Overview

overview

10

Static

static

3

0f6ce02639...df.exe

windows10-2004-x64

10

17dbf09aca...d0.exe

windows7-x64

3

17dbf09aca...d0.exe

windows10-2004-x64

10

1b624e343d...55.exe

windows10-2004-x64

10

2faa75c50b...6d.exe

windows7-x64

3

2faa75c50b...6d.exe

windows10-2004-x64

10

4be1f370e8...6b.exe

windows7-x64

3

4be1f370e8...6b.exe

windows10-2004-x64

10

576cad65a8...60.exe

windows10-2004-x64

10

6aa8d5d0d6...df.exe

windows10-2004-x64

10

6eeb3d69d9...69.exe

windows7-x64

3

6eeb3d69d9...69.exe

windows10-2004-x64

10

77b8709187...06.exe

windows7-x64

3

77b8709187...06.exe

windows10-2004-x64

10

7f4e227924...bb.exe

windows7-x64

3

7f4e227924...bb.exe

windows10-2004-x64

10

8a870280a0...35.exe

windows7-x64

3

8a870280a0...35.exe

windows10-2004-x64

10

8db6f54494...1f.exe

windows10-2004-x64

10

b21367ffaa...ef.exe

windows10-2004-x64

10

b62068be50...da.exe

windows10-2004-x64

10

be5114d10d...f3.exe

windows10-2004-x64

10

d191282ff4...7a.exe

windows10-2004-x64

10

de9167b772...91.exe

windows10-2004-x64

10

f6dc0b4c65...d6.exe

windows10-2004-x64

10

f85eca1ce9...65.exe

windows7-x64

3

f85eca1ce9...65.exe

windows10-2004-x64

10

f8dfa98c4e...be.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    red1.zip

  • Size

    8.2MB

  • Sample

    240510-r71l6see94

  • MD5

    45d677466232633242693b3722013ca9

  • SHA1

    9f01f4e83a41f4d7ff833c68f2674dab9081658c

  • SHA256

    9bf42d30009d4ddad615b803ba623f0520c82c23439142288ce711002d7b3292

  • SHA512

    5a94b7eae0600e5877cdc0516b7fccfc1ab43dc634cfc949e6ca0287c8ddeb10da9c5daa6216f74b6e6691fafb783aabe1a81f0d17cad721d44d17457e88b31a

  • SSDEEP

    196608:7fLgqoLQbbFyYgoqmwbih9B0EtuAEfcDTK40LkO2:3roLwbFyYgoYSrtf5

Score
10/10
amadeyhealerlummaredline519555252953459874205637482599@nmrzv88@qwerabusedizadumudlamplandemihannasapapikdiscoverydropperevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67
Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

@nmrzv88

C2

147.45.47.93:80

Extracted

Family

redline

Botnet

@qwerabuse

C2

45.15.156.167:80

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

lumma

C2

https://plasterdaughejsijuk.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Targets

    • Target

      0f6ce02639d4d4caede8c3432a529ff995f9d50cbfec335bbe9dc19b8f5c9ddf

    • Size

      390KB

    • MD5

      fbe11448c95eb3d859b67811a5027ccd

    • SHA1

      f3ad51fdea8d704a2ac80be6fdf81bc1fd99e72b

    • SHA256

      0f6ce02639d4d4caede8c3432a529ff995f9d50cbfec335bbe9dc19b8f5c9ddf

    • SHA512

      a048298718fd19a810bbffdd73e39027c1458f085cd3ebca042ce8470979c1b5830d1e4f16f7fc3ccc96dd546f78d850c90c3493887cca66e0ecaa4c34f911c4

    • SSDEEP

      6144:Kny+bnr+Wp0yN90QEa35FPZiqimkWn7ZNjQBLvam3+eYNKV5HJuZMBrCFXkK9xMH:hMr+y90s37PZq+k+v4fJAMdgXACDYv

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      17dbf09aca5536c41f48cdee19e90cc995aeb0b0973ec6bca572f03b1ead46d0

    • Size

      332KB

    • MD5

      d67ab3cb264ae5190625cb455a83d79f

    • SHA1

      234b6c25d1d8768e4b3753c93b4cf54bb5ccd7d1

    • SHA256

      17dbf09aca5536c41f48cdee19e90cc995aeb0b0973ec6bca572f03b1ead46d0

    • SHA512

      9c75563fa91765b4aec47385a9f7bc17b5d779285ec9b9c7c39fed5e0335a4baffa2133e444b47d9535c449d09506c9ca0ecf4e9de62a10c977691815b338099

