Overview

overview

10

Static

static

3

0fcedda988...81.exe

windows10-2004-x64

10

2432f37cfb...1d.exe

windows10-2004-x64

10

2b87c7a59a...5a.exe

windows10-2004-x64

10

2d0e9487b9...7c.exe

windows10-2004-x64

10

305a49521a...a8.exe

windows10-2004-x64

10

34eac23d05...83.exe

windows10-2004-x64

10

4288cf23e3...b7.exe

windows10-2004-x64

10

566c1670c8...b3.exe

windows7-x64

3

566c1670c8...b3.exe

windows10-2004-x64

10

5b49e20d68...4b.exe

windows10-2004-x64

10

6c3c673ed8...b1.exe

windows10-2004-x64

10

7ba1ecff94...00.exe

windows10-2004-x64

10

7fc78a2450...25.exe

windows10-2004-x64

10

80c33721dd...df.exe

windows10-2004-x64

10

9c63b1ba60...a6.exe

windows10-2004-x64

10

ad95249c96...29.exe

windows10-2004-x64

10

b3b9cd87ed...59.exe

windows10-2004-x64

10

c567fbb4ec...1d.exe

windows7-x64

3

c567fbb4ec...1d.exe

windows10-2004-x64

10

c69d581e2c...e2.exe

windows10-2004-x64

10

e3c9a1721d...3b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    r2.zip

  • Size

    9.8MB

  • Sample

    240509-wc83aahf33

  • MD5

    1b2db937b94746dfea7bf3abe2e394e5

  • SHA1

    a278b4fe5358ef6a52d0258deb2560fae65c185e

  • SHA256

    9805f81a13aaa68a2026a38b70b1fdd1d76fee0ff63916c669d728c6e4dc3b7e

  • SHA512

    6d5be98ab203bd78e46f351fd601316c8f6dd95b643b6be7922c60129233e71b7038d8dda27308c2f05e474e8f97db1266604c31d5b9060d5ef21113c8ac3ca4

  • SSDEEP

    196608:biG3mBoHVso5pRYhKSVRwv9elUNbksgBcNCreo8uSlrUbQm+sQEIDPBCFHWCVHL:bMoJpSKE69eiNIBUZLlrpm+/D2WC9

Score
10/10
amadeyhealerlummamysticprivateloaderredlineriseprosmokeloader5195552529krastlamplandemashanasabackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67
Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Targets

    • Target

      0fcedda9880a4fde053b44d2ef2a6b90a87db74ea8ef6e1605822364dcd8a881

    • Size

      390KB

    • MD5

      4cd2e5b028941f82914293c0be110810

    • SHA1

      9fe5e00f5defc489fae2355ead82831df654a13a

    • SHA256

      0fcedda9880a4fde053b44d2ef2a6b90a87db74ea8ef6e1605822364dcd8a881

    • SHA512

      e0f1a31d99aea178209adb6eefef489702d2872584130582585369f9d9abb4ed0d70206af0a755c111436c6b77d0e78c6cd8582d015bf6ab594a1b9641e46033

    • SSDEEP

      6144:Kvy+bnr+8p0yN90QEP2QZUjtQ5JZep0uGXbA6I:ZMrky90C2sDGbI

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      2432f37cfbe720ce2f627a725367676d71bb944d2306c1eab9bab6b0cab5e01d

    • Size

      514KB

    • MD5

      4e89c8ab274dd94465d49ed7b67e9979

    • SHA1

      6048ea64bf04018bf560334945745677c0d5f1e0

    • SHA256

      2432f37cfbe720ce2f627a725367676d71bb944d2306c1eab9bab6b0cab5e01d

    • SHA512

      184e6166d71ecc0d898e4417e261a9c64a5419378555c04a5e4db1f64ad10906f4fff5c37d1a25b1523a5bb2a8de010518a8c215ebcab7318322338ac9aea2bf

