Overview

overview

10

Static

static

3

05a0748d48...c0.exe

windows7-x64

3

05a0748d48...c0.exe

windows10-2004-x64

10

16b83c8926...86.exe

windows10-2004-x64

10

1e756c3dd2...17.exe

windows10-2004-x64

10

2d35abe32a...2d.exe

windows10-2004-x64

10

3754d1115a...68.exe

windows10-2004-x64

10

489287cb76...28.exe

windows10-2004-x64

10

4a64601cda...bb.exe

windows10-2004-x64

10

4f57ecadcb...56.exe

windows10-2004-x64

10

678b5c88fa...33.exe

windows10-2004-x64

10

6ade339142...e8.exe

windows7-x64

3

6ade339142...e8.exe

windows10-2004-x64

10

6e1ca7d8d7...d7.exe

windows10-2004-x64

10

7a398dd87e...55.exe

windows10-2004-x64

10

806347c33e...f1.exe

windows10-2004-x64

10

853890cb43...68.exe

windows10-2004-x64

10

85f2f1ff9e...04.exe

windows10-2004-x64

10

8ea62cf585...13.exe

windows7-x64

3

8ea62cf585...13.exe

windows10-2004-x64

10

af1379c2cb...5d.exe

windows10-2004-x64

10

b22005984d...40.exe

windows10-2004-x64

10

b567e2a99f...c5.exe

windows10-2004-x64

10

f8896ca2a9...6f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    red.zip

  • Size

    9.9MB

  • Sample

    240509-w3lpnsgc8z

  • MD5

    09b2fd8ab8bb7b21d19e8b0d66b0a6e3

  • SHA1

    00619075f6f627abd500cf464e09df5432c0e6b3

  • SHA256

    e22a5cadeacc1a9d95354d85bdc17f6ab2dc5d23efe7df6d3d4683fb7b881a52

  • SHA512

    c50ad05f5e92f0f7435f46bfa0133064c09f8b35620088a7a20ff51a0aec0abed16109934b23bfc0ffa88d18aa9008203710cef43d3bb8492bc453ebb1b99acb

  • SSDEEP

    196608:1m4iK4GFiRjG/y3yqo9i1ZvK/mKdLeNmzDnEFZr+uy5zhIyIk9AoowGThoZ6f:oHDECE+K/nCdIv1eQ9DZI

Score
10/10
amadeyhealerlummaredlinesmokeloader5637482599krastlamplandemashanasapapikromabackdoordiscoverydropperevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67
Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Targets

    • Target

      05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0

    • Size

      296KB

    • MD5

      1e1c1e0154da443ce8e83086f29a5838

    • SHA1

      5be703f641f5a4bfbf54799747840cd570cd5046

    • SHA256

      05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0

    • SHA512

      df9f5d25b6f7934c8994379cee15ec7b44abaef51823a3abe5499ce1cab047a5a17b4384b7fe1c9edbd09bd1279a71762da95881b3e789942d992acb99bc89e6

    • SSDEEP

      6144:xq8jJ6IyLKHndgbV2NNXFZ4Cy12Cao91fNnWs70W5I2vCoCe:k8jJ6xENrZNy12Cn91FnWJoCe

    Score
    10/10
    redline5637482599discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86

    • Size

      389KB

    • MD5

      1e6d0394a9335f03d83a7f498df12ec8

    • SHA1

      aa25774159336873d0799b11546d7cec88ebca87

    • SHA256

      16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86

    • SHA512

      4bb7c4a3706e4056f6cc38e46dafab8e6bd463a148d5bc46197f7957f750d51c6d98903eeebe5b560283d1e15536bebad88c364e3776d5b804d99f36b8a17393

    • SSDEEP

      6144:Kqy+bnr+gp0yN90QE+rBmAS9kW2PZNK9zG1evw+IsQnjCgK83sE6ZnRC7D4I/FWB:uMrIy90wsAS/kBQk6o7D4I6d

