General

  • Target: r1.zip
  • Size: 20.4MB
  • Sample: 240509-wqjpjsfd3w
  • MD5: d7b5db394cfc2ed0c442617b1d38e284
  • SHA1: 546976b3800d5ad224296b161bff070714a5eda8
  • SHA256: 7575b6a7ca1e6aeecfc397511f1b32b4a78d90e4766e4942510517290d09a617
  • SHA512: 37e9b455a24fcdd7b80544b07befec52a2e8efb9619c4140215ab87b953fa54bf8692f56e554e718bfc9c5a226d0cb5213092735165434e1151017a5d66d9bad
  • SSDEEP: 393216:nGdHUlrjUlAQ+0unA0vEKsA3Ikf1EyL/FSlw0WQWQ0sjGe7:Gd0BUlAHRxcbAlCtyZQjae7

Malware Config

Extracted
  • Family: risepro
  • C2: 194.49.94.152

Extracted
  • Family: redline
  • Botnet: 5195552529
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted
  • Family: amadey
  • Version: 3.85
  • C2: http://77.91.68.3
  • Attributes
      • install_dir: 3ec1f323b5
      • install_file: danke.exe
      • strings_key: 827021be90f1e85ab27949ea7e9347e8
      • url_paths: /home/love/index.php
      • rc4.plain

Extracted
  • Family: redline
  • Botnet: nasa
  • C2: 77.91.68.68:19071
  • Attributes
      • auth_value: 6da71218d8a9738ea3a9a78b5677589b

Extracted
  • Family: amadey
  • Version: 3.86
  • C2: http://5.42.92.67
  • Attributes
      • install_dir: ebb444342c
      • install_file: legola.exe
      • strings_key: 5680b049188ecacbfa57b1b29c2f35a7
      • url_paths: /norm/index.php
      • rc4.plain

Extracted
  • Family: redline
  • Botnet: papik
  • C2: 77.91.124.156:19071
  • Attributes
      • auth_value: 325a615d8be5db8e2f7a4c2448fdac3a

Extracted
  • Family: redline
  • Botnet: lamp
  • C2: 77.91.68.56:19071
  • Attributes
      • auth_value: ee1df63bcdbe3de70f52810d94eaff7d

Extracted
  • Family: amadey
  • Version: 3.87
  • C2: http://77.91.68.18
  • Attributes
      • install_dir: b40d11255d
      • install_file: saves.exe
      • strings_key: fa622dfc42544927a6471829ee1fa9fe
      • url_paths: /nice/index.php
      • rc4.plain

Extracted
  • Family: redline
  • Botnet: gena
  • C2: 77.91.124.82:19071
  • Attributes
      • auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted
  • Family: redline
  • Botnet: kira
  • C2: 77.91.68.48:19071
  • Attributes
      • auth_value: 1677a40fd8997eb89377e1681911e9c6

Extracted
  • Family: redline
  • Botnet: 581694481
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted
  • Family: redline
  • Botnet: 5637482599
  • C2: https://pastebin.com/raw/NgsUAPya

Targets

    • Target: 0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535
    • Size: 1.6MB
    • MD5: db49775df584d04028c83082753a41e4
    • SHA1: 4c5e66c25845497bbc4181dd5e601cf49ae54830
    • SHA256: 0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535
    • SHA512: 93ddb8d4f97263fc55df13832695ba63692016c840db1bdd629aa0f463e46c97bbf88cdc471423875c87956ffa2b66d6653474970123822e4515f182ff586eaf
    • SSDEEP: 49152:9MsyWtfsl+3i5O5xzr6W/RFze49CMU1b:Os7m030k1lz//2
    • PrivateLoader
      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
    • RisePro
      RisePro stealer is an infostealer distributed by PrivateLoader.
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application

    • Target: 1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab
    • Size: 515KB
    • MD5: d9913d9f643c9aaedccb2c7e055ed031
    • SHA1: f9812f588b1a16b6d292bd553695404858dae7b6
    • SHA256: 1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab
    • SHA512: 51ce523840bec8f71baaab82b7841abbb825276280142cb67a84276558bb640a5fee511c865862868cd1f15ecddaeaf6e4c0feacf826751d37229577384dae00
    • SSDEEP: 12288:KMrxy907uK8EElOOinxnMP+vIPGBEARwMrXu72wuL:TyquPo/nZ4LPGBEAdrXu7bo
    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • SmokeLoader
      Modular backdoor trojan in use since 2014.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

