Overview

overview

10

Static

static

7

05b48b2909...29.exe

windows10-2004-x64

10

143e14de3a...c5.exe

windows10-2004-x64

10

2c899ff55c...31.exe

windows10-2004-x64

10

2e0a9b6a39...9b.exe

windows10-2004-x64

10

4250b0250d...ee.exe

windows10-2004-x64

10

464a716862...38.exe

windows10-2004-x64

10

4d09936a4a...bf.exe

windows10-2004-x64

10

59c1607382...01.exe

windows10-2004-x64

10

61f1416a77...2b.exe

windows10-2004-x64

10

68ca177d42...f8.exe

windows7-x64

7

68ca177d42...f8.exe

windows10-2004-x64

7

6ba0db3b66...b3.exe

windows10-2004-x64

10

8b549a8688...5b.exe

windows10-2004-x64

10

a8dffd83e4...8a.exe

windows10-2004-x64

7

b6b53c7022...c9.exe

windows10-2004-x64

10

ccc5c313f4...94.exe

windows10-2004-x64

10

e04ecd64b5...1b.exe

windows7-x64

3

e04ecd64b5...1b.exe

windows10-2004-x64

10

e38bd93e74...28.exe

windows7-x64

3

e38bd93e74...28.exe

windows10-2004-x64

10

eab14d8dad...38.exe

windows10-2004-x64

10

f943251c5b...1b.exe

windows10-2004-x64

10

fb49b50c0d...90.exe

windows7-x64

3

fb49b50c0d...90.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed

  • Size

    16.5MB

  • Sample

    240510-qjx1psbg57

  • MD5

    02dce2c23adba83e6b24c76234304713

  • SHA1

    647ce3ee7fdbe196db5bf916578d5eb517d903b8

  • SHA256

    e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed

  • SHA512

    4edbc8c739ac92515439bca01b3922348f5b5a2d6f98ba0b702e4768cd75e07b1fc5b056a03bc7d86c28e554172e1f688a4cd38aa9a5c729c3a308a91e504ec5

  • SSDEEP

    393216:AGO0HgyGCv3L6564s7Ts4EZXBpVrFaSOsGZJGC8Wq:AeAtCv3e5BpVFDHGZJS

Score
10/10
amadeyhealerredlinerhadamanthyssmokeloaderzgrat7001210066dumudkrastlamplandemashamihannasanewsbackdoordiscoverydropperevasioninfostealerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67
Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Targets

    • Target

      05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729

    • Size

      515KB

    • MD5

      311bcc98621f1612a7a0bae8b412dd21

    • SHA1

      e6208f01069780dfb69fc831895e3b97cd900842

    • SHA256

      05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729

    • SHA512

      84aaeae41c97293674a99209e67e09ee915f6c533ef735792493981f7ce8cb6e66b69fa403c6d7fb9a0b9d8041af71484affe045c6582ce98337a4479d596059

    • SSDEEP

      12288:LMrhy90ADACn1dQ4Hr1nEb3crjgrngFOW:Syf1dQ4Hreb3crsr0OW

    Score
    10/10
    amadeyhealerredlinesmokeloadernewsbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5

    • Size

      390KB

    • MD5

      302c8027c8728a76aebbdaa358bcf27f

    • SHA1

      b377bb11e4b31fac3779736dafd77d3930e68349

    • SHA256

      143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5

    • SHA512

      bec37bef66ef5ab381607b0ce2f3e4852b9c91e44187376e5065026db2b62150f418ea58b7646011c86bf096e4d22de36f28f8f54efbe137bbf54bc081615c8e

    • SSDEEP

      6144:KBy+bnr+6p0yN90QE7f11dRzGQkV6oNImWSzVGBmIqS8a0lCG:rMrey90lf1zcQkHNwSzAd0YG

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral2

    • Target

      2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731

    • Size

      479KB

    • MD5

      31617cece5388ac8787754c9406975d7

    • SHA1

      b3315488d6a9295329123bbbce1fd14ae7ed91a6

    • SHA256

      2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731

    • SHA512

      d3c6bcab9038bcd8de94f30909c7eb12abe56d9a6b04cd46440118f5eb1243499cf87839401a9915ab24c6091d4ce23ddea26ea0cc25fe13ae920d894414f6a7

