79f6c343a6e5e070bae845e45

    • SHA1

      fa31552438049bc5ac502c437a18a522e693c644

    • SHA256

      69b4a9447365c1cc607cb7e8de4957fcb1ce9841892d9533740403ef7e5af76c

    • SHA512

      55c547884baba9d02f7a87db9863c027aa23d880d1829e3c043bb91482b152f5c9e1dd9b4b54eb3dba86d3ea59d4e180eac5e43260827b1543685522f6e9e556

    • SSDEEP

      12288:tMrcy90kZOXq38EVpLdCLA9sgBYChe8WkPObqU:1y3OO82pL4LAxzToV

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7b7ce936fd017fb3d3de8552a69b50012fdf9778cf317ec09212df4830d993c9

    • Size

      390KB

    • MD5

      3878b03638487d7fcda504b7b6112f6e

    • SHA1

      62a91750f680cce74a674c1188230b30a9c8284e

    • SHA256

      7b7ce936fd017fb3d3de8552a69b50012fdf9778cf317ec09212df4830d993c9

    • SHA512

      b5b7e76d64b969687670e23030ebcc39a9b50c893268670f93c0dd923d3e4e9c3e224b80c6e1ba15419fdee4bdf0720104d2559466e60d88947addc3ec221aaf

    • SSDEEP

      12288:cMrTy90xzhDbGx71diTJXu8RXxZm+a+LfafLIpD:fyOzJGQVxg+aU7Z

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      82e326156adec2026e8e0aa855442e0ad0ba79d30fd32edc514718586f8c6f5b

    • Size

      514KB

    • MD5

      1d8e6325e62c7e65a61ec67d8ea49618

    • SHA1

      657be0925f4484192570d53b0116a1913ab7b622

    • SHA256

      82e326156adec2026e8e0aa855442e0ad0ba79d30fd32edc514718586f8c6f5b

    • SHA512

      5d64781b3050c1d326f4bac79691d7a83b90b82a9ed7ee38752e1b00d630710076a5d2f6e17f73606dca07bc591607fbf217c2587628ea572e5a03e879028059

    • SSDEEP

      6144:KDy+bnr+Hp0yN90QENzWrc1tGtu75jZYTWZjRHY6r4zivicXRAhzb1d5J9yvzwDG:lMrny90/gcjGUVamaifBs/YvHXDeO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f

    • Size

      768KB

    • MD5

      39bf80eb44acf1a81fada3d27fc3d228

    • SHA1

      ab1b7c12d61733d2ff88c01c76fff9d8bdd15b0e

    • SHA256

      82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f

    • SHA512

      726d3d9f8990f6e0ad6d00d35dfb69d316bfe474a94bb429cb34a580b86c7e3750bcb0d05e6bb0731efea28123beb399da4d2d492351a9f275165d45f6a47096

    • SSDEEP

      24576:XyHqqDah9D/bplKzYEkXOsb/xnZIuPhG:iKqSD/bHOYEM/ZiuZ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9b8496e95efc2095012f46230bd3642a47e89c4a73886f41db8e991f7fa863b6

    • Size

      642KB

    • MD5

      39da6d62eb04b947ef0c3b289cd76848

    • SHA1

      6fe12aecd3b54b2713c067bd1654977eca28c0b6

    • SHA256

      9b8496e95efc2095012f46230bd3642a47e89c4a73886f41db8e991f7fa863b6

    • SHA512

      ca056e94c745c20cd74978d38373a9f366c2083fc1955066f037cdf6f514e1fbb5b8e2b08c04416ab79340c00f48144afc779bcad17bd3f15062860d160aadf9

    • SSDEEP

      12288:zMrjy902S1PSTBNhq3yjD2NS6Gf2Lt7qYEvae+0/PRUnioKyNh7P6:EyGPy0ijD2lG+9qYEvx/ZUjHNhO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b21367ffaa0009b30055944fc1052857ec46336d5bfe2efd3dab109667a56fef

    • Size

      1.0MB

    • MD5

      fcec5bd6e991dabef70f77e08e42bccd

    • SHA1

      3ae3b13a9757d327ed4227102d5b0b54712f19d4

    • SHA256

      b21367ffaa0009b30055944fc1052857ec46336d5bfe2efd3dab109667a56fef

    • SHA512

      59a2d1cc2576e55beff18f52573b6ac7baae8839dbbf536d5126f88d873375ebb9bb287606021e9c3c14533b004bde6bc3e28511fa646ef65cafabe6fdd4573b

    • SSDEEP

      24576:PyvzwYJvJY4834KiT25Y/fUlpyY4yWvHIPnpAOD6FA7dZJ7Rj:arwamDIn2i38WPIpDzR

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bd06bfc2696394e32e12dc7d9c3585842b78bfbdc24f4157679058145abb22a3