    • Target: 2d6ce3858dc5849cd0e5ce873e285bbd3b6a34ad11e20937b1827c8f3594abb0
    • Size: 274KB
    • MD5: e37c96dcb461998f850d7f29636f4c7e
    • SHA1: 99e246345e6f7e42e1bbf87413af04ecde111326
    • SHA256: 2d6ce3858dc5849cd0e5ce873e285bbd3b6a34ad11e20937b1827c8f3594abb0
    • SHA512: 8e74a88d6396f1c687e70c4e54964a3bbd632038d4c775ed01f6564fb0651484f7e75e499cda7e159984f7d595b8bc0cb497b3762b4ebb133035d32986343670
    • SSDEEP: 3072:S++KoocagDG2XjkWhG2Lf7Ggq3L1JxPiilhkgowrWtctWaYUhP+OKerH80fNLtvf:tJeaoQWhlmgE5++WhsZrr9tCZnrwp/
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

    • Target: 3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729
    • Size: 390KB
    • MD5: e5623dbb07c715bf40d82dd36df6cd45
    • SHA1: 1e636843ca903406cf011d2359e300737cbc9176
    • SHA256: 3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729
    • SHA512: 3cb7f3805046123b7b6297783478c41f7a02a154fe49957e4a866b0ea29b1dd697ef0a1cdf4240603d4b4e08a26d4d1220d89e86cdcfecae350c1fe9512317c1
    • SSDEEP: 6144:K6y+bnr+2p0yN90QELJRVtUdXkWcnZNTQR52pX5B9I9/VULECcHnlRHnnXUQtLQ9:6Mryy90VnbyWpDy9/ihcHnl9XXtLQ9
    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

    • Target: 3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a
    • Size: 2.0MB
    • MD5: e1ca89e321f8198d4253c9178eb523ff
    • SHA1: fe072ee589998082c37b054c4d8e4f0a6aa4eeb7
    • SHA256: 3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a
    • SHA512: af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d
    • SSDEEP: 49152:SxZh3SQ5yCsV/BuPeQePc/yRrkS2TCwuRI7V1GiTCBC3O:WSp/iucmAS2TCFIB1RTC
    • Modifies Windows Defender Real-time Protection settings
    • Drops startup file
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application
    • AutoIT Executable
      AutoIT scripts compiled to PE executables.
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: 3f3ae364814c4c229616f1792f939131d6af421c4fa431b81f955015d14c8168
    • Size: 308KB
    • MD5: d1692bfe69b9eba7c632642192c2387a
    • SHA1: 132970b55855bcff595ac8af257b27c4b0fcebc0
    • SHA256: 3f3ae364814c4c229616f1792f939131d6af421c4fa431b81f955015d14c8168
    • SHA512: 715b107c3e4a7772159c0de693ccacf36a2f62f54dc3cac0b4c7f6e0f8f25996472803be965eaadea3906e100e4f8557782cee76399a8787d91f19ec3107cf06
    • SSDEEP: 6144:dMbygE5HGw3GNc6xTQROzphoTjgEV9YCHtWRKZl/I:AygE5HGvWSpmnr7p3nI
    • Score: 1/10

    • Target: 4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b
    • Size: 306KB
    • MD5: d41a5cd7a3a7870992cfd75c5eff1637
    • SHA1: 8365910e5f8fff802cd8d928351270432128abaa
    • SHA256: 4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b
    • SHA512: 893c73fe37c917bf3c8557c1344e03daef3d1264a0296847fbd5e667e0070b6c920a58f709ec96bb2c1afd22a485d366479f57911eb5073e4c77e6f43243604e
    • SSDEEP: 6144:vBZd9vSWh60RVAtljy11yiI8iz2jaYO9eGoW/JyL985:JZiWhHE4i6qfRyL985
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