    • SSDEEP

      12288:gMryy907GpFrreamboOBlpUn7NeXsLrhtRBW3eaXDi:iyEq6ayoAun5eXsH7RBWOaXDi

    Score
    10/10
    amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral2

    • Target

      2b87c7a59a469adca1693ceecd7fb1ea4eb1bb095a55e316a96eafda54e2285a

    • Size

      390KB

    • MD5

      5151da14da5318506c76f8f0bf8f2263

    • SHA1

      ee1e6b8c177e075ece88b6186b97a1f1d878eebb

    • SHA256

      2b87c7a59a469adca1693ceecd7fb1ea4eb1bb095a55e316a96eafda54e2285a

    • SHA512

      35347e37d11b914a0b69f6d8592d7a7782c86c196a4b16d8415eb2d5c135ecea9223d63212f15dad61e023cc706caf29b1839bd55281d033689eb93edce6d742

    • SSDEEP

      6144:KMy+bnr+ap0yN90QEkHAJLR3gWt7ooOsikfnmTT7SOV/MQtmauilIlYJRZBtg:sMruy90+HAJLR3gDvtkfSSOX96mPC

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c

    • Size

      767KB

    • MD5

      4ce629f8747eda6f87736e78bdfa16a9

    • SHA1

      17184f40285443cc76533b58363b13cd1647ad99

    • SHA256

      2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c

    • SHA512

      1aff9c893365d2cf73edf1634964f09c50665f6d4b057bf3ca8352c97ca9a488c5bfc17ac1d69c8d31e1b0e9800017765aba5374362a47ef758f18a66db0148a

    • SSDEEP

      12288:cMrGy90KcRXwceOU3O7iGzGz6AOrFilv4k425Uvy2hl+nMLAUwoNTeWsIk:iy9e893OuGzGkrFiGkL5Ur+g1k

    Score
    10/10
    redlinelampinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      305a49521aa7fa93bdb6f6a01420fcd3800a565c32194a366c1d6a22f8f00da8

    • Size

      390KB

    • MD5

      556b6f8063b6be20e9c3cce8da51432c

    • SHA1

      0fc90e69928de47b6dc5502fefa2eae4f82805ec

    • SHA256

      305a49521aa7fa93bdb6f6a01420fcd3800a565c32194a366c1d6a22f8f00da8

    • SHA512

      02aa56be7edd80292b1b1f325ef1a56a9a60ff004c3b3fdebc90e5a4ad9b1f68fdc0c659ba3a37673ccdce41d9d26f39619a0df6a9fa6b0dfde7033a8813cf04

    • SSDEEP

      6144:K6y+bnr+rp0yN90QEqwfVzEk+363cTtpEfG3SCVCzhyYc7SdMMMQ0OoJmCUKWLA:OMr7y90cIzu3ehhyYcOdBzIfUKZ

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      34eac23d05376694cf25e5de3b6455451ef743f0f766b72fa3e5b94726010c83

    • Size

      389KB

    • MD5

      5129e2aa9577a88546b213ba9aa633e2

    • SHA1

      4b5dad0b02d1a52f709bc6440327600bbe2e0a79

    • SHA256

      34eac23d05376694cf25e5de3b6455451ef743f0f766b72fa3e5b94726010c83

    • SHA512

      cd156016266dbbad12cb970d11101fce04cf2a15fc4528d77b606a54b5ba16fe5b7401801011b72ee8b9fba752048ac57e57413509af5a793d67519ca829e4ba

    • SSDEEP

      6144:KQy+bnr+ep0yN90QEiS5QTUfkLMG/8FNRkHjQ18xWMmq/908ykUlvmpZ:UMrGy90ASa8y/0kDE8y9sX

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral6

    • Target

      4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7

    • Size

      514KB

    • MD5

      553e00500d378ac6c88ebcb49f0c11b2

    • SHA1

      b0640e712ebde50090ee39742411f065e998128c

    • SHA256

      4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7

    • SHA512

      3102d0c6d812f7220f60816f48e6a4d9dc0cfa84fe4fba947e661fa03f7870edeff42fdbb3f4df82040dcf5f8c2241187bb6264c59687a2a92ace8dffbf6399c