    • SSDEEP

      6144:C3TwjHHEJ9B4S9re5BAYhePRmygho+ASr/FvRbsW0fRaSZ+0Xp:CDrJ9B4S9rPiygO+ASBRZk1s0Xp

    Score
    10/10
    redline5637482599discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral2behavioral3

    • Target

      1b624e343d222ec9333b85d3af29b913b42ba3196fcb192f618e87ec4afa8855

    • Size

      389KB

    • MD5

      fd521013454248e86a636512dbe3d338

    • SHA1

      2c2b97dee16c2d7ced7d76ce594e03270ecb9e8d

    • SHA256

      1b624e343d222ec9333b85d3af29b913b42ba3196fcb192f618e87ec4afa8855

    • SHA512

      24d919b6d86e34a0cf3c2d5890af0109e95cbc65d05b9647895fc3db2cb4d9a8fc340a19b97bc1c66eb74d596f183a274ee868717e3166157385e4a3132b03be

    • SSDEEP

      6144:KCy+bnr+Sp0yN90QEnJi2omMch2DFto8CKsEIxqySgBZ+t4eDCpUDozUP:+Mrey90NJ7omMFFt+KiAgBYCe2pkozo

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d

    • Size

      1.2MB

    • MD5

      fb2fec42f81a255012c589b29e4f086e

    • SHA1

      99110b60ce21039ed15f571a46159ed2409d2ead

    • SHA256

      2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d

    • SHA512

      0c36b9af63f1e1aef4cd1146c9b99902fcc8ca3bd61228b163336f10085170ae31889dc1837ca0b1c547818e4bf4b60450ff1b7599b324ac22bae8290fd5e3da

    • SSDEEP

      24576:EXixqeljPl1pVbGqvHnoPa+YioUMMn/NNT2CPQ6:EyTl1pVbGqsuM/L

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b

    • Size

      306KB

    • MD5

      d41a5cd7a3a7870992cfd75c5eff1637

    • SHA1

      8365910e5f8fff802cd8d928351270432128abaa

    • SHA256

      4be1f370e880d06da141a2c9957de478c40592a3abf6312aa8c2ef401a37d36b

    • SHA512

      893c73fe37c917bf3c8557c1344e03daef3d1264a0296847fbd5e667e0070b6c920a58f709ec96bb2c1afd22a485d366479f57911eb5073e4c77e6f43243604e

    • SSDEEP

      6144:vBZd9vSWh60RVAtljy11yiI8iz2jaYO9eGoW/JyL985:JZiWhHE4i6qfRyL985

    Score
    10/10
    redline5195552529discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      576cad65a899197ae35e757e578a7c10c29e57c266d1fa4931c6f98f3d2e3a60

    • Size

      309KB

    • MD5

      d3bf3e3b405c7e061c537049b66ab8bf

    • SHA1

      95c95f994c58ed18058aed197472e2847ccd6e91

    • SHA256

      576cad65a899197ae35e757e578a7c10c29e57c266d1fa4931c6f98f3d2e3a60

    • SHA512

      9d2cc83a1a32c3b6195373ebb251f972bb6635d8b891fe29fb3b7fcce1a7d2bc821c76d39e00f5be6d235186afa005e53a9a502474ecb7d0275e62162e297ed0

    • SSDEEP

      6144:KAy+bnr+wp0yN90QEj5F5OYc1u31g4TByCkUMPHSage8pG3zd2:cMrUy90Hxc1u31TTEC3Dp0J2

    Score
    10/10
    healerredlinemihandropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df

    • Size

      308KB

    • MD5

      d5f61fc6a8c52e0a93619aa88abf0823

    • SHA1

      e8ab904b74f798424102a1739f810f09f1987d60

    • SHA256

      6aa8d5d0d6b96fe2a165ee46c9e31059a444b4fae6660eee669539f88bf869df

    • SHA512

      3b5a5f2a02c8788cb4e7245073766e30d3bbb4cb635ae648502d80ceed32a876b0103bc90ecc4fb1749f84d354cc3ba91034aad95f3fd1ea82fe12eca0b6b85f

