General

  • Target

    r1.zip

  • Size

    10.4MB

  • Sample

    240509-wjjqzaeh6v

  • MD5

    afea082fab4f11b6b68a67f089f05149

  • SHA1

    88f18224dd4edbac578f573f213128d55607f439

  • SHA256

    df50e88cdc283283db23658c52adb6d37e55d4a38da81d63be2c23c190e6d979

  • SHA512

    86e5926b85d1762277bef24a7d9046926e0c41a2e583b5f8b526f2aa3b90ef0693fcebea124293decdf9f1b02a17e2e0e5a0427af4ceebf23c2b61446c0e5e83

  • SSDEEP

    196608:zf+nZ96DqfFbLNoiaZ5VaApZ1RhQxqYTnlQ+/q3XFib3dZB0HMDfAz0LY7s48dka:rSZ96DSrWsUpQxq4e+/q3XkdD5oX0FL

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

muha

C2

83.97.73.129:19068

Attributes
  • auth_value

    3c237e5fecb41481b7af249e79828a46

Extracted

Family

redline

C2

91.103.252.48:33597

Attributes
  • auth_value

    562d3280c1a052ff370bad4ad69185f7

Extracted

Family

lumma

C2

https://mazefearcontainujsy.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Targets

    • Target

      19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b

    • Size

      306KB

    • MD5

      b309c1dadd09e6991ed90c6ccac7badb

    • SHA1

      845485b9ae931e443c488e65d44cb2bc4ce48e99

    • SHA256

      19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b

    • SHA512

      3ed5e276f089e112169d41de199b35ff81055913b5d17c2edc6e1d4087e4aaf594662d6b62ef96d9da67865b641d2ea09166d90139a9b5e0f98bac9ff0c0bbd6

    • SSDEEP

      6144:t7Zt9vSWh60RVAtljy114ZGaWCk1LixTtG3Xzd8nn+OJyL98p:5ZSWhH+Z81+Gzunn+qyL98p

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19

    • Size

      1.2MB

    • MD5

      b22e3d28fcb85f140790e00b67bf0048

    • SHA1

      11daf8146bf98eb6f00d82e846be9890f3280724

    • SHA256

      209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19

    • SHA512

      061c481cfa66c6271c9f5c329942768a6109b13e404303ac1fe6912a45ac42a1b14d62044898cca104225a9cbbf079b24851436d62538d748bce6e8752f90d7c

    • SSDEEP

      24576:ll1NeljsInpBxcyc40xvOGe2ErJU8dtqF6dl0:lnHInpBxcyc40UBFU8+cdu

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc

    • Size

      514KB

    • MD5

      ad9443ce5e431e8295fd202f57cf1d6d

    • SHA1

      330ab81f8d5d8360f11e9e15f6829608c3ed666e

    • SHA256

      2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc

    • SHA512

      d6bfaf96f61d6055c4e368f22542ba85d8d9c77d652480195953db43eced505a7102d5b10d79842e76483f90b1bbfa22a0d2fd6d0a423166efc8c585c3f665fb

    • SSDEEP

      12288:NMrby90ooS9jGwyQikPj16mcXt3Q+snYfeplV3:GyOSTJj143Q7nmebh

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df

    • Size

      389KB

    • MD5

      ad9be100cf69828b8e7a7a836154d5e4

    • SHA1

      dbf0f2accdb22e674419d2c0abda7fbef534c3dd

    • SHA256

      24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df

    • SHA512

      0e13d0bc6bfffef4ee50fb62eb2168de8426761b4da0091c95eceb7cb1f461bf05f73677bc07ddf504e69e306a3848e148b22c9fc17eeb3a247647a96d7f0446

    • SSDEEP

      6144:KKy+bnr+Rp0yN90QEnI11PokWcnZNbQR5nfyQPLaW5F/tyKYuNcUNQfMFkkhgVRn:WMrdy90uTPTcty+dqMS/VRi1nm

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad

    • Size

      1.0MB

    • MD5

      aa56dc80d4e82ae017ce150cf8fa48cc

    • SHA1

      2a7ee36a1296e0438ef0e7a9ab41d8ff03496ec4

    • SHA256

      2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad

    • SHA512

      ce4c8441785c866d0bc9ab8a5c23bba8815fd8a1e30b9ab10ec6a36c6aaba2ebf70bf3c53a9515a52402014daf6e2b25542397fc498bb9a12ad11ee602769daf

    • SSDEEP

      24576:XyaHBh7s7f2+6EFDn3Q521V2AJ56SANT0kAZJzgc:iahwfsEd3F1sAJ565gke

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a

    • Size

      514KB

    • MD5

      a5906f38456848691daa7ad90e16383b

    • SHA1

      5eed856722109411b99eb607e5bbe4f4dc1537d8

    • SHA256

      30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a

    • SHA512

      ab8d1c01d7de39c82df4db1f704c0ae70d907c32dbf96bf9482d08ff4de06c7afb0636ba770b67b34af76fa848b6391b3b97a9aa6fa09bd993033b691b2c114c