    • Target: 54ca5c456ca4541c7a54027ae67295d9bdec93f29d76b9e8ab36e1fd52b1b876
    • Size: 390KB
    • MD5: e2ff92ceb1b36894ab6449df6190d5fe
    • SHA1: e62b58fb4e8a161514f89711a1684e1db6100572
    • SHA256: 54ca5c456ca4541c7a54027ae67295d9bdec93f29d76b9e8ab36e1fd52b1b876
    • SHA512: dbed33a08c20707d07b024fec719db94a797828ae3644fb2d81ab7ddfc504e04ed863b29e1fabcbbea4403af4b1ce70c104e4ab4efe226d2a188f9bc3f23b5ab
    • SSDEEP: 6144:Kgy+bnr+mp0yN90QE5OQxmN7o/L8EAr2zsmgutzuXdMyFIVZ/dxGL:sMrOy90DbxGT2zsNcCXdMyFIVfw
    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

    • Target: 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df
    • Size: 308KB
    • MD5: d5f61fc6a8c52e0a93619aa88abf0823
    • SHA1: e8ab904b74f798424102a1739f810f09f1987d60
    • SHA256: 6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df
    • SHA512: 3b5a5f2a02c8788cb4e7245073766e30d3bbb4cb635ae648502d80ceed32a876b0103bc90ecc4fb1749f84d354cc3ba91034aad95f3fd1ea82fe12eca0b6b85f
    • SSDEEP: 6144:K0y+bnr+jp0yN90QE3lEY+zbPsn4Jkb2LPrKRc57uiL4P7:MMrby901b+zYebLPrKG5fL8
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

    • Target: 8db6f544940545b4e7f0eef92bc68e65f5e9efd3707f33b7e5594777d56ed71f
    • Size: 517KB
    • MD5: d41f1c7e31301333d4566921fa2e746c
    • SHA1: 96f01a64517b81d61603d8d63d0a541c46989f11
    • SHA256: 8db6f544940545b4e7f0eef92bc68e65f5e9efd3707f33b7e5594777d56ed71f
    • SHA512: 49b5db3895973f5a63fa5a08d047f9a9b14b82352cb65a5a87c7be12be1797a159276c75dcc16fc61a4c4dba545ca4cb29772a8a4e07f086a47367ca2d5718dc
    • SSDEEP: 12288:WMrPy90Mk+nx9EIMXo6ST4w8kur2PMHtpq01YsEc:Zy/vvDMXo34w812P6ash
    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

    • Target: b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f
    • Size: 925KB
    • MD5: dd93ee60c259b6d6649066385f4244ee
    • SHA1: d07a767c2cc5a3f4e22536f80cd5403d48e79f31
    • SHA256: b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f
    • SHA512: 77da63cbd5f5c49e42b7c8d31388ce5a5f310ab7435e9200ad94f74339d371dd8e4100c1de2700f908c44f849e293b4ae80d8354c03e9c20ab5057df4d2d126f
    • SSDEEP: 24576:jyvRZtvqBOv+fxZ0j5MqJu/2vUx4SoSoG:2vXtCVxZ06qg/lX
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

    • Target: b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da
    • Size: 922KB
    • MD5: d86f13a3db074ef7115f9b305cdf356d
    • SHA1: d0f7e04a160f577a0fc1f2855d4b2a75705f6a15
    • SHA256: b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da
    • SHA512: 95d1cf4a6a8fc9aa0fcb81bacd78051ef8d06a27bca3e27053283006d9052e6a6329fb0cb5625c6cd9298760d379d043ae18dfbf9c55be002a23f8b7a33107b6
    • SSDEEP: 24576:ayCGAwe+RYdJNjQiVFX9ZD9I21pB3C8MMdMxeoG:hCUe+R4JNUilZDH/3MkMxF
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

    • Target: c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52
    • Size: 476KB
    • MD5: e8caa8893f50e0966996c562c5eb98c6
    • SHA1: c40d0c633b13045071520280d46f4e46bb13585b
    • SHA256: c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52
    • SHA512: a046db8a5d6517a1666128eec70ccf1d1a7e43d3a82b1a611a0682098c13be1f2f4a95eda33b5a5458c963cac460d684e7fad34404b23fbc4243b37b788e55df
    • SSDEEP: 12288:GMr+y90sHo/b58xomWqrWmDmuKRiEXYp7FMkCeHQYbuQCvZReT:kyXHk58xosWgmuKcEAFXHHQ2WG
    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Detects Mystic stealer payload
    • Mystic
      Mystic is an infostealer written in C++.
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Adds Run key to start application