    • SSDEEP

      6144:K0y+bnr+jp0yN90QE3lEY+zbPsn4Jkb2LPrKRc57uiL4P7:MMrby901b+zYebLPrKG5fL8

    Score
    10/10
    healerredlinedropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral10

    • Target

      6eeb3d69d9979df74b9c482de2344395f5470b94f07494b4a4dd74fb5d286069

    • Size

      527KB

    • MD5

      e37cabc57eb01eeee18f0fe54dbf50ed

    • SHA1

      2d8fb6568c8b5bee977bf86c45295ec17943e1ae

    • SHA256

      6eeb3d69d9979df74b9c482de2344395f5470b94f07494b4a4dd74fb5d286069

    • SHA512

      115cc30d1e2c0ac66ed22908e2f433209d318b79b58e2df5b2b2e44b3890208c87abe5147d21009b3f5362f7bca79324ae1c44d916232981813fdd2e8c89314a

    • SSDEEP

      12288:HZIeNiEvQJt6ygIYBz0birVU2fROWON90Xp:HZIsvQwzHHh1

    Score
    10/10
    redline@nmrzv88discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      77b8709187b6802be16e005b1139331349304c04ecd4e741e8609229f0134806

    • Size

      1.2MB

    • MD5

      d1e1389d7394ab7fd98f90373af3c315

    • SHA1

      b64dc6b0be03d27fc358ce333fbdf56eab28447b

    • SHA256

      77b8709187b6802be16e005b1139331349304c04ecd4e741e8609229f0134806

    • SHA512

      0399874bcd6c22dbc7813a0284bed230d3c9bf6100e47b3674d4e623608da032b2583c78e0292b7d5344e0d0841074d69f55a1682946fa04b164ef944c6bde9f

    • SSDEEP

      24576:jqhdhAS3onZANlQWEwhv8Pu7CRydP3B0IyIV62:jgponZANlQWEwSyCRydP3qI1V62

    Score
    10/10
    redline@qwerabuseinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      7f4e22792482af87ecb52079082a4c33f24544a6b37c4e5da40ac1ac7f9ca3bb

    • Size

      332KB

    • MD5

      d84439daf93489d765085cc2f32f6cc5

    • SHA1

      0590cf46425d0e6872b91aacfa9ee77ba360910e

    • SHA256

      7f4e22792482af87ecb52079082a4c33f24544a6b37c4e5da40ac1ac7f9ca3bb

    • SHA512

      8640f95d913066e653a3014e40dc283667e4b8ab09f8494b87f99371632cb3910e7cda9850c10d974a6ae336e750d68ac0154fe124bd88d2c5bcd1d87dc39c22

    • SSDEEP

      6144:UFpwxf1gbCn4EXza9J+0rrCJJRgyghmqL7D1XkA59Kje+0Xp:UXbbCn4EXzt5oyggqLV0R30Xp

    Score
    10/10
    redline5345987420discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      8a870280a0dc165cadf46427c4e47c56d3fa42aa2cf823a54358bf48f5102435

    • Size

      332KB

    • MD5

      f98aa564c242bfb196410e0790d86bec

    • SHA1

      c882a94a6303f80aca544fad54502ae09289d107

    • SHA256

      8a870280a0dc165cadf46427c4e47c56d3fa42aa2cf823a54358bf48f5102435

    • SHA512

      695ccefb3486c9a1e04eafa38f9a58b66360b0529dcaec4b73925985220be1f244b19ce59a22cd0f179245380d87bd2e3bb3f5aa394b61fede1a80f756dc2fbd

    • SSDEEP

      6144:03TwjHHEJ9B4S9re5BAYhePRmygh6BSJ/Yt7wuo1+Wjnhx+0Xp:0DrJ9B4S9rPiygcBO/q++6U0Xp

    Score
    10/10
    redline5637482599discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      8db6f544940545b4e7f0eef92bc68e65f5e9efd3707f33b7e5594777d56ed71f

    • Size

      517KB

    • MD5

      d41f1c7e31301333d4566921fa2e746c

    • SHA1

      96f01a64517b81d61603d8d63d0a541c46989f11

    • SHA256

      8db6f544940545b4e7f0eef92bc68e65f5e9efd3707f33b7e5594777d56ed71f

    • SHA512

      49b5db3895973f5a63fa5a08d047f9a9b14b82352cb65a5a87c7be12be1797a159276c75dcc16fc61a4c4dba545ca4cb29772a8a4e07f086a47367ca2d5718dc

