Overview

overview

10

Static

static

3

1d059ca891...d4.exe

windows10-2004-x64

10

1d90edda9f...51.exe

windows7-x64

3

1d90edda9f...51.exe

windows10-2004-x64

10

1e44c41d8d...91.exe

windows10-2004-x64

10

1ed736973c...3e.exe

windows10-2004-x64

10

559234fc52...e2.exe

windows10-2004-x64

10

5a4570005d...a4.exe

windows7-x64

3

5a4570005d...a4.exe

windows10-2004-x64

10

61f1a776dc...62.exe

windows10-2004-x64

10

67045db960...01.exe

windows10-2004-x64

10

6d684b37ca...5c.exe

windows10-2004-x64

10

77cbabe9fe...cf.exe

windows7-x64

3

77cbabe9fe...cf.exe

windows10-2004-x64

10

8a73bb4899...c3.exe

windows10-2004-x64

10

8db3c27c31...88.exe

windows7-x64

3

8db3c27c31...88.exe

windows10-2004-x64

10

b72cfb2517...df.exe

windows10-2004-x64

10

c2ef692d84...7e.exe

windows7-x64

3

c2ef692d84...7e.exe

windows10-2004-x64

10

c39106a352...4e.exe

windows7-x64

10

c39106a352...4e.exe

windows10-2004-x64

10

ca6d56a637...da.exe

windows10-2004-x64

10

db14966ca7...cb.exe

windows7-x64

10

db14966ca7...cb.exe

windows10-2004-x64

10

e800205bb9...fd.exe

windows7-x64

3

e800205bb9...fd.exe

windows10-2004-x64

10

f8a2da44f9...41.exe

windows10-2004-x64

10

fc8b501a18...d3.exe

windows7-x64

3

fc8b501a18...d3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93

  • Size

    8.5MB

  • Sample

    240510-ppekwahg33

  • MD5

    63f013d3eaa851a4b37bc58a4cb7f190

  • SHA1

    67e0bc19c3a32090ac6844bcaa4f00ee13b8dd0d

  • SHA256

    c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93

  • SHA512

    c711e03d14dfaf58a1a566341bef053dd228e908c442fb38bfa90d43cc372d536af06aa9932babd64a579328205aba39b86f87c615f6b149a669d934aaff2e04

  • SSDEEP

    196608:Us3AAiQp3c+6iWLMg7/gkWHmjjG5KEaq0Xo8X9tnJiDkhRKzBm:N3A7Qp3c+Swg7/oGjLEzB8ttnRhRb

Score
10/10
amadeyhealerlummaredlinesmokeloaderzgrat51955525297001210066dumudkrastlamplandelux3romabackdoordiscoverydropperevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67
Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

lumma

C2

https://plasterdaughejsijuk.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

lux3

C2

176.123.9.142:14845

Attributes
  • auth_value

    e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Targets

    • Target

      1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4

    • Size

      389KB

    • MD5

      2983d487675b8e857be5cc87ecf3a3f9

    • SHA1

      5dee58d99ebb08bee6f7210ab933e0adeed7930c

    • SHA256

      1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4

    • SHA512

      f547d694a853e4f0924f54cd7d22d7b384b15e58b45749947df5a5b44c9981d8319c6a537c8b3e517e1ece5de8be98bf95251aee51258bafd948bad269e8b866

    • SSDEEP

      6144:KOy+bnr+ep0yN90QE+d2iPWnGyF4ts9EO6GGvo5o8egBZ+t4nDSKWWE3k33GMC:iMruy904d2om56j6RegBYCnprKk3O

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851

    • Size

      294KB

    • MD5

      19b2c4ee9781e95ecd5db74de6fef0a9

    • SHA1

      fd5f11a55b1d7be9afc06faa72b27d6d19706c17

    • SHA256

      1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851

    • SHA512

      ea137d3330c7fbdca25da29639447211fb36ca49f8e77f38b2b6428adae63ee097ce1564fd4edc0742b39c13854d868dc87f8f08bfa9b5698ad2149a7c1843ef

    • SSDEEP

      6144:hTwlNlUt5IpFvjcFRh2/GpOZMNG5L3cYp8eesbZ6O0:QlUt5IpJMLp8J3N8eesbIO0

    Score
    10/10
    redline7001210066discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral2behavioral3