    • Size

      390KB

    • MD5

      3a4cea3fc66e9b3d9560878ba1663cd9

    • SHA1

      591d5bef008232bbf43c90708e23f8d8e4eb2f22

    • SHA256

      bd06bfc2696394e32e12dc7d9c3585842b78bfbdc24f4157679058145abb22a3

    • SHA512

      701af6e157e20e8dbab2b81225a4895a3bbf2e5f6c2450e6d0b39b2d54203905f0d565ee59563746ea10fd3ef14dbd9348dc559f3bac600d295fbef27a83e2c0

    • SSDEEP

      12288:HMrCy90LK3WNWBSPa46LcHnl9nZF4rQKL:hywyYzHNF4TL

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d191282ff466919a5feb6c8682f696332eded6dd8747d336fe16593c6ea96f7a

    • Size

      390KB

    • MD5

      fc8a749534902b784a021ba891b2de71

    • SHA1

      824c3750ef168c3eab90a5761864157f47ec971c

    • SHA256

      d191282ff466919a5feb6c8682f696332eded6dd8747d336fe16593c6ea96f7a

    • SHA512

      26c9096fccc01a9c74f1a380a9d4052843711502d5da32d4a3c371f98b7abb3abf7905e08c94c4f8c717949950d0320cb3457cb615b9b6e085cbe8cf070e2769

    • SSDEEP

      6144:K7y+bnr+7p0yN90QE++Xq2qkWcnZNbQR5mbZvdLFhJauS7BfbCcHnlRHGb4kXyG:hMrry907a2RdL3AuWOcHnl9z0+Ei

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d77888ac75d20228b7b7d9e6605425cfb9f51ecf0f39863b19981b1598b3a57b

    • Size

      924KB

    • MD5

      39ebcf56ab4b2fb98a2e2590c5a5a588

    • SHA1

      90ef0140fb2cd50c8f3f507ec061532252882acb

    • SHA256

      d77888ac75d20228b7b7d9e6605425cfb9f51ecf0f39863b19981b1598b3a57b

    • SHA512

      c596ee775a66fffe2df60c2cc909f89e71b2c6d95fba57ca78ed5a13c962b2520b6e8460ddc9f3ca0e6cb8b9e5cde134ed157f0a9ec39cbfe13c2d7bb62149ff

    • SSDEEP

      24576:OylPVB7/z8r9NKS/rdlEGOapBK/Aoa2ZLZP:dlHopNKSjkapoFa4t

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ef11bf7b35a28054917643092a94f68ccdbc57cd68005df66e6d81a0d2d012d4

    • Size

      389KB

    • MD5

      3acf2e92c0625f14957b8bba85a5a133

    • SHA1

      519645e11407ed3991cf6501314ea5d8cd4e7a64

    • SHA256

      ef11bf7b35a28054917643092a94f68ccdbc57cd68005df66e6d81a0d2d012d4

    • SHA512

      e181da02b0e85eb7362d0528e5f2da52140b607e44c0f01bf5f772e80992c4fe396d1aaab512e1fb57f7cd54258488a8bd00386ab23b57b932c8d1259dc000b9

    • SSDEEP

      6144:K+y+bnr+lp0yN90QEUO/bqnT1boVBqmroo3FgmF32GBzHPIRUMjRDDQdf:uMrty907zqT0BtUqoAIRUMjRwdf

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f0d33c78b4822415ef8b626889ef19e5538cc85e78b11afdd7a1e3aa9b84b8aa

    • Size

      919KB

    • MD5

      393d6bd3d722abd31114cf500a6d31f5

    • SHA1

      027ab7af8553f0a73e95d6c9c8ddeb0e12af8965

    • SHA256

      f0d33c78b4822415ef8b626889ef19e5538cc85e78b11afdd7a1e3aa9b84b8aa

    • SHA512

      d97c315bd1aadb8f209099532d1d84265c305b7a0217dbbc172104c34be32d6a17d3473cfd89a44985d639e3e14bc723a3726b44fb857ab45120fc13feeac903

    • SSDEEP

      24576:fyp+BYZ6J6nTHME00k7UjgA69JsKL0AI6bnscKUph5E:qpZsJAH87UjOHaonsrUP5

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

Score
3/10

behavioral3

lumma, stealer
Score
10/10

behavioral4

Score
3/10

behavioral5

redline, 581694481, discovery, infostealer, spyware, stealer
Score
10/10

behavioral6

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral7

amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan
Score
10/10

behavioral8

Score
3/10

behavioral9

redline, 5345987420, discovery, infostealer
Score
10/10

behavioral10

Score
3/10

behavioral11

redline, 5637482599, discovery, infostealer, spyware, stealer
Score
10/10

behavioral12

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral13

redline, @winbinlow, infostealer
Score
10/10

behavioral14

redline, @winbinlow, infostealer
Score
10/10

behavioral15

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral16

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral17

amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral18

redline, lamp, infostealer, persistence
Score
10/10

behavioral19

amadey, healer, redline, smokeloader, papik, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral20

redline, diza, infostealer, persistence
Score
10/10

behavioral21

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral22

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral23

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral24

healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral25

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10