    • SSDEEP

      12288:rMrry90RaLXTfYqGozYJ/1epNJeGQ9Fyw:IyNgqGozYB1eXsGQ/d

    Score
    10/10
    amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      566c1670c8a5f43ec35b831518b15cf388fbddff2c3ba3ffc8167ac1bf0a1fb3

    • Size

      492KB

    • MD5

      c40f810518e4290ab7fc1e07e5c83ff9

    • SHA1

      9f8bc2e44eb00b71047c04864e007225eb9779c9

    • SHA256

      566c1670c8a5f43ec35b831518b15cf388fbddff2c3ba3ffc8167ac1bf0a1fb3

    • SHA512

      044be66f51e52b07e77105dcf1ab2b1c099636eaa557124e5e442b6c6383564d578c21f1a6a0a0a0caecb433a16a3f552b27aa5e714cccaf9bc01f2b741335fd

    • SSDEEP

      12288:d4w4rJNNGCt//w5qVN2iu79mnxhyC4GNq/SBoCe:/4rfN5Xw5qVN2H79mrymyR

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral8behavioral9

    • Target

      5b49e20d688471002a1cc866e323e32a0e0a2f1e92fd2f057979cd27a850f44b

    • Size

      390KB

    • MD5

      c2d23a53e4099c1c7126c1e6e332fb12

    • SHA1

      22f111c42bff48f88be368920886195dc990b3fb

    • SHA256

      5b49e20d688471002a1cc866e323e32a0e0a2f1e92fd2f057979cd27a850f44b

    • SHA512

      7251bc4c9dca30f08baafa1e4b9572a20d026a351ba7b5482190f605b41087a25da0f259e0742adf796f556a42b5d09e1a05d0909ae947a830fdd30ffa280bc5

    • SSDEEP

      12288:5Mr/y90WOOEnMEY4/7kJByGYpEzPCGDk:myZpEYgO55zaGDk

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral10

    • Target

      6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1

    • Size

      389KB

    • MD5

      54c918a054a58d3fe6838ce4c31344ae

    • SHA1

      84132b9e7a9dfb09181d37588e2d69c9dfa7d8c7

    • SHA256

      6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1

    • SHA512

      2847ba4171fd4a050fce828595c3b066de2b69afff4f5d72877d36c24f14db541610d6260cd44c7530fc026792c1b5fae9f93b8b7dd18eaa870f9d86b14bf091

    • SSDEEP

      6144:K0y+bnr+Xp0yN90QEcHiyKnpVK7KFibk30yxOF+2SlqcK+usm64j1pSSQAJM2Y:cMrPy90GSpk7KwbbyxwMqcRusmDZG

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral11

    • Target

      7ba1ecff945330ba39b0d1bc0a81272da1abf8acbbe727db52a09c23c16c0c00

    • Size

      390KB

    • MD5

      50934aaf7bdeea19404491b568fad850

    • SHA1

      4ca4dc3557f0a6e27595e1a72c33129ad3bec595

    • SHA256

      7ba1ecff945330ba39b0d1bc0a81272da1abf8acbbe727db52a09c23c16c0c00

    • SHA512

      21caa908bcfc5cd3c4c2970ed8c92931887b2e0b3776c992bfd3b66aceff6060c5bc7d047119deb3796bb2107460490eefa3c8f09a6d7fe09e675d2d78909067

    • SSDEEP

      6144:Kpy+bnr+op0yN90QEzksTLHBIoxvFznqrZatQxQqw5PgNpxCYqDNgOht541GvAY:HMrgy90emLHJvFzqrZavu061GvAY