    • SSDEEP

      12288:WMrPy90Mk+nx9EIMXo6ST4w8kur2PMHtpq01YsEc:Zy/vvDMXo34w812P6ash

    Score
    10/10
    amadeyhealerredlinepapikdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral19

    • Target

      b21367ffaa0009b30055944fc1052857ec46336d5bfe2efd3dab109667a56fef

    • Size

      1.0MB

    • MD5

      fcec5bd6e991dabef70f77e08e42bccd

    • SHA1

      3ae3b13a9757d327ed4227102d5b0b54712f19d4

    • SHA256

      b21367ffaa0009b30055944fc1052857ec46336d5bfe2efd3dab109667a56fef

    • SHA512

      59a2d1cc2576e55beff18f52573b6ac7baae8839dbbf536d5126f88d873375ebb9bb287606021e9c3c14533b004bde6bc3e28511fa646ef65cafabe6fdd4573b

    • SSDEEP

      24576:PyvzwYJvJY4834KiT25Y/fUlpyY4yWvHIPnpAOD6FA7dZJ7Rj:arwamDIn2i38WPIpDzR

    Score
    10/10
    redlinedizainfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral20

    • Target

      b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da

    • Size

      922KB

    • MD5

      d86f13a3db074ef7115f9b305cdf356d

    • SHA1

      d0f7e04a160f577a0fc1f2855d4b2a75705f6a15

    • SHA256

      b62068be50129166f539eb32a63746c4245a497e9b72553efdf326582cc5f4da

    • SHA512

      95d1cf4a6a8fc9aa0fcb81bacd78051ef8d06a27bca3e27053283006d9052e6a6329fb0cb5625c6cd9298760d379d043ae18dfbf9c55be002a23f8b7a33107b6

    • SSDEEP

      24576:ayCGAwe+RYdJNjQiVFX9ZD9I21pB3C8MMdMxeoG:hCUe+R4JNUilZDH/3MkMxF

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral21

    • Target

      be5114d10db820426670fbbb41db92b8671a5f55a0b396e2d54b44606067a6f3

    • Size

      307KB

    • MD5

      851a5f99a016bd43c7a70531d0676684

    • SHA1

      d079d1c95a771f7b293d4936e046f144599191f6

    • SHA256

      be5114d10db820426670fbbb41db92b8671a5f55a0b396e2d54b44606067a6f3

    • SHA512

      3205df87162fa5c10064d9361c78e7c07582c7da1d7f327e74d3758f477c585e5899e3b82b2a654307d295490f39e39b4d04fb25c27c1cc27f932380a2f4d361

    • SSDEEP

      6144:KFy+bnr+Yp0yN90QEIwSAlqDfNUkP85+kon5P8l:jMrUy90BrtW85+Tql

    Score
    10/10
    redlinedumudinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral22

    • Target

      d191282ff466919a5feb6c8682f696332eded6dd8747d336fe16593c6ea96f7a

    • Size

      390KB

    • MD5

      fc8a749534902b784a021ba891b2de71

    • SHA1

      824c3750ef168c3eab90a5761864157f47ec971c

    • SHA256

      d191282ff466919a5feb6c8682f696332eded6dd8747d336fe16593c6ea96f7a

    • SHA512

      26c9096fccc01a9c74f1a380a9d4052843711502d5da32d4a3c371f98b7abb3abf7905e08c94c4f8c717949950d0320cb3457cb615b9b6e085cbe8cf070e2769

    • SSDEEP

      6144:K7y+bnr+7p0yN90QE++Xq2qkWcnZNbQR5mbZvdLFhJauS7BfbCcHnlRHGb4kXyG:hMrry907a2RdL3AuWOcHnl9z0+Ei

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral23

    • Target

      de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391

    • Size

      309KB

    • MD5

      fdf9a7c0cae94329d226d32d7d91f498

    • SHA1

      ac8b5a5a564bcd9aff895a5d98d1bda40679c691

    • SHA256

      de9167b7720db28dc71aba69c32792f2bcfef4425545478b6b641677be8a0391

    • SHA512

      976121688ed988b8bf81d0499ae262a78b3d837318566044a8893285b09eb10f117f0de6535c05120379f108388a83205fb00c428ef69e0c8eb6a5030342de8d