    Score
    10/10
    healerredlineromadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      1e756c3dd2f7e40b65e81817bfdb8988cb9c718ec0f522915ca3dcd647e2f017

    • Size

      389KB

    • MD5

      4b1795960e7d4aa085834c9a2670aae3

    • SHA1

      4cccc41189287ac70bdd813b9c65d539b98a22f4

    • SHA256

      1e756c3dd2f7e40b65e81817bfdb8988cb9c718ec0f522915ca3dcd647e2f017

    • SHA512

      db3ad4c6a638fe81b8f9d5a0084ab290ee393c73b0d2a31c8302a166cbeb9b6fd834eec77fa9a2b029440cd0f00aa8eb09e0e64a612865fef35a7137e20a68b7

    • SSDEEP

      12288:gMrIy90VK1uWtbK9LuUnVQR5Nj9zx3If:4y4ktSLFVQjvu

    Score
    10/10
    healerredlinenasadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      2d35abe32aaee5617d43bf1fd2ace13b082a8d22878b2f5ae8136ab65d54742d

    • Size

      923KB

    • MD5

      1e4d6f387b6127e8e81f9d87c54ab03d

    • SHA1

      aaece8294c60dcb0dffa5666c5562dfd1c625d14

    • SHA256

      2d35abe32aaee5617d43bf1fd2ace13b082a8d22878b2f5ae8136ab65d54742d

    • SHA512

      d462602dbeca21d8aa4b724aa55d44a13a233f651d97894beff0c2f343ec9d1f4d4a13231d7d0ba5e50670aa2cc9df32b812036b50ee6446ffdd926665f62f44

    • SSDEEP

      24576:HychlJu+Eka3nZgkWIRqu1ooxDHWC77/UXuE:SchlJha3KkWgH17xDHW

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      3754d1115a8a0a19cc2164cd88182e48f6c2435bfbbcd6af4c63cc5dc0d61e68

    • Size

      390KB

    • MD5

      4b24ecf2b34c4c389446939c060ddde8

    • SHA1

      0623f7a45306d3849c5045acdac3dbac60039df9

    • SHA256

      3754d1115a8a0a19cc2164cd88182e48f6c2435bfbbcd6af4c63cc5dc0d61e68

    • SHA512

      2ca6237a5fb45a2f338daacc8309f59df8f7c92f679f40ab96f970509878587dc0ec1537e3bb3dbb4ede5826d47daa5787e019cd50bc4543ba6574b53ac73d93

    • SSDEEP

      6144:Kgy+bnr+Pp0yN90QEKOK9pK9K6wWp+BnuyjamdLXs7IgmVK3CcHnlRHm8TttASdt:YMrvy90y3K9FYVdDmycHnl9rsSdt

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral6

    • Target

      489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28

    • Size

      515KB

    • MD5

      48d8dd6d47882bd5e0431a0cf6d1a552

    • SHA1

      47b7610f1443096d9d442b5d8bce9054c8d529c1

    • SHA256

      489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28

    • SHA512

      721d7ec4e09ba8f857ce39e3509f688216f5dac18c3e5aaa215633492e04a40b8e9c569ddec5fbaf8b020ae50357990a5336fda52e6dced6437b02502a559708

    • SSDEEP

      12288:QMr9y90kVhlZSFHR0jsIpCE5NLNbPbE5uhI7tibmQmYoL:9yTZ60BpCEMuqJ+mEoL

    Score
    10/10
    amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      4a64601cda22ee78c5a65b16c6140cd47a27949c9b5b09685526fa936b55c3bb

    • Size

      390KB

    • MD5

      476312e3c4f36a6599bf9978e6d605a0

    • SHA1

      ee25d5db5694aadc3a9efaa67fae8a8dcaf56629

    • SHA256

      4a64601cda22ee78c5a65b16c6140cd47a27949c9b5b09685526fa936b55c3bb

    • SHA512

      2b671eef423f5502edfa8ebda69b3c696bcd9126b97b9a5e0b130e488ced8bf8ef4d47ab9a4d2f940e1c5c44c3246e4dfddd187d98382c2c653a09270c5e44dc