    • Target: cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604
    • Size: 491KB
    • MD5: dd10174f7fa3d017558c8310bf07d851
    • SHA1: 08d795a3d2334906da989e46a7e57d4ba9aa9f41
    • SHA256: cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604
    • SHA512: a714e8babdc8d8a0a9f8e6ef6430d4f1cde70d3d80a902a1e247eb93bdf76e91fa89c4132708e0c632469b725c625ae65e30a908f02018f10b23460a02ec9d05
    • SSDEEP: 6144:byblvlO3FlxJyFVsxRc4jdcE2rnfUT2pMBUdwrKkUfzK4V19X8GnYkCDWFElr:bOlvlGIsThKrnfnMBBSzK4VwGYF6FYr
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload

    • Target: dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc
    • Size: 3.8MB
    • MD5: dcbb8546ac03e3ee841683345965b5aa
    • SHA1: f1200632683ac24499e819d076d999759b6e8c24
    • SHA256: dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc
    • SHA512: 964cd4c3c1afcc069c59383e6de2f1d3f1f7fb873bb11c1552dd095529bcf6e6dd2b482a3b9f1862408dc6df15a5beb7d9a5f7bd1cd1e8a787e246fc6da76ed3
    • SSDEEP: 49152:DtLCPo0lVRu6n4Vb/QNM0LZb5H5lK4tM5pRLoPPunS9NYnmJtE82FwIsUCGPdvmI:xSdlVRtngb/kM0LZbpCpi5GnsCw8dV5
    • Score: 1/10

    • Target: e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e
    • Size: 857KB
    • MD5: e51f5ef0b3d5038c9e1b0b5516244e8c
    • SHA1: d1d5a940665d849f900e8a369c29f0fac7c1374f
    • SHA256: e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e
    • SHA512: b5f4eccb3c51b84c315b966ea819b338b0cb8b6970b8c85749f123f9a6c06b0b76e64b29c303afc816b4c338860388d6f3c47e2a10f99828a7bd004de001c19b
    • SSDEEP: 12288:7MrFy90I/vsuqkr+jSMqxvObV/znJyyd34t6G6Gxzbj4kx2R2V/dBAo+HES2VN9T:myN/vXx+6GR/t37sJbj/fLAZ6Nlb9d
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Executes dropped EXE
    • Adds Run key to start application

    • Target: f358ce518b566bea6bdd08924ef70ab740c7135042e1d38e8776afca44f4c2e2
    • Size: 6.1MB
    • MD5: dff304091a81ae5204d3c2d959b8b919
    • SHA1: 46a965af549abd1cd9a5f5dc10ac3775e6e1f7d4
    • SHA256: f358ce518b566bea6bdd08924ef70ab740c7135042e1d38e8776afca44f4c2e2
    • SHA512: 0a1b7e83c5db4f3ab567c79f3654698543d2055b1ab296632fd30711f44315024b15b9c19b22162a6c6072118eac7e8506660ee4141bafbd5cc6f980082aaa25
    • SSDEEP: 98304:Ve166GzhKA37Mpd/LYMbK7JOa9WJDOAR598zW5E7Zpshx+gsV5GQrTIrmp0dFyo:Ve1szhv3SOM0J19Em9UYgsfPvIrmHD
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Drops startup file
    • Executes dropped EXE
    • Themida packer
      Detects Themida, an advanced Windows software protection system.
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • AutoIT Executable
      AutoIT scripts compiled to PE executables.
    • Detected potential entity reuse from brand paypal.
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17
    • Size: 274KB
    • MD5: db728cbf359c37fe47ef07fef8648cdf
    • SHA1: 6bbde5a35fb494a1b3ba4bdefce2e813e04f6853
    • SHA256: f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17
    • SHA512: 79daac25200bd5b39c6ee63ff11d00dc684650e5abb1bbef1c459c2167906cb33d821e4fb838c591393f7f2258337e10d8018aa0cb35103e2a64be492c341e9b
    • SSDEEP: 6144:/BeaoQWhlmgEkiJUS+1zTi7IhVFzHoCuuiwpH:peaZ0wYZhjI4pH
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

