General

  • Target

    r1.zip

  • Size

    12.6MB

  • Sample

    240509-wzn1magb2t

  • MD5

    60c2b38730a06227df058699de96abe8

  • SHA1

    4660587615daa86f615e56992c4df296437a1137

  • SHA256

    f6a395732f5dfe45c1b53e1a544f31826d5f310499de2170e9064ac9605a913e

  • SHA512

    ec733239a019533b50ea162d013815e6d3e2333ec588a0f5215a3a7d0ddcecae89b77325d9c29d8289a781a8800c2ab33674d92592d621c541eab4cabf85c749

  • SSDEEP

    393216:6jK4oly4Tt9kDp2g/gYsjyqriZ/5K/yqxTUzEM:6jCXTQp/LsjyqrU/58nYwM

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071
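The extracted configs above carry three shapes of network indicator: Amadey gives a base URL plus a url_paths entry (so the real C2 endpoint is, for example, http://77.91.68.61/rock/index.php), RedLine gives host:port, and Lumma gives a list of HTTPS endpoints. The script below is an added example, not code from the sandbox report: it re-keys a constructed, abridged copy of the configs into one indicator list and hunts for them in constructed proxy/DNS log lines. Matching is token-aware so that 77.91.68.6 or 177.91.68.61 does not count as a hit on 77.91.68.61, and each hit records whether only the host matched or the port or URL path matched as well.

```python
"""Normalise the report's extracted C2 configs into indicators and hunt for
them in proxy/DNS logs.  Added example; not code from the sandbox report.
CONFIG_TEXT is a constructed, abridged re-keying of the page's Malware Config
section and SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

CONFIG_TEXT = """\
Family: amadey
Version: 3.86
C2: http://77.91.68.61
url_paths: /rock/index.php

Family: redline
Botnet: krast
C2: 77.91.68.68:19071

Family: redline
Botnet: nasa
C2: 77.91.68.68:19071

Family: lumma
C2: https://productivelookewr.shop/api
C2: https://tolerateilusidjukl.shop/api

Family: amadey
Version: 3.85
C2: http://77.91.68.3
url_paths: /home/love/index.php

Family: redline
Botnet: lande
C2: 77.91.124.84:19071
"""

SAMPLE_LOG = [  # constructed proxy/DNS lines
    '2024-05-09T10:01:02Z src=10.0.0.5 dst=77.91.68.61:80 POST url="http://77.91.68.61/rock/index.php"',
    '2024-05-09T10:01:05Z src=10.0.0.5 dst=77.91.68.68:19071 proto=tcp',
    '2024-05-09T10:01:09Z src=10.0.0.5 query=productivelookewr.shop type=A',
    '2024-05-09T10:01:11Z src=10.0.0.7 dst=177.91.68.61:443 proto=tcp',  # different address
    '2024-05-09T10:01:12Z src=10.0.0.7 dst=77.91.68.6:443 proto=tcp',    # prefix of an IOC, not a hit
    '2024-05-09T10:01:15Z src=10.0.0.9 query=www.example.com type=A',
]


@dataclass(frozen=True)
class Indicator:
    family: str
    botnet: str   # "" when the config carries no botnet name
    host: str
    port: int     # 0 when unknown
    path: str     # "" when unknown


def parse_configs(text: str) -> List[Indicator]:
    """One Indicator per C2 entry; Amadey gets its url_paths joined on."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields.setdefault(key.strip().lower(), []).append(value.strip())
        family = fields["family"][0]
        botnet = fields.get("botnet", [""])[0]
        for c2 in fields["c2"]:
            if "://" in c2:                       # Amadey / Lumma: URL form
                u = urlparse(c2)
                host = u.hostname or ""
                port = u.port or (443 if u.scheme == "https" else 80)
                paths = fields.get("url_paths") or [u.path if u.path not in ("", "/") else ""]
            else:                                 # RedLine: host:port form
                host, _, p = c2.partition(":")
                port, paths = (int(p) if p else 0), [""]
            for path in paths:
                out.append(Indicator(family, botnet, host, port, path))
    return out


def _host_pattern(host: str) -> "re.Pattern[str]":
    """Match the host only as a whole token: 77.91.68.6 must not hit 77.91.68.61."""
    if re.fullmatch(r"\d+(?:\.\d+){3}", host):
        return re.compile(r"(?<![\d.])" + re.escape(host) + r"(?![\d.])")
    return re.compile(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])", re.IGNORECASE)


def match_logs(indicators: List[Indicator], lines: List[str]) -> List[Tuple[int, str, str, str, str]]:
    """Return (line_no, family, botnet, host, confidence) for every hit."""
    compiled = [(ind, _host_pattern(ind.host)) for ind in indicators]
    hits = []
    for n, line in enumerate(lines, 1):
        for ind, pat in compiled:
            if not pat.search(line):
                continue
            if ind.path and re.search(re.escape(ind.path) + r"(?![\w/])", line):
                confidence = "host+path"
            elif ind.port and f":{ind.port}" in line:
                confidence = "host+port"
            else:
                confidence = "host"
            hits.append((n, ind.family, ind.botnet, ind.host, confidence))
    return hits


if __name__ == "__main__":
    for hit in match_logs(parse_configs(CONFIG_TEXT), SAMPLE_LOG):
        print(hit)
```

Because the krast and nasa configs share 77.91.68.68:19071, one connection line yields two hits: the C2 address identifies the infrastructure, while the per-botnet auth_value is what separates the campaigns, so report both rather than de-duplicating on host.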

Targets

    • Target

      03cef1108b01e5304207d3fb3a53f024ec18e0178c6dc16454723a9c7852ab25

    • Size

      514KB

    • MD5

      21d5e26d80e17d90723eafe2e81f0380

    • SHA1

      8cf32bcc5746e7097e8457cb8072e6af5c3cc078

    • SHA256

      03cef1108b01e5304207d3fb3a53f024ec18e0178c6dc16454723a9c7852ab25

    • SHA512

      265217e57e46b8e9df248deda746bb21b96a1a07b5feb70f5b117c3495f106fabc1e68db9f79097532065a4f6466eee397b8f7062f9d6b452e7395394371822c

    • SSDEEP

      12288:UMrvy90+M2xY8uiV4qLx52eJe9d/Z3Of0c:TysoVp3zov/Z3Of3

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b

    • Size

      1.0MB

    • MD5

      22b5f7bbf08fd60f2ee850f51efede9e

    • SHA1

      9ad6d7fdfda1459be16d4e59547a0d933f7c9551

    • SHA256

      062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b

    • SHA512

      6fcb688dd391ed951fef4cd75c8935f65dde1f99658eb8b3438f40837050eb77cdd5425b0325c0b4df069a8dc83bc9ae53d464612f76ebb4914f222f22272744

    • SSDEEP

      24576:XypmCQ2FZ4/Ldo7RGJawprnjhmJcVGTEq:ivFsLdQRIrjYc7

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1c0cc29edf3fda05ac6cd12ee7acdaf9ca6233c60ef212f53b42d088f670c7ac

    • Size

      390KB

    • MD5

      232287f5d562489800292f58e7147c69

    • SHA1

      6b9b9011bd9a0580c06a3777ca9b55fe2795ca43

    • SHA256

      1c0cc29edf3fda05ac6cd12ee7acdaf9ca6233c60ef212f53b42d088f670c7ac

    • SHA512

      514849f08ef74213c0a9950145b9fa8564028d189d03588fdf023f21da03555a09a910d46ae89561628e556bc64dc02467bb8dfc4b303affb071f30847ab4b15

    • SSDEEP

      6144:Kxy+bnr+ap0yN90QEpKP4ky5OqsVrV8q/9uYF0JwNampLy4dom+/2YLxSjr:LMrWy90ziVrV8qP0JcXpv42aUjr

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1c46e1db345610fe8ef6a2fe37c7407b77ab614fd47b00a74971f892275e38f7

    • Size

      514KB

    • MD5

      2245adfded81f5615b3656bb86678766

    • SHA1

      5a564c26741b1918ee9614d3a032e5fbaa4831c0

    • SHA256

      1c46e1db345610fe8ef6a2fe37c7407b77ab614fd47b00a74971f892275e38f7

    • SHA512

      74d29b952864b9596037cdaac4e5e8f4435521082aeed7178051e3ef12f07ac23489e2c93b5db259707d11cb07b0a6b74e979ec41ed875d1bedbbbdc1ecbd28d

    • SSDEEP

      12288:HMr7y903dIEV7W7qQAKEh+1mehzeG0XIBJny4:cy+IEVSzrEg1mq+gp

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384

    • Size

      1.5MB

    • MD5

      22911db4f8ba085ab5a96d55b39857a1

    • SHA1

      d583bce9bfe82d3b8c69f182fc854c305f99657a

    • SHA256

      20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384

    • SHA512

      38d972095a46d503281eb0eb94c9b1d447021f2778086633f43a28a28600c0edc148065eb31f1b4ba841ea87e8db74863ec80444013cfb1a6c466a0c1cd4969b

    • SSDEEP

      24576:QyTuRq2rq3dv5GDA3BhnPJbCI1ej1a6LJg6fTvKBNdY88bSHv9kQFIyt:XTu5gGDAR1PFz12aau6fTvKljzP99Iy

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8

    • Size

      857KB

    • MD5

      237c39297542fa123e7be74d1eaae4e8

    • SHA1

      e4473b2e8bb53b9fc2b0f7e9c4e31721fcb9f0a9

    • SHA256

      28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8

    • SHA512

      a16b6f0ea0e24b4f5898ceaf363599d682d4ad38e4b1f67dbf13d1a2272a49b2d042362816fccde43de295f7354e0c1b62c0e7b9f7c1a378c3431fc4145f5a13

    • SSDEEP

      24576:lyJLHvLRaQFKWeHcPlaBbI29NLrunu79Tf:AJFKWG2cI29NnuCl

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      437213eb4b67386b44ee8203e45489fe45f788fa215cc4f60982184a2231a6b5

    • Size

      390KB

    • MD5

      23e7870a4f54dc6fc956afc6759af6c9

    • SHA1

      5d27746771ffca43b616dc354411cc1095c4c614

    • SHA256

      437213eb4b67386b44ee8203e45489fe45f788fa215cc4f60982184a2231a6b5

    • SHA512

      fefd9eb34cd8bf6916c6cf1e3ab22b4e691fac02a0bd147f5f0c981f56e5df5b7fe377d1ca9ec184f1617192705f2827c884118d83621f878ef20cea455babb1

    • SSDEEP

      6144:KVy+bnr+yp0yN90QEXDMl237e/srokwdpCUVrebbPg4g+AVmCN6bD4GbpDYHoArv:jMrWy90V0Ge/2wdEwn4DAqbVYIArv

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      54a19d5a7a4bbca3496b0edc5d80a240350e944513622d242341964e048d96d8

    • Size

      390KB

    • MD5

      279d33c6bc3c597a48c6625ba1fdefd8

    • SHA1

      0a1d3a2795b88a0071665bb3e9d0f48c0f0ed3a5

    • SHA256

      54a19d5a7a4bbca3496b0edc5d80a240350e944513622d242341964e048d96d8

    • SHA512

      d955c19fa86a344139dcd316674b752e34eafe34e80a68160abf98b7c1e165f487ea819cc6c85d47234703540169b6e0bc59346e8baa1f516b23c81ea8ea5878

    • SSDEEP

      6144:KZy+bnr+Ep0yN90QEJvmjdAmWMjgJZqWh93SUE/LUa1zmAX0TbUf/sduk:XMrsy90nmjdAmVjgDv3SUyDCYfcz

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6407653fb96eb144397cd5292be81f74ffb0eb8949a8d73e1a21ee3c9e85f97c

    • Size

      921KB

    • MD5

      23035d801b41b05a6f6df0913478eb81

    • SHA1

      c00c74a50b7d973b64d70b10c8793dc0989d8f13

    • SHA256

      6407653fb96eb144397cd5292be81f74ffb0eb8949a8d73e1a21ee3c9e85f97c

    • SHA512

      82eba7b6998d46c337d4d731b8e81d9db3dc3193ed218d7c577c3d22928b22d8d25a3bdb714e6c472e6ac2a6f38d67ff906ccb707a0db37f3dab11c8ff7af66d

    • SSDEEP

      24576:Byve36Qov9lp/uRuA+QUdJFGmdbXVaI8Ui:0veKQU9DujUvFNbFNj

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6dd993cadea9e368a14c0ab840b0e2d0dd3ca3d699734998da4237aed7f2354e

    • Size

      390KB

    • MD5

      26876f4a5c21fe2a876e64ae3b9045e9

    • SHA1

      e59a29178e77d2d1b3c2bc30361734bd30c66bad

    • SHA256

      6dd993cadea9e368a14c0ab840b0e2d0dd3ca3d699734998da4237aed7f2354e

    • SHA512

      830e3c58d2040582c40847e0229bf29bf540ac5558d05c7e24dff8b5b07e82007f6824ca370b009806451a0db86895775c3575dd32e60dbee5f0e2bfdfa5d73a

    • SSDEEP

      12288:/MrVy90Eq1lOrOvngS/o3QSoEOOBmMvv/:OyZOvDo3ovY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f

    • Size

      515KB

    • MD5

      2154ece6d371bfbe7b76969405904f7e

    • SHA1

      39f7c2f9abe69a8dc9b42853d10e330b93c9858d

    • SHA256

      764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f

    • SHA512

      da64833b8c9a80598631242e5649164230f586d26e6171af7fac767496319a2e7147df082f7294a7faeb6e97843c03f4031ebfac1244ffab3804102e293a857f

    • SSDEEP

      12288:ZMr7y90W5WJa5xOzgYAkrlzdEEcjXAyEc6hoMzR3VFKTv2h:uyfxOpRzKEOAyEphtzhrKTg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9c51d813e0b6dfff0694c63e6d13665bb46ddf09cedb2159d701913f09142374

    • Size

      1.2MB

    • MD5

      2147c11ffa13334a34f408d09dcf41c0

    • SHA1

      a8d54ee44c76e334ed711da869eabbb138edc075

    • SHA256

      9c51d813e0b6dfff0694c63e6d13665bb46ddf09cedb2159d701913f09142374

    • SHA512

      491312f8f9c40fc85b5ec96b1c35515e401c61c42c126ec4d9ea44a01cb2e555b4c653fa5f4add5303ae28f1d11a02d301f850af8125e0803fc8c6abbe1223d3

    • SSDEEP

      24576:aFbBVjq4OlBp29oNIn8iagVCU8ubYEobt2j:ax8lBp29oNMYuwtc

    • Score

      10/10

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017

    • Size

      235KB

    • MD5

      2180205f8ead587dd56762145e7f784f

    • SHA1

      401ccddf09243f26c09e7c8b2d8bb49552835010

    • SHA256

      b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017

    • SHA512

      138b9393f587ff03c898e001f3d0c7d12a480dfeed417c6c7c22ff3dbd319a68e8ec977e0c0fcd951e3a18676f3ba0e127bc5adc3b69fe0f7bf43182a4fbb32a

    • SSDEEP

      6144:KOy+bnr+Vp0yN90QEchQmyJXNcrGFySYCcHnlRHw7:aMrBy90mC+rGYYcHnl90

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9

    • Size

      1.2MB

    • MD5

      23f4a44c0cc77486d90c2b5d3db5dfd7

    • SHA1

      7c42f90496bc5d268c92f2c07846c32b7f7513f8

    • SHA256

      bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9

    • SHA512

      f4dc5891381f139f01e073b20d0c2c311633eba3cf92b045a739413083a17934f1201b56a48a444325e26b5827077a6ca79bc8aa7a7b3f7fb4e3c855fc222527

    • SSDEEP

      24576:My3sw5khZLecoTZ5TlNzhW4hXNcWCz4YPrwk3iRkrIoDb9nBziioUiDfy:7YhZmTTTlBMmXWt4C1kyhQ37

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5

    • Size

      390KB

    • MD5

      27244e5f630cfab1b514ce4d15b1028b

    • SHA1

      36c5eed78b2ce9e253c2e176e6d6ae6a8ab849b3

    • SHA256

      c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5

    • SHA512

      2cdcfee74150bcd5e656009d0b701b8b972a8844f3b4fe48708aea1d7883c92286ed0368a6b24efa0902ea2c99dbe97a48a06ddccd69543cd6835f4023b3a7c5

    • SSDEEP

      6144:K6y+bnr+rp0yN90QEO8EikWGjZNJkp7w8ZWj9jJAVmAAhKAU4u:mMrjy90FEMvWj9jJrhKAu

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cf90d774faa53f828a5c0c7fd9b7693ab9e6a5b59349863524aae5284b993f01

    • Size

      390KB

    • MD5

      23ce47783e241446f6c0ec7e33d8e709

    • SHA1

      866efc7de0880429d9ea6ba5d691401e0005e3b7

    • SHA256

      cf90d774faa53f828a5c0c7fd9b7693ab9e6a5b59349863524aae5284b993f01

    • SHA512

      b59e08b4ecd06c760819e348a6234c5eb94b4bed22c8053b1fd1f216ccb56249e4fb0c5ce6d4f2a149a616c0d063b6c05f8d8651f707eb0604972569053a2a38

    • SSDEEP

      12288:tMrMy90bKGAGuZhqDSqJCo1zBxA1PSezdo0rrk:ZymyhqDkif4S+oF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e65fa291263fc43fdfd3ce7a071b11f1ea2a2f55c02321bfd476a1d4c33e7bd8

    • Size

      1.7MB

    • MD5

      23a30eea537944585019e0227cf6ce12

    • SHA1

      5a1c4526a3fda1e2367e48d5a67e3f259c357501

    • SHA256

      e65fa291263fc43fdfd3ce7a071b11f1ea2a2f55c02321bfd476a1d4c33e7bd8

    • SHA512

      5052e8c1881a454e227a06f72e378676e4542cf6bf6ed8bc545e178aad9b92d166b5a02d5d0744dbec9591e6e7f887868a2bf9594718cc91c767c443be5e817e

    • SSDEEP

      49152:lIuk/VPr7CBoZMyhPa58jwlvh+n2m6ir9RLcf0:e5/p7ha5Ow1h+n2mppRLcf0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a

    • Size

      1.0MB

    • MD5

      250d1ecad815535932db86d951b6f70d

    • SHA1

      9d56851eda02a979043c33ec98883e2655bacc30

    • SHA256

      e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a

    • SHA512

      ede2fc99fe086f427355d95e2b4fad0289da828f3105c5c2b9b48a8aee213928299725b55d066df7ce2f3c139ecdf38ff418bf20ac36244678f0f0d0a7a05c65

    • SSDEEP

      24576:wyt+dYi+Bu0wW31dx/UEvzxRTkICQ/digppmVnXrBh:3tmYiN0t3VfB5VdpAV1

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c

    • Size

      390KB

    • MD5

      2115f838100aacbc3124baa1083c9d98

    • SHA1

      7eb9e1272fdcbc6deec8fbdc06d609c69a0a88fc

    • SHA256

      ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c

    • SHA512

      7a8645ad4437cfa1833f826b9ed83dc329ecf14ceed774d5aea2982f305ee3c89cb69f4a72e31e4d78bc8ecb70937198a732c36e5b0914cce9f42fcf18bfd8d2

    • SSDEEP

      6144:Kwy+bnr+Qp0yN90QEHQvEyqANvRS5KRQrw6kd7lmm39LBGGHlXve5oGvAe:wMr8y90QEyqANc6Qr5KAm9HFXaone

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef

    • Size

      359KB

    • MD5

      2787331b97e3aa4d3322ea6e057cdbde

    • SHA1

      63a7e7bc5543dd7d46541dcedc7c75137d347fe0

    • SHA256

      f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef

    • SHA512

      683f3aec82d00db1e691311a6e770a7ce828bb64cd1672261e9454d50580c7957d76f31b173b74f7fc1a14359b328970470b3002a74b09997f276503b5692bff

    • SSDEEP

      6144:Key+bnr+Ip0yN90QETAAaLHM+RkWt7ZNm8gbAm6NzpjsRsyDDK16sP4/7lw4t:2Mr8y90tAAao+ObAmmZsWyK1b4/7Ge

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13 (technique, ID, count)

Execution

  • Scheduled Task/Job (T1053): 13

Persistence

  • Create or Modify System Process (T1543): 17
      Windows Service (T1543.003): 17
  • Boot or Logon Autostart Execution (T1547): 19
      Registry Run Keys / Startup Folder (T1547.001): 19
  • Scheduled Task/Job (T1053): 13

Privilege Escalation

  • Create or Modify System Process (T1543): 17
      Windows Service (T1543.003): 17
  • Boot or Logon Autostart Execution (T1547): 19
      Registry Run Keys / Startup Folder (T1547.001): 19
  • Scheduled Task/Job (T1053): 13

Defense Evasion

  • Modify Registry (T1112): 53
  • Impair Defenses (T1562): 34
      Disable or Modify Tools (T1562.001): 34

Discovery

  • Query Registry (T1012): 18
  • System Information Discovery (T1082): 31
  • Peripheral Device Discovery (T1120): 5
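Every behavioural task in this report fires "Adds Run key to start application" (T1547.001), and every task where Healer is present also fires "Modifies Windows Defender Real-time Protection settings" (T1562.001). The following detection is an added example, not taken from the report: it evaluates Sysmon Event ID 13 (RegistryEvent, value set) records for those two behaviours. The registry paths are the documented Run/RunOnce keys and the Windows Defender Real-Time Protection policy values; the events themselves are constructed (image paths and SIDs are invented, and the install location used for pdates.exe is an assumption, since the report gives only the directory name 925e7e99c5 and the file name pdates.exe).

```python
"""Detect the two host behaviours this report attributes to the samples,
T1547.001 (Run key persistence) and T1562.001 (Defender real-time protection
disabled), over Sysmon Event ID 13 records.  Added example, not code from the
report.  SYSMON_EVENTS is constructed: paths and SIDs are invented and the
pdates.exe location is an assumption (the report names only directory and file)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Autostart value written under a Run/RunOnce key (any hive: HKLM, HKU\<SID>, ...).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
# Defender real-time protection switches; a DWORD of 1 turns the feature off.
DEFENDER_RE = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\(?:DisableRealtimeMonitoring|"
    r"DisableBehaviorMonitoring|DisableIOAVProtection|DisableOnAccessProtection|"
    r"DisableScanOnRealtimeEnable)$", re.IGNORECASE)
# Locations an unprivileged dropper can write to; an autostart pointing here deserves more attention.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)

SYSMON_EVENTS: List[Dict[str, object]] = [
    {"EventID": 13,
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\925e7e99c5\\pdates.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\pdates.exe",
     "Details": "C:\\Users\\u\\AppData\\Local\\Temp\\925e7e99c5\\pdates.exe"},
    {"EventID": 13,
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,  # legitimate installer registering an updater: flagged, but low
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "\"C:\\Program Files\\Vendor\\updater.exe\" /background"},
    {"EventID": 13,  # policy refresh turning protection back on: not an alert
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13,  # unrelated value under CurrentVersion: not an alert
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]


@dataclass(frozen=True)
class Alert:
    technique: str
    severity: str
    image: str
    target: str


def dword_value(details: str) -> Optional[int]:
    """Sysmon renders DWORD writes as 'DWORD (0x00000001)'; None for anything else."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def evaluate(event: Dict[str, object]) -> Optional[Alert]:
    if event.get("EventID") != 13:
        return None
    target = str(event.get("TargetObject", ""))
    image = str(event.get("Image", ""))
    details = str(event.get("Details", ""))
    if RUN_KEY_RE.search(target):
        staged = USER_WRITABLE_RE.search(image) or USER_WRITABLE_RE.search(details)
        return Alert("T1547.001", "high" if staged else "low", image, target)
    if DEFENDER_RE.search(target):
        value = dword_value(details)
        if value != 0:   # 1 disables; a non-DWORD write here is odd enough to flag too
            return Alert("T1562.001", "high", image, target)
    return None


def scan(events: List[Dict[str, object]]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SYSMON_EVENTS):
        print(alert)
```

Severity for the Run key rule is driven by where the autostart points rather than by the key alone, because legitimate installers write the same key; a Defender switch written to anything other than 0 is always high, since nothing benign does that outside policy deployment, and a policy-driven write can be allow-listed on the writing process.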

Tasks

static1
  Score: 3/10

behavioral1
  Tags: amadey healer redline smokeloader krast backdoor dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral2
  Tags: healer redline masha dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral3
  Tags: amadey healer redline lande dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral4
  Tags: amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral5
  Tags: mystic redline gigant infostealer persistence stealer
  Score: 10/10

behavioral6
  Tags: redline kira infostealer persistence
  Score: 10/10

behavioral7
  Tags: amadey healer redline krast dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral8
  Tags: amadey healer redline krast dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral9
  Tags: healer redline lamp dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral10
  Tags: amadey healer redline lande dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral11
  Tags: amadey healer redline smokeloader krast backdoor dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral12
  Score: 3/10

behavioral13
  Tags: lumma stealer
  Score: 10/10

behavioral14
  Tags: amadey healer dropper evasion persistence trojan
  Score: 10/10

behavioral15
  Tags: healer redline lamp dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral16
  Tags: amadey healer redline lande dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral17
  Tags: amadey healer redline nasa dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral18
  Tags: amadey healer smokeloader backdoor dropper evasion persistence trojan
  Score: 10/10

behavioral19
  Tags: healer redline kira dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral20
  Tags: amadey healer redline roma dropper evasion infostealer persistence trojan
  Score: 10/10

behavioral21
  Tags: amadey healer smokeloader backdoor dropper evasion persistence trojan
  Score: 10/10