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral12

    • Target

      7fc78a2450a642c8ab25d22c58c9792408d566a5b9043d95b64f6b407d9d8225

    • Size

      922KB

    • MD5

      4d6bc87a5035be0d2eff75f9a663f7a7

    • SHA1

      a427033287f275020232a2f96e8413f7ffc9b400

    • SHA256

      7fc78a2450a642c8ab25d22c58c9792408d566a5b9043d95b64f6b407d9d8225

    • SHA512

      c2168b460ec7fe2f6af5f3c4103a3940aa2b4da642790ddb2efa69463f71f2cb1b3183bbd9ee5f8c5046d9b56fafd89c79eea19ca14c0467a8861af4ea3c8399

    • SSDEEP

      24576:QygOXaCEQ2qvM8W8KNJv+w7pg9uz8aPjsER:XgOqCEYk8W39g95qY

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral13

    • Target

      80c33721dd8916cf61ad4cfe3a1f57bd083b1adf9fdad50707739a67ee1c9bdf

    • Size

      390KB

    • MD5

      513a509c250dcbcfb62c1b6191fc7e53

    • SHA1

      178f6536c34418890075aba7cab396d4da2d487e

    • SHA256

      80c33721dd8916cf61ad4cfe3a1f57bd083b1adf9fdad50707739a67ee1c9bdf

    • SHA512

      d1260a8e442870e4ca64b0cc91be943724200a8a931facaab8c0a6109752bb733dcae7bfbea4aa3b177bbee6e09f4e297ccd8929ca942d83c06a82804419c044

    • SSDEEP

      6144:Kmy+bnr+6p0yN90QE6LoizgY+72NOaqTyDwtqmq/zQ2PLLsK2CmVuCcHnlRHfOFl:GMray905isasFu1mI/PwlcHnl9qRVT

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral14

    • Target

      9c63b1ba6018935ad5e5fbb92f79d2bbd6eeb9ee0520ed5cbe7b9e1213eb33a6

    • Size

      1.5MB

    • MD5

      c30d6278694817d3cc99f6ff5265da74

    • SHA1

      350567243f65ea38c3bcbc24fc93272e4e46217b

    • SHA256

      9c63b1ba6018935ad5e5fbb92f79d2bbd6eeb9ee0520ed5cbe7b9e1213eb33a6

    • SHA512

      3963175ae52c90b743dbcc1b38220ab2abcc10916558053c1a6f13ac52ca426aec2394ddf5220f482c48ad9e08955704b4764289c26f50a45ee648297b5b4a89

    • SSDEEP

      24576:cy51XtT3ttYzCJsw66AMLRzIdYiQceweiSKE70EpUSn6qY0I+mUNNqU:LHXdttB0uJKjQTkE73pBDY0I+JNg

    Score
    10/10
    healerredlinemashadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      ad95249c96bb70f2fde592c74bf9bfaa2f25de9282a90943574ce4e547731029

    • Size

      918KB

    • MD5

      4e8759ab9a8b5f7c4f66a88a89ded7b9

    • SHA1

      0d8b409b1a28cb898951b534878586da01179b0d

    • SHA256

      ad95249c96bb70f2fde592c74bf9bfaa2f25de9282a90943574ce4e547731029

    • SHA512

      25cb5ec44688de16636b97d082ba9821fe135685f16c9dc9211583bb60f98a7120d22ef772ae7ab68bf6b33a71d0bcc6fd266ffdb04bba7b2e4d0af63b3b851e

    • SSDEEP

      24576:4ycoiRyR63BFw1QzzRQ3Uc+3k4aMm3KCzylrULA4Dh3nqM:/cois/8NQ3Uc+3XaMm6rgLA4DB

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral16

    • Target

      b3b9cd87ed117eff25ebae286512425b6d778c82802a6b097ac45b68e438e159

    • Size

      390KB

    • MD5

      56d34cca840bb1840d959c7bfa71f175

    • SHA1

      14af65fb8f211962bd73452aacd0a7076bf49feb

    • SHA256

      b3b9cd87ed117eff25ebae286512425b6d778c82802a6b097ac45b68e438e159

    • SHA512

      5b05119212623f0c392c2c7577fd898a5e7e20c89b104f83b09b0220a8fa0aae1b175b54fe7114cf56d30af2a52b82e034e6a35544775f0de51465ce1c40af49