    • Target

      1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691

    • Size

      390KB

    • MD5

      1b39c696c7ebdec56e5bd5e819ff51c2

    • SHA1

      13499e2a975747bbc7dfa629b93c79143980cb5e

    • SHA256

      1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691

    • SHA512

      bd4e865d924da4f2cbbb97f96cc5b31c88f4698fb5d4bc109e191336171aa87f64458960279732395e1ec47c4a10683809435612d9bce181f440a653ff2e3f8c

    • SSDEEP

      6144:KKy+bnr+vp0yN90QEITqYImmruIrRHY6y0ZJJqB5bu9CVCyXyNRK2h7nSXO/:uMrry90mTImmiazSBJlwuXO/

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e

    • Size

      514KB

    • MD5

      1942d1d3d93833f0a1d4f5381ce33a23

    • SHA1

      4056636db4625bb6b3fee03b4c1be992681affa9

    • SHA256

      1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e

    • SHA512

      a9569c93345b4565b8e9bd30a1b09400eaba1ddeb3fbcf00d53563d1ba34d4d6f4f5bba9ffe6852ff699de66e8177eab35ffc771741fd9d528e6802726aa3a6c

    • SSDEEP

      12288:SMrqy908fsn+JqW9WsGJPMj1kn4tBA6jmcRyqBq08:4yIEqwWsKmy4YikWJ8

    Score
    10/10
    amadeyhealerredlinesmokeloaderromabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2

    • Size

      390KB

    • MD5

      1b4800daaaa7c169f68ec120ba2c3d92

    • SHA1

      a70c58e128758611b3a359e6620c3a3e81bcf767

    • SHA256

      559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2

    • SHA512

      da8bee5a9df9b4263d8b2b3feae9131e06a3f3e1d9e502da1996fdc6eb2190eaccfd5b6f0b338b0ba2723c6432878f8b5a017ec78dd2c2a52d357ab654fa82f4

    • SSDEEP

      6144:K6y+bnr+np0yN90QEo05rDWFqSlrjVfhz4y7mqtimt3n5jkH3IQ:6Mrvy90m0kBBF4y7mqtpZUIQ

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral6

    • Target

      5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4

    • Size

      332KB

    • MD5

      17c66b0d4e0365acb6ae8471066f11ee

    • SHA1

      b110e57ad1e2c4d59709a733028dc9dc78244899

    • SHA256

      5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4

    • SHA512

      9d7ff2c650cb283a0857707d8079f094c6d82dc0a483a01c6579fe902c7e19d5de64b2b72aa2a06402cdfda283911759013f3dae03a10ab723d851065cc75052

    • SSDEEP

      6144:blZwB/LgLN340nTaDpOU7riHRkygh37YwmL6ewFKbTm1OazSI+0Xp:bnhLN340nTP+ygB7YwmuTE3mhw0Xp

    Score
    10/10
    redline7001210066discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562

    • Size

      479KB

    • MD5

      1b385dfef9c3683b4849ce42c7b6b5f3

    • SHA1

      8aa540ad4ad25b905fdfadc3e351ba1c49e3e9b7

    • SHA256

      61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562

    • SHA512

      20e65a503be4341c386046a617c4875e006527eebd214299d971650a22c245450bfccd600d9fd9e2d0b6d1a9c5dd719037b2477452e29ddf4bdaaf20b83998b3

    • SSDEEP

      12288:MMr2y90GYO4OtK8z1J6Rxt0wptqtOTy2A8xADCvc:qyGV8z1YRgOuUAkc

    Score
    10/10
    healerredlinedumuddropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501

    • Size

      1.2MB

    • MD5

      178421ab07fbeb11767d3bda7c24a4d4

    • SHA1

      c2fda877254635b05fdda955b6a01651251ec00f

    • SHA256

      67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501

    • SHA512

      0a48c98fe000cd134b9712e2c812bf92523500b99190b9fe82d4f9e02a05305cabf37daf24ef0feffc5a0bee08d8c7a766c87a29f724652e523c95ef22a58ba2

    • SSDEEP

      24576:dyvPA4Sk2aRNRajD7T6B/M2+cjk3w3nz9KXwsvJO6ejg/vi6a:4H3SpaMmk2zk3GzglvoDA

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral10

    • Target

      6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c

    • Size

      359KB

    • MD5

      18eaeff3ae40e541cbd0cdfdc2298885

    • SHA1

      2fe4663c9d407d97bebcd035d901321dd1d9ef3e

    • SHA256

      6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c

    • SHA512

      83c4ef016804df631b4169aac8ff88210d74017b8b19afa7e791bbf9e6c852de2ce64482ce6c29530b4557e75c40f84a827993b3d0f414a0d3306890652bfd16

