General

  • Target

    red.zip

  • Size

    12.5MB

  • Sample

    240509-v5751shb35

  • MD5

    01fd7df1d4456c4e3ed527280f788a2c

  • SHA1

    a06563da40186d19a5e469ad11b4201600766362

  • SHA256

    57a34a1caae7f0426b32bc71b73785f820451c97d3c5db368da479183b037629

  • SHA512

    1abb43133ab9e885b6134d829198fe345f70144b3746811bbf1e9519d3af9e9fd6a9328c786b524fe9bace375e3037d0162a2ad249dbc643ea39a6d46fe6a52a

  • SSDEEP

    393216:dWbnRhwUmK4kL7V2UO3Z0mP5WCTfa4l2F0:dWbR/mK4kL7VdO3ZL5b

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

Version

9.5

Botnet

3c43beec65deb206d81f3c6b8d956f18

C2

https://steamcommunity.com/profiles/76561199681720597

https://t.me/talmatin

Attributes
  • profile_id_v2

    3c43beec65deb206d81f3c6b8d956f18

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

lux3

C2

176.123.9.142:14845

Attributes
  • auth_value

    e94dff9a76da90d6b000642c4a52574b

Targets

    • Target

      0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3

    • Size

      1.2MB

    • MD5

      65883b4a8135be962bb33cbe7124a601

    • SHA1

      003fcf5786e5ba85e4947ce59abbadbb9cb22ba4

    • SHA256

      0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3

    • SHA512

      15d57b859eef30a26195aceb39f5cf9544132ad2e887842a88430e4d2582b22891e87502cb741685cf6631de6c8768a74d4822df2aa4a66c9d0625f3ef1b00b9

    • SSDEEP

      24576:PyuI+YFzqAmOH7ZZBGLaEBupcGi7HjvapU66B49AxQml:aGYUAmGBGLduSGSvTJ4I

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a

    • Size

      515KB

    • MD5

      61851f50c158cd9fcc18c48feffee95c

    • SHA1

      f9926f92e902278822d4e8cc96ea0ad60df70fea

    • SHA256

      0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a

    • SHA512

      7ce29f03b9040535c75e9416bc8039f2282b66ba742a0dd2e08e752c4def86c531388cceea134f6da68261a87cfdb1f03544e07d8d6f186d35f8b4ca16348c5c

    • SSDEEP

      12288:AMrry90FXrxLoTcDl8UEJOwXdRVr3qmVRhSNF4+1uRte1:by2b9ccZ8UEJ1NvdA8+sRte1

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651

    • Size

      266KB

    • MD5

      6545f1bc26cb43f4b8f6694ed82ce002

    • SHA1

      f889aa07e40c0c30795948c106c1bf1d0e5cca72

    • SHA256

      3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651

    • SHA512

      835a6d370dee13fb9c4ef888ce52d8d527b42f87e46ff23712e987b29ab4a761620d9d97707a388bba593cffd0d5684ed7b3bd531475b3ff190d8471ecc30ba8

    • SSDEEP

      6144:MY3/ZaVI/DhkEV89HhOcA++srKbqJSCnXjzegz54pdLnW9rAjD:MYvZxdk289H3PrKbqJSCnXjzegz54pdH

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Target

      4590646dc86de08c227e10ecb3a0504d9c0abf060e54eec6a608fcac2fc5600a

    • Size

      390KB

    • MD5

      62f429c5c6e2ab113a26d87e7d2f16e4

    • SHA1

      0c7115f003b6a49315c0acd0aad4cc89d0e092b2

    • SHA256

      4590646dc86de08c227e10ecb3a0504d9c0abf060e54eec6a608fcac2fc5600a

    • SHA512

      8a0fc3daffcb00a722f342b998e557ae37d3bb85e866df029b94327a894839c2654c81c52e999c53d9503db3cb64e6bfd251f1e6ab351995c0575fc914213212

    • SSDEEP

      12288:lMrPy90O3jrML3QBy8vv11djXANDu/XC8:2yPzr1yGNHTANDu/S8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4869031eb83eeff0929b84ddb6a50211c58c3773e9a4c610f1ffe9db5f968b36

    • Size

      1.7MB

    • MD5

      5d694b9a92d53f3a8949051522cd6282

    • SHA1

      f6075cd95c47b88f2f2feb91c3ff752566bb9c9b

    • SHA256

      4869031eb83eeff0929b84ddb6a50211c58c3773e9a4c610f1ffe9db5f968b36

    • SHA512

      a4cebe331b2e83cfbbe2f193827f8bfaf4dd159500da53b929301f3b974a340fa2816d4434f0889cc43ba58f900523fe6a92d514eaca46617ac858b0b84ed44b

    • SSDEEP

      24576:CyqtbxSjIgfo7ivFawf/hozeT13jjM0vXBRzlHNfaYoXQ74HHLIhYc:pqtbxSjIbivFawpgoBjJ3lxkX2Ish

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      60fc18182efb95a4ce4e1849473f7201f8de0caf9716fc85ddf837496b3ff3b7

    • Size

      435KB

    • MD5

      65574cb9beeaff86146f6f2ec8cea86f

    • SHA1

      9ca2c27c6efb5895dd9583ce451cd8fa65f4d5f6

    • SHA256

      60fc18182efb95a4ce4e1849473f7201f8de0caf9716fc85ddf837496b3ff3b7

    • SHA512

      d5119d3a1d2ed3f3f3002c5745595c3bf86d8476563ffae8cd7933e5acf3860e0083decb18f9bfe7a27b463fa68a6eba9f9e05cff5bdbcd9ae112a15a61f57de

    • SSDEEP

      12288:tcY4vLQ+mSA9L9mmzs5CdJ00vYUcYsTHMpH:gEXSAh9mmzWCD0sDcDcH

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Suspicious use of SetThreadContext

    • Target

      67a45559c67180bac6f740ec616b9c74df65b1cb4a48219d705f41d667e2b233

    • Size

      1.5MB

    • MD5

      634f345e2fb17bc841ce205beeda286f

    • SHA1

      d9f43cf541bbd64156c36193206c96db42f47674

    • SHA256

      67a45559c67180bac6f740ec616b9c74df65b1cb4a48219d705f41d667e2b233

    • SHA512

      408f007c13bac39d95d0df340757bbca1e3d56b6c8f95b38f354fc9a8c8a354e4b56e6cd3aca19c70f70afdcdeaa46bb847c18bab61649629d17eaca094ad3c1

    • SSDEEP

      49152:wux1UO1LsM5vIzSyx8jYRogsQ+aV4Qmsad:T5LsMWzSQRogsDaVYd

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      74375fb2d74b7174b1444727d6bd1534918dce2deffdf037cfc3050c20679d83

    • Size

      409KB

    • MD5

      5e32f62d26b4476c6862785b9d6b5db3

    • SHA1

      8fc02bcd0def2535b64690e5a5ad4932bc92a398

    • SHA256

      74375fb2d74b7174b1444727d6bd1534918dce2deffdf037cfc3050c20679d83

    • SHA512

      52a24032e70c00461694e271cd4bbacf0353a4a2c6a8fed15def4fe1fe4f9792dea10a3a4cc9f7c72a0e9e4280220d7ae362fce33703885a1d417979d75f395c

    • SSDEEP

      6144:D0EpI60nbM8uPZy3+8KID4LunuX2Csvo0ZtPZ4mr99uXDgXyXHS:4E+60nbnuPL5X2NVrZhrz8HS

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Suspicious use of SetThreadContext

    • Target

      7c0286554ac9381c9063b805018449ecbbcd29f8ce4cd23f2f0899846f42c802

    • Size

      923KB

    • MD5

      59e3ca8cda0c34785621ce53cbc443f7

    • SHA1

      8c5b70c4b8a48f01470dc1db50bfd40ee04e60e5

    • SHA256

      7c0286554ac9381c9063b805018449ecbbcd29f8ce4cd23f2f0899846f42c802

    • SHA512

      7e33c14d7696fbc2d29c48518a9cfdfbd9a520cc44dfbdefcca4f8bd198b864404fea00837af6cd0e4c739f12c704f113e04b5fbe37493745782b5b471e215ae

    • SSDEEP

      24576:WyN9l2hKmLvK2da6iBraMH9oFh+AjiFZj6vuQkl7:lNvSbja6i4oov7QZj9l

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8

    • Size

      1.2MB

    • MD5

      5bb7562ad2bb2fb122d6d2c40d6a855e

    • SHA1

      0b4b3dfc42ca7de38e8fe6572389409f38f742fb

    • SHA256

      8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8

    • SHA512

      41137bb2030b67d7a6f12b49c2c9a732f5efac08c833f5332194efea2893f1a85cf7425e0620d349e8b2a1f78c3881353ea907468a46e243311aa4b62c1e3a91

    • SSDEEP

      24576:SOtUIXhOon8zlymWH89vv1vBaTnIqlWg9z6W:Swson8zlymWH8tzeIRgUW

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      9048c42abaabca33d5b7af1bcc44359b59b27e5665057af23d6189a59cedd063

    • Size

      274KB

    • MD5

      61027cd0178468508c57ab3fcf4f03dd

    • SHA1

      fb68390075c76430f96d6370cfdaf50c772cd75d

    • SHA256

      9048c42abaabca33d5b7af1bcc44359b59b27e5665057af23d6189a59cedd063

    • SHA512

      c97168850734767f131e3f148b667d51b25ac310a04cf7ecce6754fc576abdb7381af4a3a652db4837bdb5ea667236db74ac07d8dc798983942cb2abdc2428d5

    • SSDEEP

      6144:J49Ac4+AxvS28Pnjq7CKASYWRPoEIDArwLPSwpZ:JsAcDt9XW5oDDArwNpZ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      933ef5632cb9efcfdd066357d6d3cef5ee2fda4fda1ad8e2a5c8fa37a5e983f8

    • Size

      856KB

    • MD5

      5b558774d4486b26e57bbc6e4ac6b57f

    • SHA1

      856138aaa324d4a461e2712e661c718e8f3aae78

    • SHA256

      933ef5632cb9efcfdd066357d6d3cef5ee2fda4fda1ad8e2a5c8fa37a5e983f8

    • SHA512

      aee207127b0d6fe63a3411d7c56b595dfadbe406e8814ab8540785d62d7b118ed967fd37dcb8d574671fa6a4370014c7a098aa111432c67473e30c693f271e2c

    • SSDEEP

      24576:Py+skW5QXO0H7qvspKkkrRh8tfi/Dpy0LHOz:aPZ0O0H7EkkrD8t6UC

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      aa2355d799779408d9b50fa6ad3975c9eca4e30aa4405d6a01bf647c7c688db1

    • Size

      1.3MB

    • MD5

      63d35dad49cabfe3e9b19406072d0cf2

    • SHA1

      57651073be30963ce25b2a773714cf4f04b1437f

    • SHA256

      aa2355d799779408d9b50fa6ad3975c9eca4e30aa4405d6a01bf647c7c688db1

    • SHA512

      599f713aec7eb928c4a93e4e520b3db2acd594cc1be2028e35ab26592323bdd487766d402c22d1cfac6bbea38a9a3b67567f8c0aa38e095c90236b69eb331054

    • SSDEEP

      24576:UIh8NUuIoPwItf8+2JnvnNY5d8NBDra9hUK:UKJoPwItf8+2JfcK+9hb

    Score
    10/10
    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Suspicious use of SetThreadContext

    • Target

      ac1a51983828d30d00c76912304628e7ad96b59348ac9377cf93c8f7c058dc39

    • Size

      514KB

    • MD5

      59fb589e90a00ec0ccf1612f0dc2781c

    • SHA1

      017a2f2c15e968b8c5ea36c9a853d5d77919fb82

    • SHA256

      ac1a51983828d30d00c76912304628e7ad96b59348ac9377cf93c8f7c058dc39

    • SHA512

      3ab6ec4e8e968c478404f8a926e20d0ba1f1d223374358e048a8ac9b68148937d775679c3c2bd736409e604556a63620e30b4cf386b0f4eb6fe421602dd38f65

    • SSDEEP

      12288:XMrHy90WBtd2hKp4mL7wQpgp0PkOV3q3RcSWjjXeJoGTvq:QypBtwhK1w308o3KSfPqoGbq

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b8d6d40ceb8eb4629f70f1a83e6e09e52da0cfffaf3354a4bdd9dcef75240adc

    • Size

      390KB

    • MD5

      59c9b460225451cbb1e45e47c334d898

    • SHA1

      54a8b11936bac1643aa7f06ef981198841b2456c

    • SHA256

      b8d6d40ceb8eb4629f70f1a83e6e09e52da0cfffaf3354a4bdd9dcef75240adc

    • SHA512

      9160a2a02fe74967684d58d44e7c0aae87f020804200a156340c770a851f04a5f0c3fae1cc1c898696e2985da3afe3bff7a2a2008ae0c743c024add26bfd9532

    • SSDEEP

      12288:UMrky902VVmcIyVW9JeVis3VQCrrnEpM:AytVlVGJeVisypM

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c1b16d8ddb22e16efecfa0c8e36f2388f5a13885f7633da10e0c7dbc1823f505

    • Size

      390KB

    • MD5

      65bd764de0a2de7ba43d8e3d73e162e6

    • SHA1

      08285f8d1d2f31557959b1f302c7641b2cecf9fb

    • SHA256

      c1b16d8ddb22e16efecfa0c8e36f2388f5a13885f7633da10e0c7dbc1823f505

    • SHA512

      0871cfeaa3bdff0770578f3fc5ca322379b2d19dc1100026c93a10b6ce286d61668664f2e11a4dac8d91d21242e701dc73f63d836a36428b8c74bf58dc447b7b

    • SSDEEP

      6144:Kly+bnr+2p0yN90QEq08pRS/JM214DJbgSWpmo9SemeD3kksy4TAvUui:zMryy90IRjSeFgNDUfJU8ui

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e

    • Size

      768KB

    • MD5

      6029b53a99c95c89f05348134130ef59

    • SHA1

      8bed0b5da45422d839446df8f87dec514b88b848

    • SHA256

      cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e

    • SHA512

      40d170992d9663f56577d2f75d609600c25d001bc7bea2854016da37f0e4020cada096c623e47dd3315d797c65d762ad181c604e659c61a03942c10745c6de76

    • SSDEEP

      12288:1MrOy90ds4JKIlZCuYpzqJ8x0KfiaI/e1lDsyCPLVD+trmFGEkh4aWF:LyAkgC0pKVIIDUPhCtrmFk4RF

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      edcd11e45efed930a5a9563c77aa25c91d52061edd71739f3b01b63568f9d706

    • Size

      1.5MB

    • MD5

      606fbe646ebb4df5c3f5b54e46c0fdf1

    • SHA1

      8ff94dd2d2164452af6a4b3dcc070b3d83df1a08

    • SHA256

      edcd11e45efed930a5a9563c77aa25c91d52061edd71739f3b01b63568f9d706

    • SHA512

      a3d7c5481f3f5cf1a239b6c448a608868faec6801b098f4d5c922cbbd544b7b7e1751922f9ed2b395d33983886a60e4793cd1a0db507664fa00ec99182153379

    • SSDEEP

      49152:7ir0XAypplkMlIMLZ3RqJfPoH3SRm0QIrbQX:G0XAyJEMLZI4H3ADf

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      fa3e1431975485964a90b92bb444c1ca0520a5e2b03b1d0b14d263f8802620a1

    • Size

      390KB

    • MD5

      5ed7643e177a74fc803f8b2ca8febbba

    • SHA1

      2b8d2f5e2d3d1e302e941b0d3e47d9c91be060a0

    • SHA256

      fa3e1431975485964a90b92bb444c1ca0520a5e2b03b1d0b14d263f8802620a1

    • SHA512

      d23d0d7ecda5f7f592802e8c3ab86c62b4dafd8f137a1c31ed7f55c196773a3030daf6de44d239287f6d405e8173baa139d15122903a411223c6cd1fa8a8eefd

    • SSDEEP

      6144:KGy+bnr+4p0yN90QEMlBZAAZFvL4ja8Ofm2qSPyyR1aBm3QpsEK08KAN40:CMr4y90qXZ/4jOe2qSPFR1aux08KAC0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
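
Detection logic for two behaviours that recur across the targets above, "Modifies Windows Defender Real-time Protection settings" and "Adds Run key to start application", run over constructed registry-value-set events in the shape of Sysmon Event ID 13. This is an added example, not the sandbox's own signature code: the event field names, the Temp location of the dropped Amadey binary (the report only gives install_dir and install_file), the SID and the two benign control events are assumptions.

```python
import re

# Value names under the Defender Real-Time Protection policy key whose
# DWORD 1 turns a protection component off; Healer-style droppers set these.
DEFENDER_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY_RE = re.compile(
    r"\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\([^\\]+)$",
    re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$",
    re.IGNORECASE)
# User-writable staging directories where dropped payloads usually land.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%", re.IGNORECASE)
DWORD_ONE = "DWORD (0x00000001)"  # Sysmon's rendering of a REG_DWORD value of 1


def detect(event):
    """Return (rule, detail) for a matching registry-value-set event, else None."""
    target, details, image = event["TargetObject"], event["Details"], event["Image"]
    m = RTP_KEY_RE.search(target)
    if m and m.group(1) in DEFENDER_DISABLE_VALUES and details == DWORD_ONE:
        return "defender_rtp_disabled", f"{m.group(1)}=1 set by {image}"
    m = RUN_KEY_RE.search(target)
    if m and TEMP_DIR_RE.search(details):
        # Persistence pointing at a Temp path is the dropper pattern seen here;
        # Run values pointing elsewhere are left to lower-priority review.
        return "run_key_temp_payload", f"Run value {m.group(1)!r} -> {details}"
    return None


def scan(events):
    """Apply detect() to every event and return the hits in order."""
    return [hit for hit in map(detect, events) if hit]


# Constructed events in the shape of Sysmon Event ID 13 (value set). The
# directory 925e7e99c5 and file pdates.exe come from the Amadey config above;
# the Temp location, the SID and the benign control events are assumptions.
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\AppData\Local\Temp\healer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\svchost.exe",  # benign: value set back to 0
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\925e7e99c5\pdates.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\pdates.exe",
     "Details": r"C:\Users\user\AppData\Local\Temp\925e7e99c5\pdates.exe"},
    {"Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",  # benign Run entry
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The Defender rule keys on the value being set to 1, so a policy refresh that writes 0 does not fire; the Run-key rule keys on the target path rather than the value name, because the names the droppers here choose (pdates.exe, danke.exe) are per-build and not worth signaturing.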

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral2

amadey healer redline smokeloader krast backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral3

redline lux3 infostealer
Score
10/10

behavioral4

redline lux3 infostealer
Score
10/10

behavioral5

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral6

amadey healer smokeloader backdoor dropper evasion persistence trojan
Score
10/10

behavioral7

Score
3/10

behavioral8

redline zgrat infostealer rat
Score
10/10

behavioral9

healer redline masha dropper evasion infostealer persistence trojan
Score
10/10

behavioral10

Score
3/10

behavioral11

stealc vidar 3c43beec65deb206d81f3c6b8d956f18 stealer
Score
10/10

behavioral12

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral13

Score
3/10

behavioral14

lumma stealer
Score
10/10

behavioral15

Score
3/10

behavioral16

redline 5345987420 discovery infostealer
Score
10/10

behavioral17

redline kira infostealer persistence
Score
10/10

behavioral18

Score
3/10

behavioral19

rhadamanthys stealer
Score
10/10

behavioral20

amadey healer redline smokeloader lande backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral21

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral22

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral23

redline lamp infostealer persistence
Score
10/10

behavioral24

healer redline masha dropper evasion infostealer persistence trojan
Score
10/10

behavioral25

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10