    • SSDEEP

      12288:EMrSy90QA01k9EdiY5c1u31vTEmyrZpYgGT7j+h5Va6e:+yoY9X9TwFpY57atTe

    Score
    10/10
    healerredlinedumuddropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b

    • Size

      1.2MB

    • MD5

      2f8765ddfb5eb9cf565d416a2fef07a9

    • SHA1

      ceb22309b872f04d9c5df1e6fe3cc35fa616e6cd

    • SHA256

      2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b

    • SHA512

      6489262e8b6394e895ef7ea59c94f8b460affbb17130a1136df23b47f1cc50f3c09db0fd10319484e28679ef65d583c15086b38b5d0d27858906e4f4504f7b85

    • SSDEEP

      24576:Cy4hgIcCM5IddKY63yg7MVZeoCNElcacqdf36HXe:p4hdcidKY63jwSDEa923

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee

    • Size

      390KB

    • MD5

      2d00f96e74fa01be6c570782f56ca124

    • SHA1

      17ed1713ade7f79ea2ed1bb9130871ca56b0c072

    • SHA256

      4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee

    • SHA512

      6b359ebae2e3607603393e1ff2d950987194e77089ef6dee3513b17defc0c0d20950ce3554e76e68500e4b4ed23138bfdc922088881958a1dfe0a9c65e416575

    • SSDEEP

      6144:KWy+bnr+rp0yN90QE0PZI9HwPGTICcWt4JZe6vzwYFeXx3Rhye2coLju:SMrvy90iXVztj1MNSeB+S

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38

    • Size

      480KB

    • MD5

      2e6a4fc6e3fb6ef41f3e9a1c0245473b

    • SHA1

      e8b2387fff202d400c02a75b92d31c95400abc95

    • SHA256

      464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38

    • SHA512

      e9f733e6de8dcee03191129a06f1e72f8858fe89662914be2bc39d595fa7681d02d536136f200836c3fd624c4bf478283d85289fb2c141b21d818debd6281ef9

    • SSDEEP

      12288:JMrVy901LN4BkGvpYh66jV8uL3jl8TzH//:oy8GBkqpEt9jSz//

    Score
    10/10
    healerredlinemihandropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral6

    • Target

      4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf

    • Size

      1.2MB

    • MD5

      2ff65e9ca8a0b92b2f9ead3ba8dd7ed2

    • SHA1

      bc118c8a4ba9391e5bc4315eef3d0dd83afaebfd

    • SHA256

      4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf

    • SHA512

      4fd459726173efd0412638d81884d4636b385098696b6dee1b403b809a3eb79c2202394ca4ca5e8f3f1630e83e02af723a78931c58242cf161abe1974b32137a

    • SSDEEP

      24576:YyZkbJInDZr4+HhuBykcdH3B3laSprA5MBkWUhLfYTemxmdza8xPjo:fZkbSDZTHc9cdH3aSBA5I4FduaPj

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01

    • Size

      390KB

    • MD5

      2eceda61e6e0bef77aa4e2d0e99f765d

    • SHA1

      05a5e56dec75029e3b8e483d649e7b5ff6f8daa2

    • SHA256

      59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01

    • SHA512

      fc20de5d3d22d2f7b331aa892563cbdd0d496cbbf4004048cacc6bb0af9e45e0c0df64df3b1d19119fb5f2b1c76e773aa36e81051dab31c74e6705894b22c5d3

    • SSDEEP

      6144:KNy+bnr+qp0yN90QEPnSCpusoviHGXWnzdpGWXAL6A5202cF1zV5cPMdDExP:bMruy90B/0lUDdwL6m203zVJdDExP

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral8

    • Target

      61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b

    • Size

      1.6MB

    • MD5

      2f1c41adf7b880f2e9f9b1b0286a143b

    • SHA1

      606acc7a67ec4f0241b3850a1b0ce2241774c9de

    • SHA256

      61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b

    • SHA512

      c1b593f1e6600aa2124262f90c0a1ad77f46dc1e87ce836c1d9bf2160352d974f5cbff78100bc7c380071b3de8d0ef3cd653423efa26e73c005beb59a6fa0596