    • SSDEEP

      6144:Kmy+bnr+Lp0yN90QEjHCyMnb6yUchr1x18mlQVMhyoVAWgWMvmy:aMrzy905Ob79hdEmJYvmy

    Score
    10/10
    amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral11

    • Target

      77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf

    • Size

      1.2MB

    • MD5

      185f86ba2e9a422cdbc2d5084d00f57f

    • SHA1

      68d18b2eb55b0e52f3b60c8a29e297b4e2593418

    • SHA256

      77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf

    • SHA512

      ab31a0d8ca9d6258f0ac08e0e2fe036bcae54115eddc129760bcf8b43ea51e6f284d6fd533850233c753cfdb864826ea9758866e4b4c5dfdcef7df0137f49d73

    • SSDEEP

      24576:2l1TeljsInpBxcyc40xvOGe2ELrnqDgZBJM:2nlInpBxcyc40UBfqDi/M

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral12behavioral13

    • Target

      8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3

    • Size

      478KB

    • MD5

      197bdb6ab21ca786f3cb4bcbe996e12b

    • SHA1

      a067fa595f44157386ca833d0728f75821b8712f

    • SHA256

      8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3

    • SHA512

      bbf0934029cfb446996c77a8eaa93bc9486c0f682ebef4b23ff4c11ae931239ec326fbb940760784d388bce9f2b098b1bdcbd274a4bbf1a5e3196c5c34cb29a6

    • SSDEEP

      12288:tMrgy90l9GeSNya5c1u31FTGuKfuvXUG4KSiCT3:Jys9G2eXPTtvv73E

    Score
    10/10
    healerredlinedumuddropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral14

    • Target

      8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488

    • Size

      332KB

    • MD5

      179e52553d0fb86da8b84cdef81b8394

    • SHA1

      728405545c126f7e0ca2beee8b650e1f125192a9

    • SHA256

      8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488

    • SHA512

      4fc9150ce2b1bf507da3e0352c0338d31e47230fb3950dcf18a4ab761f73b76ddc3eb40d4fca6a8e071babcf8d7ec7540ab6dcda1f4c655559d25c566421d96b

    • SSDEEP

      6144:RlZwB/LgLN340nTaDpOU7riHRkyghbiSLOboK16cN/LmEbQbq0h+0Xp:RnhLN340nTP+yg5iSCbv1T1bvD0Xp

    Score
    10/10
    redline7001210066discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf

    • Size

      514KB

    • MD5

      1a923777979bd128a48a6763dc11d9e9

    • SHA1

      49fedd0810c09f8ba69ec86fd6640b15d51b5e85

    • SHA256

      b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf

    • SHA512

      590fdd6a3a9a3ca0acf772624b47eb40016390d484bf0a3e61eea2afb091b8387c29a24ec6e9113240281e4b4b380e060bec08a1d400ac7f92ad6c24f2927aa0

    • SSDEEP

      12288:pMrdy90UCukTJyxW8iKhhYuEzBuu2wgmF2bq:MyxFkTJy5zP9bbq

    Score
    10/10
    amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e

    • Size

      493KB

    • MD5

      1761d24d7f96a35e847190277919f80c

    • SHA1

      18ea3a12a53ff44662b84b1d32f69f3500830a37

    • SHA256

      c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e

    • SHA512

      e3c82cc5735f8a6db600d8d6c54445dfb32d2880bac7674e3a339ad3062b892715489f523242095f76214b2eeca027c36343e9e4af23ae362e14882245f4cfbf

    • SSDEEP

      12288:M3LL2O80nTAiKyg82yeGz5uKIN1LGab5P6L4CvZ55s+KD0Xp:M3LA0nnzmLGkPxCR5v

    Score
    10/10
    redlinezgratdiscoveryinfostealerratspywarestealer

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral18behavioral19

    • Target

      c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e

    • Size

      294KB

    • MD5

      175e3db636d9fd541cc11991815ea662

    • SHA1

      c5e30c78f298c1aa26768bc036795e19ed7e60d7

    • SHA256

      c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e

    • SHA512

      06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9

    • SSDEEP

      6144:CF/pvusFFxSzg1ksK43NvCoC9W8Fa/T9Hb5T2C8c:CF/pv5r1tK43NiW4ah

    Score
    10/10
    healerdropperevasiontrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Windows security modification

      evasiontrojan
    behavioral20behavioral21

    • Target

      ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da

    • Size

      925KB

    • MD5

      182c7282a0ce3f4b3167518c8a2f9d66

    • SHA1

      7277f55f22c18008840d4aa0c65721df2129d761

    • SHA256

      ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da

    • SHA512

      57895e1fe2d89271097e920e8eeaccbeafc861fde18aa85cdac7cf716cebb332fe201e2821512be04a92c965894526c3f7bcb8d3d7b010909cc8318f95ce79a0