    • SSDEEP

      6144:KEy+bnr+bp0yN90QE8QNSryj31/wS5QRv4ZuHAQ3ojb0uDeP9VFh/5OqN6McLO:YMrTy90aQNS+j31vAKR0GzeTFhEqOO

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral8

    • Target

      4f57ecadcb01211787f5486a7230a8018a0f8a85dfe1ad7b633beb40126c1c56

    • Size

      390KB

    • MD5

      482b5b5074e9a4dd3dd618255f853f73

    • SHA1

      a65442b85c5fac2fe3cb9b5af4ce4bf6238dd1e4

    • SHA256

      4f57ecadcb01211787f5486a7230a8018a0f8a85dfe1ad7b633beb40126c1c56

    • SHA512

      f8f6d4aa321abaae7e1ef37c03ef3df6b083ec13581328ca73a97022b4e39763102e8b5926b0a105135c6319327213e6a803b0042372bf8beb1d7d3ce83b0ddd

    • SSDEEP

      12288:GMrZy90aJyyFZrk62AYWbT4bPwnzmfhx:XyvpTrn0ba6

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33

    • Size

      514KB

    • MD5

      1e6d11e2a9a40c2d205a289ef607ae24

    • SHA1

      f26f81b52bed31e6603334652139784d0a8bfaac

    • SHA256

      678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33

    • SHA512

      be2d827e7ad204b3b92c2c83f67a02e62cf4748c6b322493db36b282374d2c53aeb774a6a0f1eb465215e8ce6f956f6ee9f437da9606c8bf1dfc47a036b43d72

    • SSDEEP

      12288:aMray90Q3D/EZvDisHKwoWljc/MistLDMn2OxRfsfO0lNKc:AyfEyMY/MiKLDqHRfsfO8Nn

    Score
    10/10
    amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral10

    • Target

      6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8

    • Size

      1.2MB

    • MD5

      49653516356b84287648a3fbb3681ef3

    • SHA1

      18d25bf8c3f6c8557d87966f8ea39c8f05f9f875

    • SHA256

      6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8

    • SHA512

      87d1127a9caa03f72f3c4b7f6215651e618cd2bad0c46100a5a5c921170d8fd5ba8dae53918efd18de3a8a305c95280b3558ac9d32081f33146e973104cdfc5a

    • SSDEEP

      24576:UfBNveElInZKRPgiGiJvvTd1Y/ikf9PvXkfICSTxnO36c:UJ5InZKRPgiGi5YFBPGIjOh

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      6e1ca7d8d7a0c42eccbd5723dfdd5c856c5bb683313ec6d6d042d9ba90afced7

    • Size

      390KB

    • MD5

      1f1dfc733bf06bfb281880445b8e8507

    • SHA1

      f386c9d5de54b5f5e8d5c30432813b6bd5f5167c

    • SHA256

      6e1ca7d8d7a0c42eccbd5723dfdd5c856c5bb683313ec6d6d042d9ba90afced7

    • SHA512

      8db0b8713009de6accd81b6e61ffb8f1c667dbadf83e8e5cdfe65e234071ee92ddd334e32eaa6871feca7ce4d3651d95d49c7d2e24d8c9f3d2b49a1ddd54864e

    • SSDEEP

      6144:Kdy+bnr+Op0yN90QEuUW3eVlNDncJAfIjLX8eunbs4eFmWQN4BlZlNwHixfT4Z:vMrSy90sU+e9o6feXBudNAlZleHjZ