    • SSDEEP

      12288:QMrZy90Xngq0rDJXt+/xLRjDd2zMpoCGmhF631xFKrn+CjYd:Zy60Pq/xFAwFGNFxFw+4k

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566

    • Size

      514KB

    • MD5

      a3b12999051bccd12021b96b6f86c928

    • SHA1

      d8fa4600a37079cabc0b61744970a0e1efaeb502

    • SHA256

      45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566

    • SHA512

      d795296547eefe35537e545f47a5b3bfb2a2cbc298c0ec422a62fd888fab370685b2102c4ee289ad8cc34e30f97dd616ec53e8cce3682d711ab28c5504a933b4

    • SSDEEP

      12288:kMrPy90Ptd6fvSMfJOjUlYm3Yw+uMNdwmD+gV3:DyTfqMfJOjQY2z+dwmD7

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      55ab9707d2ed04fd65eb47b64da270cf7fa47cedb721831c5dd0567bda7cc950

    • Size

      389KB

    • MD5

      a5290f41b140199f65e9e9b7d2271a3f

    • SHA1

      15492c7db927b054e4eb813b426d5c8642ab22a1

    • SHA256

      55ab9707d2ed04fd65eb47b64da270cf7fa47cedb721831c5dd0567bda7cc950

    • SHA512

      f944b217adfb55ed323340d606576ff39ee125e085734afed8ddf19c9f4781e1a972a9add350175448b174dd3496b5424642072434d89eb018a093bc4fee60cd

    • SSDEEP

      12288:NMrAy90Y4tMhulGOAFfgBYCifwu9GVtJK:9ydoRAFYz8M9K

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d

    • Size

      390KB

    • MD5

      a6f8f7131f6c47621b2e965cd6b6c981

    • SHA1

      327a8177a15d3a0838e98aa40ea5a8a46c655d95

    • SHA256

      6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d

    • SHA512

      d2b98015331f39aefb690df721fc0a0696dd17a621828cf729efca2cde927a8e603e5f88df50414d46020df7a52b49470df60cd7eb08a0ca9301a6ba50d00b3f

    • SSDEEP

      6144:KSy+bnr+Sp0yN90QE3zx3tQ3dNyVO12a/QNe9EOgqOLjBavFo4:mMr2y90pV3tQVo0QCaFma4

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5

    • Size

      389KB

    • MD5

      aa413f00a634a54138763909ad2d91fd

    • SHA1

      1878f20db3f565f33a3e719132e7c1a26169a938

    • SHA256

      72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5

    • SHA512

      1e87efeb14401efd75d2e76423e750a0dd78e70f579c62a5a876e046300674dddde54ff450f06dfad4c95ae85e8d96f0f8199b1222cc206912b8d1aaa4567a5e

    • SSDEEP

      12288:tMrKy90lN9Rx8Rh/VCUR3OFegBYCRCThPL:vykFx8RhVCUB+9zuL

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9

    • Size

      514KB

    • MD5

      b2a6158e5066da9cdf80f68a45607dbf

    • SHA1

      9c0a1b48a8f821e1bfe1cb4266aed6fa30294c9c

    • SHA256

      9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9

    • SHA512

      c8a3d4dd40a4c1dcec017e78105426093d4be62bd931b72af4ab38cdce5cfef19eb3b74d2cd0c63e352bb6c3cd76ab08922f0ecc8c26f0bb159a7e393b914cf7

    • SSDEEP

      12288:7MrVy90uCP6AGluvgTtGOTN8F3a56b3WEwjXh:iyG6AGsgTtLma6b2h

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d

    • Size

      175KB

    • MD5

      b0762cb364c4a6dcaf988e98769222a2

    • SHA1

      383306a9f9e8adc5f893ff3913131e6610525c95

    • SHA256

      9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d

    • SHA512

      6e2ca96e53ffd5d89d7b800f21c7636b87935fcd8261aac4a936c96a0a3e103ee9704f7cec541c0babfc6ba66e7882d44ac4f7037219ac07c6e6e6273d3056ef

    • SSDEEP

      3072:KNy+bnr+O1R5GWp1icKAArDZz4N9GhbkrNEk1pRroMK6y6S+:KNy+bnr+2p0yN90QE6KMlz

    Score
    6/10
    • Target

      b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa

    • Size

      919KB

    • MD5

      aa26cccde046b0e54b832825a5756c35

    • SHA1

      f5c538220421870979edb4d93fdf8b02a4d0ecbc

    • SHA256

      b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa

    • SHA512

      60ace7d38dccf257e75c6e369355975b84757c127f93afecd6e58f4316bd7f1d13cf55f7d4264d6928e37f62a37d838f9b044567ea49f8bd27eec9511130a290

    • SSDEEP

      24576:IyAXaONmQk2uEBNOAaIGqgK1wjH9AxXChzyvp:PAr+RpItggoH9ARC4

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44

    • Size

      390KB

    • MD5

      b2971e22c8fca83829bad2afae84a0c1

    • SHA1

      4d3a11d21db1e95e86e79382e8600da710158713

    • SHA256

      c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44

    • SHA512

      ad5eb42328d4bc03c8b01ffa2d7ffe85c84394695c233e052a7840fef288e120e5b14e9abcc7c3fae8fada583de7cb9eb19060d23e2d596f900a9cb9b9a74f7b

