General
-
Target
red.zip
-
Size
12.6MB
-
Sample
240509-wpnbcaad52
-
MD5
aca9a51fd57b56eb53d0b1b91f9477fc
-
SHA1
970bb8bb69fa3b55923eaa35ef500d13e1cc0284
-
SHA256
7d410d6cb63e94a97e6688255ca56279bac5cacc70d37f91986f2235ce99ef8e
-
SHA512
cbbaf0521d2278f4ac30b7944a1fcdf1412aad9a3869fb63e7e4b3d1105b98bdd0e67ce1ce08321b62b5fa8535f78fbad1e4352d0d3b41ffbf70f6130a5f23d0
-
SSDEEP
196608:pHQqmwbiVMP1WUf7hoQj1d3UonEiD14xbckhxDecuqrJWMBXRe+HR8:pwYfP1PDhoQjPEeIxbvwgoMBheam
Malware Config
Extracted
lumma
https://plasterdaughejsijuk.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
https://mazefearcontainujsy.shop/api
Extracted
amadey
3.86
http://77.91.68.61
http://5.42.92.67
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Extracted
redline
5637482599
https://pastebin.com/raw/NgsUAPya
Extracted
redline
masha
77.91.68.48:19071
-
auth_value
55b9b39a0dae383196a4b8d79e5bb805
Extracted
redline
7001210066
https://pastebin.com/raw/KE5Mft0T
Extracted
amadey
3.87
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
gena
77.91.124.82:19071
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
krast
77.91.68.68:19071
-
auth_value
9059ea331e4599de3746df73ccb24514
Targets
-
-
Target
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca
-
Size
3.2MB
-
MD5
ebae2001c178349478be67bcab2f95e3
-
SHA1
53f98b5a0e55f4fea161e69ef617e6225270914b
-
SHA256
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca
-
SHA512
c8f48338abb5e7c95dc316cc25352286344fa297cfc507328379f23fc819c47490bbb529ba5854a6ccd99c8345c773d8800dfed48ce914754464d2ad13adc378
-
SSDEEP
98304:PeI0efBuRWQ88ctBoLsh/Q7G9ao7cwdizRS:PeIdBuT8bthSG0oc
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Detected potential entity reuse from brand paypal.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
0f6ce02639d4d4caede8c3432a529ff995f9d50cbfec335bbe9dc19b8f5c9ddf
-
Size
390KB
-
MD5
fbe11448c95eb3d859b67811a5027ccd
-
SHA1
f3ad51fdea8d704a2ac80be6fdf81bc1fd99e72b
-
SHA256
0f6ce02639d4d4caede8c3432a529ff995f9d50cbfec335bbe9dc19b8f5c9ddf
-
SHA512
a048298718fd19a810bbffdd73e39027c1458f085cd3ebca042ce8470979c1b5830d1e4f16f7fc3ccc96dd546f78d850c90c3493887cca66e0ecaa4c34f911c4
-
SSDEEP
6144:Kny+bnr+Wp0yN90QEa35FPZiqimkWn7ZNjQBLvam3+eYNKV5HJuZMBrCFXkK9xMH:hMr+y90s37PZq+k+v4fJAMdgXACDYv
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
10893005755e760cedfd88c67f168c3e2f1e26fafad63a929c1e953e718f49d7
-
Size
389KB
-
MD5
f66ede1e06a086d548beab7306b19c2b
-
SHA1
e3473b146cbe237f60308ded64136d2e0d0e0138
-
SHA256
10893005755e760cedfd88c67f168c3e2f1e26fafad63a929c1e953e718f49d7
-
SHA512
892cd0b6b431c432f1defc9e8519389ac731c4b635e5e8b610790495d7e02ab7cb0057d3ce349a893bca34d9d21185b7f69c744258984ba1ea5947ddb322cd69
-
SSDEEP
12288:EMrZy90J4zMV/aGuDCQsgBYCpxsHJKBCs7:tyc4xHDCQzzzsHJKb7
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837