    • SSDEEP

      24576:gye1lDVXnpy0e+JaxMbVa2H2t2BCl1EDD9uh4iVtjGE0Nx:nEneZxoDH42BClumNVL0N

    Score
    10/10
    healerredlinemashadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8

    • Size

      2.6MB

    • MD5

      2f7129366c456459ebadc1dd90c439f2

    • SHA1

      9ea7a9df8898f50dbeac35a8f2f20b43644fb1fa

    • SHA256

      68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8

    • SHA512

      32abc0a370d950b619a7ebb13bb2b497a318ff0043345a5523598465d8a8bf7000d2d5b52e1cac62df6fd21ba143b1df43ff0b392a8c39e8df7e49d5982ae294

    • SSDEEP

      49152:zKC9Pmf3aSVILfYuExL71E7gLkPjDv5DIuZ4/vR55kmjCoyfR5L:zP2JeYPOPjlDxIr5Oo6V

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral10behavioral11

    • Target

      6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3

    • Size

      515KB

    • MD5

      3133d51b9cb5dff2ffb1eb479a3a8197

    • SHA1

      c7751780b417509447b6374f2044c4a70bd3aea2

    • SHA256

      6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3

    • SHA512

      4d0249966b11f4933be1aa3126d2ebd6d93700ff22f858457c0cde49a6e691f89d6480068f00d26b5aaa07b48f71ec0ec67f6ad6951d92815777801153789ae2

    • SSDEEP

      12288:2Mr3y90Mp419rk/h+B4egjTgl+ZP3SFgHEgD/r17DZ:ByDp4vg+uegjTgl6PQeESr91

    Score
    10/10
    amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral12

    • Target

      8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b

    • Size

      390KB

    • MD5

      2e8378a779c529d72cae6f125711e88c

    • SHA1

      4b1d1bab9924629cc6b968efc89925468c90cdb9

    • SHA256

      8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b

    • SHA512

      24dbf09588cf022952aabbd463efa15a209f9511fa20bbce46e8c24d785658449632d429dd30bac24750e0bc697be4b8b8dc0b217540195a0264a72f0957145e

    • SSDEEP

      6144:K3y+bnr+Kp0yN90QE5HRKn43pGULDIfkdamIgLWFlv1/ea+AFw5YMdc5bcg9xb:lMriy90rUn4zLDIcABv1x+kLiecgjb

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral13

    • Target

      a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a

    • Size

      3.5MB

    • MD5

      2e74d6fa9f7ad6604f4474d3a88df538

    • SHA1

      94ddd1699392c49aea7f9a610ed5487ea5d30a07

    • SHA256

      a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a

    • SHA512

      38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5

    • SSDEEP

      98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu

    Score
    7/10
    persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral14

    • Target

      b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9

    • Size

      1.2MB

    • MD5

      3084e5a05ec994a172379bb42d1f4a6e

    • SHA1

      d5705086a050a075520d1e19aa047f924e079ba5

    • SHA256

      b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9

    • SHA512

      7988b8ced595a143db70f1e668bb0e645fa19621e363061379cd5b042ec6444bf8f9a14184bd65afb126a851e8acfb23eee6f71bce930d135c9eab36d87e06a0

    • SSDEEP

      24576:my9QoTLxsXrQ8m0Y3lsvmLEBXibYVetVVosYmmL9hK:19Qwss8ytLqqYjsJmJh

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394

    • Size

      389KB

    • MD5

      2eeefdf643f78c415d5773e6839837b2

    • SHA1

      797a0d8433f1b575915a9cb2952795535fb3546d

    • SHA256

      ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394

    • SHA512

      96c66dfb44902289d99a122c9e8b2804a236e61351e81ad56f5406fd935a2c5e65fac58da2bb8dd8f2738e5d7e1251128413b5247a1cfc421e1b5dc6c960272f

    • SSDEEP

      6144:K8y+bnr+9p0yN90QEA748JHJlPx2r5z3HVK9ehKCCB2GTNXeD3zsvHclk:QMrty90mM8VJluVSaKCCEUXau

    Score
    10/10
    healerredlinenasadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral16