    • SSDEEP

      6144:Kiy+bnr+Up0yN90QE/QeKcFaMM8MIB88hU3846ZmHwTCcHnlRHSjpiR0NUcP:eMroy90qeKkaMMM/e8l8HvcHnl9eP

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc

    • Size

      1.6MB

    • MD5

      aed3e716f608104e2440f5a872c969de

    • SHA1

      07bd20370b5dfebd101d421c64d040163aab20fc

    • SHA256

      cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc

    • SHA512

      80b1c179f57468ff121a0909e7e6940af32122e2086754329463c9c1877ea6e2cd4cfd0eccfe3f31b830a5d51fec6ceaacbd9e6c8eb6254cd734b0c4cdf00b5b

    • SSDEEP

      24576:fyl8gNcSnpEaZYaoMZ7R9DkPAjuhhqT5zoCVQcx/e1jTfIHBx8sEwZZl7:qHDVq0NZkPmKh8zoCVQt1/Inxz

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e

    • Size

      390KB

    • MD5

      ac4ef0a8163aa70cb3fb5a2c03402872

    • SHA1

      1f1ce96331c7c08e874f90e466a2617aa1295cfe

    • SHA256

      cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e

    • SHA512

      65e603525a657b938a3a0bef0faae91a787e00c8f28670e3113090340c8f982291e01455756e46b5e4abca68cc8598d8887f8b30c984b444f03b18a102c44e54

    • SSDEEP

      6144:KYy+bnr+Vp0yN90QEjJh/9hdzrnZ9YgDCV4ZfWb33aY3sJ41IwTSU3VqAtGay:8Mr9y90RblfzPtDCV4tyHsJh5AtGay

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff

    • Size

      862KB

    • MD5

      a85e4b8403f70f8c8c2a4694b484c3a8

    • SHA1

      ee614a34528cda5db2c436bbc77247c3fe213f60

    • SHA256

      dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff

    • SHA512

      457c453516d49626c8f0e5e9a446962314e44c1cfa8ae5b50f0fe344590ceb2a20f53936c3d6a6aff9e0379bbe8e0b9afdb3ec994ce1ad0980620919f29b5157

    • SSDEEP

      24576:5yRfeUF4xX+YYKqx+QgmUpqWngJeXUXDH7:ssUF4xXPY5gmRVJeX

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc

    • Size

      864KB

    • MD5

      b256e9fc25625b83e43a74ea8307026d

    • SHA1

      8bddc4828acbc99bb6b144ed6c2ca8ea918f9345

    • SHA256

      f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc

    • SHA512

      60bf45c3636a766acbe9e0614ee3f88709259e6a81e65b08f107648c17e4ae73de0cbd737e8c03dcc02401e8ee3c403aa2216b31e68fb9c5ce1ab76e3624624d

    • SSDEEP

      12288:EMrry90/YoqPF09KlVJVkFpsJHw/zCZjnNHTSNKdiWBCDnz17X2dvVvtXIHsnzdR:/yMUnVDknWCzCjnHOjzN2d5t70yrNhV

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956

    • Size

      435KB

    • MD5

      a76aada563b5fff5cf81824d40e87c25

    • SHA1

      b6c50c7d69b765a396e3995642cd3c82ed9eb370

    • SHA256

      f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956

    • SHA512

      093e3da142ee67a4da1c8f352460e5d90e9565ec60855285a19eb6e2c2f85d8b8ec22e0b5f46194222954ffeb19e1a8451f9d364c8869f1ef8050decc7154a56

    • SSDEEP

      6144:KGy+bnr+2p0yN90QERSilWQs1fiFwqQdcKrObo6czcJVDQvY6iflPOxpJOrtND4h:CMruy90HSil5s16yMbl+xHslOpMzKL1

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616

    • Size

      490KB

    • MD5

      a9b440ad0e7d76d9fa2ec485fa53eeba

    • SHA1

      179dcad63a03197776e3b9ee4354dbfa413f7528

    • SHA256

      f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616

    • SHA512

      bbdbfdf856719da627de9c70324edfeec3e2d91d32550c12fd2923302456da68768618f45788bc68e71d48de3f30e731181b9a69139624a70bf936a8a7de3a15

    • SSDEEP

      12288:quFz06FWD5fReUOLoFCaK40dC3l8qjNG8AR:qr+WVJeVLeK4PljJA

    Score
    10/10
    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Score
3/10

behavioral2

redline, 5195552529, discovery, infostealer, spyware, stealer
Score
10/10

behavioral3

Score
3/10

behavioral4

lumma, stealer
Score
10/10

behavioral5

amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral6

healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral7

healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral8

amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral9

amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral10

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral11

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral12

amadey, healer, redline, news, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral13

amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral14

persistence
Score
6/10

behavioral15

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral16

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral17

healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral18

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral19

healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral20

healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral21

healer, redline, crazy, muha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral22

redline, infostealer
Score
10/10

behavioral23

redline, infostealer
Score
10/10