    • Target: f6dc0b4c65662a9753e54800489b07d9f5a6a4c896a61d93f3a1a3e28d5bc9d6
    • Size: 390KB
    • MD5: d34cfe3583bc421f5644a1fd7ed61f53
    • SHA1: 75ccaf032237a6b8a392fa4ab52577030f805e1c
    • SHA256: f6dc0b4c65662a9753e54800489b07d9f5a6a4c896a61d93f3a1a3e28d5bc9d6
    • SHA512: b608a0e2a670766d3530911938ced2d288a559ba109bf992799e4e0e98ddcb7c13ddef2ec0e2bcc9648839b65d519850a1da431ef1728078bb57af8d013b838d
    • SSDEEP: 6144:KAy+bnr+ip0yN90QEOZrg/uOH+aqFJOhbEM7bSnjHwVCcHnlRHVVE/iRzFmp:kMrCy908ZrgWBa25njHhcHnl9Yqmp
    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

    • Target: f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be
    • Size: 908KB
    • MD5: e4759911e541d7a543ea033b0928ddf4
    • SHA1: e39c427a6cf47b16cddabfd2c7fb00038e1dbe1f
    • SHA256: f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be
    • SHA512: 7760d634d8a8b0a2e2c9847c4c367589607de2d7ac43112830289dbf3585902dd0f824ebfcab04040f701afa6b86884824aed2f032e6c09714ac8575b7bf9e42
    • SSDEEP: 24576:JymRvMfvH6jv/02RcWIfpZCzHKXYSvbx3ejLORx:8GMfPQc25Ifv+qHv9uW
    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Executes dropped EXE
    • Windows security modification
    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • T1053 Scheduled Task/Job (9)

Persistence
  • T1547 Boot or Logon Autostart Execution (14)
      • T1547.001 Registry Run Keys / Startup Folder (14)
  • T1053 Scheduled Task/Job (9)
  • T1543 Create or Modify System Process (10)
      • T1543.003 Windows Service (10)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (14)
      • T1547.001 Registry Run Keys / Startup Folder (14)
  • T1053 Scheduled Task/Job (9)
  • T1543 Create or Modify System Process (10)
      • T1543.003 Windows Service (10)

Defense Evasion
  • T1112 Modify Registry (34)
  • T1562 Impair Defenses (20)
      • T1562.001 Disable or Modify Tools (20)
  • T1497 Virtualization/Sandbox Evasion (1)

Credential Access
  • T1552 Unsecured Credentials (6)
      • T1552.001 Credentials In Files (6)

Discovery
  • T1082 System Information Discovery (20)
  • T1012 Query Registry (14)
  • T1120 Peripheral Device Discovery (1)
  • T1497 Virtualization/Sandbox Evasion (1)

Collection
  • T1005 Data from Local System (6)

Command and Control
  • T1102 Web Service (3)

Tasks

static1
  Score: 3/10

behavioral1
  Tags: privateloader, risepro, loader, persistence, stealer
  Score: 10/10

behavioral2
  Tags: amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral3
  Score: 3/10

behavioral4
  Tags: redline, 5637482599, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral5
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral6
  Tags: evasion, persistence, trojan
  Score: 10/10

behavioral7
  Score: 1/10

behavioral8
  Score: 1/10

behavioral9
  Score: 3/10

behavioral10
  Tags: redline, 5195552529, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral11
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral12
  Tags: healer, redline, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral13
  Tags: amadey, healer, redline, papik, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral14
  Tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral15
  Tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral16
  Tags: amadey, mystic, redline, gena, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral17
  Tags: redline, lamp, infostealer
  Score: 10/10

behavioral18
  Tags: redline, lamp, infostealer
  Score: 10/10

behavioral19
  Score: 1/10

behavioral20
  Tags: redline, kira, infostealer, persistence
  Score: 10/10

behavioral21
  Tags: paypal, evasion, persistence, phishing, themida, trojan
  Score: 9/10

behavioral22
  Score: 3/10

behavioral23
  Tags: redline, 581694481, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral24
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral25
  Tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10