    • Target

      e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b

    • Size

      1.2MB

    • MD5

      2f0b3a7a3e71a02cf6add7921d910dae

    • SHA1

      ca074b29a347d603cff8f6a0977c2838575fee84

    • SHA256

      e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b

    • SHA512

      4e5929ded1720be274600fb1212258b3cf68beee1eb15349f1fa78cbf3f9186498eda4c450e27a8f2ece52bdb11cfe7d65873239a6f0e07dd875cbb885e636dd

    • SSDEEP

      24576:7MRqNUuIoPlMdHs8fvIvv2qJCLHPu4CNXeHZST:7m/oPlMdHs8fvqD4PONuE

    Score
    10/10
    rhadamanthysstealer

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228

    • Size

      1.2MB

    • MD5

      2cf5d69da271a679e8aa11c6fd68bcbc

    • SHA1

      592e89ba9a032d875c9955e3c80e9d852f0bc704

    • SHA256

      e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228

    • SHA512

      b1fe414b8e9d1c7c56c5265a3c1386f9dd37c97af64a65f7a04e9460bbdae8d8143d84090392bb0bd51f053b1e3b21ca20b3c9953844de542059408eb9f2e929

    • SSDEEP

      24576:0jqhS297HFlZVrmEP33ZaogYUspWkRR5sC96E4:0WTFlZVrmEZikyw

    Score
    10/10
    redlinezgratdiscoveryinfostealerratspywarestealer

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738

    • Size

      479KB

    • MD5

      2cb6553c9840b3d0b75e3cb6dfceabdb

    • SHA1

      b795b91e6e19782f031fbdae21de93ea2b7be2be

    • SHA256

      eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738

    • SHA512

      3025a44d0ebb216787f8c39833aa68450592891f7d861a8e010c2f537ea7190192572c0a8a61591f1f889401dcc07ebf4a1b027c692438826b8097907aac9314

    • SSDEEP

      12288:7MrLy90YhqS1jB9dQopQaVuKga3WM3s0l5f+nf:Iy9UUldMJaCQmf

    Score
    10/10
    healerredlinedumuddropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral21

    • Target

      f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b

    • Size

      389KB

    • MD5

      2de3042570f5c1958092fccd52196050

    • SHA1

      825a3ed1c11fbbb29f78be5b760b7b2bd09b3608

    • SHA256

      f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b

    • SHA512

      bb05c46d754c4389cc6dd64341b44a27ba466c4786911543a5671b3371541afbb9c69c0052ec37417b7bef11b69d5314d889cc3e62ba5604140876afa1b23541

    • SSDEEP

      6144:Kvy+bnr+1p0yN90QELYTRHY6J0ZCPWEMjxFYWYUn3JSt2fgBZ+t4zDg7RJVrQ3N:BMr9y90I2CPzcnYCM2fgBYCzs7REN

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral22

    • Target

      fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390

    • Size

      333KB

    • MD5

      2fb6f6336ba7ce88d3c3ae8a9b3dc103

    • SHA1

      487a88ca63f36cfbddfd57a8e9c8f9c952e78a91

    • SHA256

      fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390

    • SHA512

      3c36c4746deff2be3d3f0f2642ca01372e114adae928ef4f5ffbc47f579633758188a8dfa47d82f75d920cdef1785427627a79422a3a829910801009f0c6478e

    • SSDEEP

      6144:El5wh/1gr+64UHVXwDMsFGbr195RQyghl1C1bq+C9hfCgH8fGQFG6M+0Xp:EHrr+64UHV6DygP1C1b5SC/fGl6h0Xp

    Score
    10/10
    redline7001210066discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

upx
Score
7/10

behavioral1

amadeyhealerredlinesmokeloadernewsbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral3

healerredlinedumuddropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral6

healerredlinemihandropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral9

healerredlinemashadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

upx
Score
7/10

behavioral11

upx
Score
7/10

behavioral12

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral13

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral14

persistence
Score
7/10

behavioral15

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral16

healerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral17

Score
3/10

behavioral18

rhadamanthysstealer
Score
10/10

behavioral19

Score
3/10

behavioral20

redlinezgratdiscoveryinfostealerratspywarestealer
Score
10/10

behavioral21

healerredlinedumuddropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral22

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral23

Score
3/10

behavioral24

redline7001210066discoveryinfostealer
Score
10/10