    • SSDEEP

      24576:UylKFVXmbDRGB2xA30pIMporMtfc/FgIHs8:jEVGFGB2CkpIuPtfees

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral22

    • Target

      db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb

    • Size

      274KB

    • MD5

      17c694e79f6d36c7ddf2d0826847af9c

    • SHA1

      4a9ede0f5efe78a4807230fa8dc0ae4d9e6fd9e8

    • SHA256

      db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb

    • SHA512

      bfe84a7d6a038df984e6d789c0169771a567488137d01b8df27b67706aca915fddb14d510dc9c654281b25a2e65cf5c57d009b16cd78a0170ee13dd70e12b363

    • SSDEEP

      6144:SJhy0g57Kx1lgD0568wQ7tuMp2tHnAm9CMtM:SJhcx0568wbt

    Score
    10/10
    redlinelux3infostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    behavioral23behavioral24

    • Target

      e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd

    • Size

      983KB

    • MD5

      195bac3e181550a1749e52bd3abfa2e1

    • SHA1

      4c44adf44e16bdb2d5891d0ca5534e25d8cd8811

    • SHA256

      e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd

    • SHA512

      7ac7714a302ee5d0a2592b1273fa20f3162a4c8e46519274b97bfed634a28fa461d19d212eb648b6c540bac10dc7d94b9651548d9d2bb3f58e39de1c4456a41b

    • SSDEEP

      12288:xNJJwXdk+4w8ea9YVhYu48bk0/jLvzVbJmeMIulognDsexGeMcQh:xNJodk+4wv+YVhYu4r6LvJFsngve6

    Score
    10/10
    redline5195552529discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41

    • Size

      515KB

    • MD5

      1b6ca4b3887874447697d2dac0664cf5

    • SHA1

      0b2ef46a6bd9883b04ecaf8ae6fc47df13e2f8f2

    • SHA256

      f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41

    • SHA512

      4435a0bfc90dd2574a28ce91d519a4566ff85413fb13b5c6690d2e868410abda41ebd05e4129f20fdfafb989d5f2bf424ef84234925ebb33123e0a434a4d6a5d

    • SSDEEP

      12288:XMrfy90fa+YaQ3g3aNwmYu4neyzKmErzq93TU1cFdsJ:4y0a+YahqJYuGey2HAEJ

    Score
    10/10
    amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral27

    • Target

      fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3

    • Size

      1.2MB

    • MD5

      1a16ee68f1207233e67c2c808805a723

    • SHA1

      e2867e17c5b2cf680cf121ecfd388dc4f9380035

    • SHA256

      fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3

    • SHA512

      7330de14cde4232c5020944b2a21f11bb9a238762b71e0947315bbb749a749c9d1b0500a03bd8722edc3f748fbf03d3045eb6e41e101e4340c207af9c24d40b0

    • SSDEEP

      24576:7OG/5S/uUaFhBylaHU3TMzhIhH4aZGjpUwMHqsOL+QX:7OGfFhBylaHy8DsON

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral28behavioral29

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

Score
3/10

behavioral3

redline7001210066discoveryinfostealer
Score
10/10

behavioral4

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

amadeyhealerredlinesmokeloaderromabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral6

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

Score
3/10

behavioral8

redline7001210066discoveryinfostealer
Score
10/10

behavioral9

healerredlinedumuddropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral11

amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan
Score
10/10

behavioral12

Score
3/10

behavioral13

lummastealer
Score
10/10

behavioral14

healerredlinedumuddropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral15

Score
3/10

behavioral16

redline7001210066discoveryinfostealer
Score
10/10

behavioral17

amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral18

Score
3/10

behavioral19

redlinezgratdiscoveryinfostealerratspywarestealer
Score
10/10

behavioral20

healerdropperevasiontrojan
Score
10/10

behavioral21

healerdropperevasiontrojan
Score
10/10

behavioral22

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral23

redlinelux3infostealer
Score
10/10

behavioral24

redlinelux3infostealer
Score
10/10

behavioral25

Score
3/10

behavioral26

redline5195552529discoveryinfostealerspywarestealer
Score
10/10

behavioral27

amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral28

Score
3/10

behavioral29

lummastealer
Score
10/10