    • SSDEEP

      6144:KEy+bnr+Cp0yN90QEBM1UkWcnZNbS6AxEUfPvC+EWgDzyGsj6U:gMrqy90vMwnPqW/GzU

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      c567fbb4ecb66496889cc136a63ac18310c18ecd83880c4c83fb29e71c63d51d

    • Size

      306KB

    • MD5

      5289c70cd98e713d4074b37ccdb48139

    • SHA1

      6711a067f0228f67e0585df2ca478b361124244c

    • SHA256

      c567fbb4ecb66496889cc136a63ac18310c18ecd83880c4c83fb29e71c63d51d

    • SHA512

      4819dbc5b0fd6b56eaa5a45adb78db8a62982fd7bcf127decf0a41254ae5b9d572cfbfd1fd08038cf1083d0e788f53f476d583600169b8eb537811ab8ceb8b00

    • SSDEEP

      6144:1oZd9vSWh60RVAtljy11wMChzxz2+aPie45e8q/4I1mupJyL985:CZiWhHWVbFaKeb8q/4uf7yL985

    Score
    10/10
    redline5195552529discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral18behavioral19

    • Target

      c69d581e2c9751820b591c60023bbffd16aa66ad26d0c76b20574cdac2cc7be2

    • Size

      320KB

    • MD5

      c7c86ccb7a8447c0fc280c1677d5bdfc

    • SHA1

      47c05e0511f3d29afe982bf266cb420cc85cb0fb

    • SHA256

      c69d581e2c9751820b591c60023bbffd16aa66ad26d0c76b20574cdac2cc7be2

    • SHA512

      5015e11b3d4857a07cfd27d5f176721b0eeede05e675ff6ffb2546126853164f580bedcc847d9ceaf9a9916478a8c41355015c2c2764124b7e47dd2521ab13e3

    • SSDEEP

      6144:K0y+bnr+Up0yN90QEqrKEP3ve7yRfsK6KRFjEXtaBv762LA0iRddbIq5xA:wMrQy90cKU/e7RK6KRdEXYp7tbiv1x5W

    Score
    10/10
    amadeymysticpersistencestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral20

    • Target

      e3c9a1721d8f0eecf6a7e81b32b9823a4952d636d4930a9cdfae0876cf293d3b

    • Size

      1.1MB

    • MD5

      4c57105730828c98c61e10949fc25950

    • SHA1

      b018b8964a21ec971d7a8e3480ce28976012374c

    • SHA256

      e3c9a1721d8f0eecf6a7e81b32b9823a4952d636d4930a9cdfae0876cf293d3b

    • SHA512

      ead8b5fc20e1a9f2125f2f7338edc844f80415ef768f02753dcdc51140b811ae2fb60f0d77226418a433746a28c81296f1a8b41333eb6b7c59c9f52f82e1f378

    • SSDEEP

      24576:8yqOw0U5IPpj5uiUgnhUaO6O/xaGRxr01X:rq50U5gpJUD6lGRp

    Score
    10/10
    privateloaderriseproloaderpersistencestealer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral3

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

redlinelampinfostealerpersistence
Score
10/10

behavioral5

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral6

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

Score
3/10

behavioral9

lummastealer
Score
10/10

behavioral10

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral11

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral12

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral13

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral14

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral15

healerredlinemashadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral16

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral17

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral18

Score
3/10

behavioral19

redline5195552529discoveryinfostealerspywarestealer
Score
10/10

behavioral20

amadeymysticpersistencestealertrojan
Score
10/10

behavioral21

privateloaderriseproloaderpersistencestealer
Score
10/10