-
Size
235KB
-
MD5
ee5e79d00a13fde9e96a1f9953f35fea
-
SHA1
788be8b6304f138f5c7bdf00fe98562de6f2790d
-
SHA256
10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837
-
SHA512
26b1209bb16d6e5ed3dabe6fc18e6ec425197ecfd26f2038d9d796cff93d25597c774ca01fec5d975457ef7e544b9d7f7d09372e391c1823b4a7e3bcf94d0c49
-
SSDEEP
6144:KCy+bnr+0p0yN90QEdHyEL9MR1SKgfYLNYs1Ul8C2N:6Mrcy90zgoYLWs6l8V
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c
-
Size
390KB
-
MD5
f8cfb1df4bcb4f9f8b7b9d0708e16d69
-
SHA1
93755a42eacd228ef291a3136a1394593c678faa
-
SHA256
188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c
-
SHA512
12b8522f261a7e3d0b91a41cfbf93b80bd10ffde1f8b53c548e8aafcca765cd92f511b71d05a298b7712e9f30b3cf81eced8ffe73ebee48b3230d5402cdf3f68
-
SSDEEP
6144:KQy+bnr+lp0yN90QE4JX36Yol3tvc630ZEnOOZ38ow6db8IEw2+ogF1AmoTMJrTH:0MrFy9003obIE3dwooI+c1AlTM0Mq8X
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
1b3c0e579787bcef84732f5265ff9b365cdc639dfb3b301ffbfb808167567506
-
Size
390KB
-
MD5
f721e921a1d0ce588d0614c7257f90f4
-
SHA1
339b731d73e585d123b3243ef3f3f95ecd92e4d1
-
SHA256
1b3c0e579787bcef84732f5265ff9b365cdc639dfb3b301ffbfb808167567506
-
SHA512
302847dea588564672f5335a1e312d34a99b166c601369e3ab99a01b7c2b1201c56b4b87859b3d8658c316e37004ac8b16a40ad304e1a3116172e36fa9071898
-
SSDEEP
6144:K9y+bnr+/p0yN90QE/TmKPN4KfD+HXyLx+SPntq302ViNF4XLmMdmIi5:zMrny90lyMGKfDwaPO02ViNF4zk
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447
-
Size
314KB
-
MD5
a2e82df6d2a9597325d8523d3625b7c9
-
SHA1
1a5bf994f2bc9c0cd810e94776a3fc480f5d7f3b
-
SHA256
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447
-
SHA512
1a89b7a438d12b21e4c2b2b9afbc348fcab3bfbce86b03ae49b001a5a184ed911cbf5f484da987c23957fec7afe9deebfc815215ef956bb3a8edf692a000eb10
-
SSDEEP
6144:znnpI60nbM8uPZy3+8KIDx7uVKBrC27XXJCWsgg5DeQhNM9PXHS:zn+60nbnuK7I+rC0XX4gg5CQhqHS
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d
-
Size
1.2MB
-
MD5
fb2fec42f81a255012c589b29e4f086e
-
SHA1
99110b60ce21039ed15f571a46159ed2409d2ead
-
SHA256
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d
-
SHA512
0c36b9af63f1e1aef4cd1146c9b99902fcc8ca3bd61228b163336f10085170ae31889dc1837ca0b1c547818e4bf4b60450ff1b7599b324ac22bae8290fd5e3da
-
SSDEEP
24576:EXixqeljPl1pVbGqvHnoPa+YioUMMn/NNT2CPQ6:EyTl1pVbGqsuM/L
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e
-
Size
1.2MB
-
MD5
f2060efdea36d0b964aacf58232d74c6
-
SHA1
26c27e2c2f243cab2d85bbd3b4dc8b6f2590daf3
-
SHA256
3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e
-
SHA512
bb051ac9bb0699feaeab22c94d8ae535ed392dc0aa440907475d421870c5f8f44101dd1ef306ee96946c646814cc6db36e9623ba18ac917c50dcfbf4686abb54
-
SSDEEP
24576:F9lnCBXoonp1hwCMUkRvWOvqYCZ2ylmJ0H6r:FPRonp1hwCMUkk6pCtlo0ar
Score10/10-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext
-
-
-
Target
3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb
-
Size
514KB
-
MD5
eeed819879e60a78356884c79cc1176d
-
SHA1
73182a6228fb1978bb85b750939e58083733dae4
-
SHA256
3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb
-
SHA512
ec81ffafd04adfeb3849df9b2fc7f501b652124b0d3d40c2adef0f53a95fa17385a955ddc5f6598893572ae8e3a067cc80f7ae5a2600f5ce1514395b7e83a8bf
-
SSDEEP
12288:gMrDy90VStL+T5sUZjdKCjNhbdg9f23ulFmoU61Z/d0Z/+mxQz:zyAcIHH5r4rmj4W+m0
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588
-
Size
724KB
-
MD5
f4f787db36502a2e05f39da6a313e914
-
SHA1
4f842c75ce854d86420f9790c47c81bdcecd7c5d
-
SHA256
3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588
-
SHA512
0728509f9668750a075e73175e48f90625f5e62ef3d1e95641d654d43f749dacb1012110c6e445aa64308a64b0d23c447041ab0ec994300a6b06a1091523d52b
-
SSDEEP
12288:hMrCy90ubk8a7kp52+3z2scqnKypirYMFBWzHKXRd1akvD6lKCjetDmzHu:zy5w8Qkp5/z2sc6KypgCzHKXf1vOHje9
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71
-
Size
359KB
-
MD5
eb475f3a8c4a25a19fa0abdc1e907952
-
SHA1
8988b40a69f6cb754a42bc5c7871ed839629b504
-
SHA256
40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71
-
SHA512
3199b26a1ce8049c64556a2a9d0465c3ffa479594ca01d7ce052ba64fd128ab9da6302bf55baaaf59479e3a4c53f0569d93d7bb4d1566d1d65b4864b4a20af09
-
SSDEEP
6144:Kiy+bnr+Yp0yN90QE0u4z6ibeyRRmxXl7FiiOhCn2v2wTcpnC:2MrMy90N4z6iExV3OhCn2xt
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
6ade7d6ec7a6381185b43d64ae2429ee9c4ee1ccf584c5bfe5887d96d03e3680
-
Size
924KB
-
MD5
f2a435288af42881303cdb4793ee7400
-
SHA1
9f5bd3e4f31299347372107b08b89938437393df
-
SHA256
6ade7d6ec7a6381185b43d64ae2429ee9c4ee1ccf584c5bfe5887d96d03e3680
-
SHA512
18a69e04bd6ae02bf78bb2673dbe3b7710c889afa62189238db4837f1230d5debc6b97f02a8a8d677f5df5cc19b6fc735ef1502a35c05a060d767a9fcd550e5d
-
SSDEEP
24576:oyWuYzzI8C7pWy5JAFCCMr58qneW2i4IFoYYOiG:vmzIls0OMr58qneni4EoYYj
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b
-
Size
983KB
-
MD5
f96ab377e21347c5e38d5af7a8917d70
-
SHA1
71ffd7a11f3ea4ca942f5e37c4ee26a579768db5
-
SHA256
7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b
-
SHA512
faf6d7f33e5d90290319169b374e77504649ecb6ca8377e5424d006967a3c552e3860da4b3fe926f341e86ec7e4dac36dc3f9eb0d0745eab84acfc6ac23299f3
-
SSDEEP
12288:h2pQArdk+4w8eaVYVpoeQEbc0L2NcsWrQ8Av7VT5cO1utoW3Z11609QZ:h2p9dk+4wv2YVpoeQbVvRtC3Z4
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
855fd4cf224283ecfadcbbde8f8bda52096a389946f6890fa83b09e26cea10dc
-
Size
1.0MB
-
MD5
f4c9a2e04bf7425f92b4dfa743985d4b
-
SHA1
ecc8cafe83d4ce841894c78a6add9841174738ef
-
SHA256
855fd4cf224283ecfadcbbde8f8bda52096a389946f6890fa83b09e26cea10dc
-
SHA512
cc22e3244b1e9a5373777dd645b864761963fc34ebaa09338a6cf16f0240de7b6d073203ebc70a45cfb0f41b23bfe6f60adc2322f1bc71f3bf92b9ac40872d68
-
SSDEEP