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral13

    • Target

      7a398dd87e73b31bd02e99eea6ac42ac6c884f0fed02dcf0a0a2184a33913555

    • Size

      921KB

    • MD5

      21150b773bfe5ce3cb16ea03e18d03e0

    • SHA1

      4b374d61fa92d29f777a82c7a42d558c697f1a44

    • SHA256

      7a398dd87e73b31bd02e99eea6ac42ac6c884f0fed02dcf0a0a2184a33913555

    • SHA512

      20bf20fd9c3de71ba4fe46d2b31b5169c6268de44a9e3fa96711c0d93f335a583d836935aafb49efade44e7c1a7587c544af3fc5511123aa6115cbec7d6f1d97

    • SSDEEP

      24576:CyFllbMVwT/Q0K3wHNpWhHUZn7CEYfbu:p3lbMVwTIENpYHInXq

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral14

    • Target

      806347c33e4007046137819a7a108692563d6b877051ff1016faf9a47ec660f1

    • Size

      390KB

    • MD5

      1d9f3ea52a8b89b8ccfb9d703c7d33c5

    • SHA1

      264636a7d26ccf2c82fd20d0f5917353815c85e1

    • SHA256

      806347c33e4007046137819a7a108692563d6b877051ff1016faf9a47ec660f1

    • SHA512

      18d7abf42981ab696358da845979498007e4afe62c9649f761799512fee89fdd5bb990f893b10df4599a1bd0ef357c1f5fde634205eced29e3548f1ae2bb301b

    • SSDEEP

      12288:kMrty900kaBTs4vnRH/sQpYD7cHnl9K+Nlj:Jydka535H/srDIHG+/

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      853890cb435781965f3dc9618397058d03c8d3e59706ede7d308b4afe12cbe68

    • Size

      514KB

    • MD5

      1e403ea018e300ab5fa01dc6722fd8a6

    • SHA1

      b84fea8ce4026eb79d8048b8c2af1d21ecf1364c

    • SHA256

      853890cb435781965f3dc9618397058d03c8d3e59706ede7d308b4afe12cbe68

    • SHA512

      51c703ee4d4c66c3c94d54f96691490b9dddd2260472b48f728f09712b081726e60bc6e1a1df1fe4306b99ab594065512bbce2f44587be7a7461a53dd7c6e244

    • SSDEEP

      12288:fMrdy90UdEtCZ8v/PXBqYmXzGNmIubtV4xM6ijMEV:yy7ut3nx0XKNmIucBEV

    Score
    10/10
    amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral16

    • Target

      85f2f1ff9ebbc00b11310cb6b89768dcf0eb2032b0a64810fc24c9ec9b4a6804

    • Size

      390KB

    • MD5

      1e53bac92881f6e30ffce45296b9ea22

    • SHA1

      5d52caa9d36a551471b4a3de70cf6fda53dfc62b

    • SHA256

      85f2f1ff9ebbc00b11310cb6b89768dcf0eb2032b0a64810fc24c9ec9b4a6804

    • SHA512

      e9c69a4b639aea6121f4c4d3701baed30413672a38ac918975f62eee8cff82a5f21fd44b6a7d0ef8f03bd6f63e8adabfdd6008250cf4fe8ddeb28e9af1ac1d86

    • SSDEEP

      12288:6MrZy90LWdxWlYoK4/FZDp0gBYCux13lmaj:DyUWd8lYZA7pbzMYaj

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513

    • Size

      498KB

    • MD5

      4bcbf97b45320fd1995037b5c2fda8ba

    • SHA1

      e5d82af83ef9875c435942d34f79d92a62a65672

    • SHA256

      8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513

    • SHA512

      c4ae95de3e086442b19c01b18cb8e9ee12aecff5f2a2f3b96c55f1d95ebe871967f7445e364078209d3a0947805aea492459d2586bf9ab453e11d0cc90f76f26

    • SSDEEP

      12288:p9I+5gSN27L4AhsAXjl7p8d0oDrVR583JNPamoCe:I+5/NQx2YRpfoNiJNSPR

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral18behavioral19

    • Target

      af1379c2cbc8abd767e205c1b0a8be9e9c8b5765083700eb3fd2313bf3a76e5d

    • Size

      389KB

    • MD5

      49c96deef87570c04d31914e09ff63be

    • SHA1

      3a4e4c8a5173863f6845b3234f9f9e6bc31fdaae

    • SHA256

      af1379c2cbc8abd767e205c1b0a8be9e9c8b5765083700eb3fd2313bf3a76e5d

    • SHA512

      7a717c5b6cf12cdb56f4f933216cef0e7241003d140b35fe9ba7e7bbb5cdfc0445545e7840f943b01a5e38c009b4fc9ed2f71c5e4854e699c91f2c97643c6327

    • SSDEEP

      12288:5MrWy90azBG2m2bq0htHmjM7gBYCQAljb:Dyu2bq0jHmZzXX

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral20

    • Target

      b22005984d343fd352d0b9067646db68950aebfa2c1e0d33b05276c602f98e40

    • Size

      390KB

    • MD5

      1df02e7a8bd92fc60d7803261f145a79

    • SHA1

      c39335bcc97c8ffce40bab53e10054d8f00beb7e

    • SHA256

      b22005984d343fd352d0b9067646db68950aebfa2c1e0d33b05276c602f98e40

    • SHA512

      72fd0e718691a85b4a7fa73b58f1580efbc5a3416075065955ef266138c1a45427e8ea2d62555e16af7f4b1e6c8e82ae898a2ece8a01f4a91d4296818a94694e

    • SSDEEP

      6144:KSy+bnr+dp0yN90QEvcRplPxPItIu+sFW5YVtPgCrSJqO9bBHka:SMrRy90KRplZUwUkIa

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral21

    • Target

      b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5

    • Size

      1.7MB

    • MD5

      48726ab44afa6b367798416a0a9ad7fd

    • SHA1

      ce93701961e083eb42672752ee274a00a3e1a658

    • SHA256

      b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5

    • SHA512

      03e8402e4f774dab2157c12264d157bac559a6f259d146b8bfd0592c880308607995e2bf7b53c5e61d1f9ad556601edc9d2b9b1bc9d833a101329c89cd9b8c42

    • SSDEEP

      24576:/yT8NOIybemiPHi+dlVXGZ1ph/GauSeqOBNUCLrQ17AGP9+kvHDvkjEvt4kxhlhs:KT8Tybe/DVXGPrxxg0Gra91vLD1x5

    Score
    10/10
    healerredlinemashadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral22

    • Target

      f8896ca2a901da194a2479237a084ee46b329ef65d0a6795eb3717cbbacb106f

    • Size

      641KB

    • MD5

      20a5e065af0699c936fe4fe95bb9fc4d

    • SHA1

      3a645f043b6fb7194ef236fe7a0ae6d92d27f6b9

    • SHA256

      f8896ca2a901da194a2479237a084ee46b329ef65d0a6795eb3717cbbacb106f

    • SHA512

      d76a5a72fb608dbb3ea7fc76a12b98a36fd408c91886f064792cc7c815a9c2a4db6aa4cc71653af7d435c2e7e9e976e7b9214307370c41496a4b096b9d956bea

    • SSDEEP

      12288:RMrRy90JqgSm+g/Adc0TBpV9W601Duz+g++2O9Vwln8aXOTv0vNWgBJTMO:cyAV/bqB/vXrbYD1WyN

    Score
    10/10
    amadeyhealerredlinesmokeloaderpapikbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral23

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

Score
3/10

behavioral2

redline5637482599discoveryinfostealerspywarestealer
Score
10/10

behavioral3

healerredlineromadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

healerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral6

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral9

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral11

Score
3/10

behavioral12

lummastealer
Score
10/10

behavioral13

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral14

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral15

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral16

amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral17

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral18

Score
3/10

behavioral19

lummastealer
Score
10/10

behavioral20

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral21

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral22

healerredlinemashadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral23

amadeyhealerredlinesmokeloaderpapikbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10