12288:pMrXy90AnEbF79w5lfUQYeJ+CMGNfrZlcROl1Eh3CkczpbZ7wyYirGZUq0dTlpLx:iyUZ5wTf/IGhPc8lUspb+g2U/Tlpv5
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199
-
Size
514KB
-
MD5
f7e21fe46471f2c2ed069aef315b7804
-
SHA1
dd6a5df8e71397f470e69c76f39d1c0cc9005028
-
SHA256
a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199
-
SHA512
0a7019ce31cadd53d2bc8034ae4d07e94efd48240077da373c914b86e16a9395e55d53721c5ebd383fa2bae16ae0ab95f8091f1f779f031d7dacf208e2b41fd6
-
SSDEEP
12288:fMrLy90LKDglCRXwYt1wZvidrr2fIfvZVHex:MybklLYvOvqWIZI
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7
-
Size
990KB
-
MD5
f3f7b120102c92d22113a925a8b7484e
-
SHA1
84c72e9a03850118992ae8e1b0ed7b90c408cb8d
-
SHA256
b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7
-
SHA512
e0a69d4dd4fbfac414484d004be58b0a91e82996239da83db9c4bceb6db7c400dd7e8d4dfa9fa994bc55894ac63cf7851eb19780b862da30b6a21d8ba5def1eb
-
SSDEEP
12288:esaAPELxH8A/5+ldbqRZ7MCRMbG2uE64aVF7o7zF8nJduIZkUAEpu4Eb:8A8LWA/5+lURZ7MCRwGGakPnUAEpu4
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817
-
Size
389KB
-
MD5
ecb22f79e71a59c4894d1e5d8c1e5fc9
-
SHA1
2207da5846db951af84b3bcc1cc8fb55ab05cb95
-
SHA256
bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817
-
SHA512
975684b217b7ccc5f5819b75de371efab9a70b2be15afef048b793159718d66bf8f78325747e8ee5c6fcf059aee692d00b640a697d9521768f912f7a9b32fc58
-
SSDEEP
12288:FMr9y901Cn+QmrzXRYcvB8gBYCsmbp4cy9:cy3+zjRYc5zXbpi9
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab
-
Size
390KB
-
MD5
ea4c8fd3c2d26a95dad5562a25fdfddd
-
SHA1
9c667037c530458e8d1487d63264d48ee61468c7
-
SHA256
c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab
-
SHA512
bd344a8ed2c93baa2b1e5077d8e103f096c6a4e9d2bdd01578374f8e97eb28c5527dd9b0dec268b93995ce9133459d9db3aaa274cdd7fa48368b57795702909c
-
SSDEEP
6144:KXy+bnr+Qp0yN90QEnqqTiS9Kz/8ZVyVgfrxGW5VY5p5xyCVQe5P5XxGnnmJ0bGe:BMrEy90HdfrxGW5zCVQI5XxGnBGy2e
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54
-
Size
1.4MB
-
MD5
ee2b40ddaa498948143e583523b15aef
-
SHA1
b246f477308da6a2973d755c1cd023465049b234
-
SHA256
c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54
-
SHA512
bf9a360e1f67e00a77eba27c9939a720bda97f5d6c51fd65401f496eff7289b1862f76aa67c44bdf8df66efcaaef488d1f855ef0059453c0c2ebee7d1ae5af94
-
SSDEEP
24576:Gyg7pPRAxomGgmAKDEfFDbHQkIrak7dzFh4gUnTpnoHruMyAl0lokb6lOjKVyX+v:VkpJAxwcKDEfRQkYa874gUnTp4WAl0lG
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
15Registry Run Keys / Startup Folder
15Scheduled Task/Job
11Create or Modify System Process
12Windows Service
12Privilege Escalation
Boot or Logon Autostart Execution
15Registry Run Keys / Startup Folder
15Scheduled Task/Job
11Create or Modify System Process
12Windows Service
12Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
39Impair Defenses
24Disable or Modify Tools
24