    • SSDEEP

      6144:Key+bnr+5p0yN90QEX5F5OYc1u31g4TByzCZJEXbeqEzaILim:aMr1y90Hxc1u31TTEzCZWXbBsv

    Score
    10/10
    healerredlinemihandropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral24

    • Target

      f6dc0b4c65662a9753e54800489b07d9f5a6a4c896a61d93f3a1a3e28d5bc9d6

    • Size

      390KB

    • MD5

      d34cfe3583bc421f5644a1fd7ed61f53

    • SHA1

      75ccaf032237a6b8a392fa4ab52577030f805e1c

    • SHA256

      f6dc0b4c65662a9753e54800489b07d9f5a6a4c896a61d93f3a1a3e28d5bc9d6

    • SHA512

      b608a0e2a670766d3530911938ced2d288a559ba109bf992799e4e0e98ddcb7c13ddef2ec0e2bcc9648839b65d519850a1da431ef1728078bb57af8d013b838d

    • SSDEEP

      6144:KAy+bnr+ip0yN90QEOZrg/uOH+aqFJOhbEM7bSnjHwVCcHnlRHVVE/iRzFmp:kMrCy908ZrgWBa25njHhcHnl9Yqmp

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral25

    • Target

      f85eca1ce903e035e1355a0ec74636f6d825aeaf8efa5c98472b6acad6536365

    • Size

      332KB

    • MD5

      e42fda1a40844c8de37c2dc02f66aac3

    • SHA1

      ff0598ce5e85269d0e2a1642d7e3a2a40f4c1f5b

    • SHA256

      f85eca1ce903e035e1355a0ec74636f6d825aeaf8efa5c98472b6acad6536365

    • SHA512

      1fdfaeb2066300ba2f83fa6aaff400f9661052ca7e31917f003fcfd8a1cbbbc604b874f554370b5e49f061de34c8782122029301261d0fff6742c2026546da8d

    • SSDEEP

      6144:G37wrn1UxfeUoqlrmVfhIIpe/Raygh4zekZYFnAGmCKjwoNlhMeC0FiXeU+0Xp:GrRxfeUoqlrmYOyguzexeCdoNlhMRXei

    Score
    10/10
    redline5637482599discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral26behavioral27

    • Target

      f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be

    • Size

      908KB

    • MD5

      e4759911e541d7a543ea033b0928ddf4

    • SHA1

      e39c427a6cf47b16cddabfd2c7fb00038e1dbe1f

    • SHA256

      f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be

    • SHA512

      7760d634d8a8b0a2e2c9847c4c367589607de2d7ac43112830289dbf3585902dd0f824ebfcab04040f701afa6b86884824aed2f032e6c09714ac8575b7bf9e42

    • SSDEEP

      24576:JymRvMfvH6jv/02RcWIfpZCzHKXYSvbx3ejLORx:8GMfPQc25Ifv+qHv9uW

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral28

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

Score
3/10

behavioral3

redline5637482599discoveryinfostealerspywarestealer
Score
10/10

behavioral4

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

Score
3/10

behavioral6

lummastealer
Score
10/10

behavioral7

Score
3/10

behavioral8

redline5195552529discoveryinfostealerspywarestealer
Score
10/10

behavioral9

healerredlinemihandropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

healerredlinedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral11

Score
3/10

behavioral12

redline@nmrzv88discoveryinfostealerspywarestealer
Score
10/10

behavioral13

Score
3/10

behavioral14

redline@qwerabuseinfostealer
Score
10/10

behavioral15

Score
3/10

behavioral16

redline5345987420discoveryinfostealer
Score
10/10

behavioral17

Score
3/10

behavioral18

redline5637482599discoveryinfostealerspywarestealer
Score
10/10

behavioral19

amadeyhealerredlinepapikdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral20

redlinedizainfostealerpersistence
Score
10/10

behavioral21

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral22

redlinedumudinfostealerpersistence
Score
10/10

behavioral23

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral24

healerredlinemihandropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral25

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral26

Score
3/10

behavioral27

redline5637482599discoveryinfostealerspywarestealer
Score
10/10

behavioral28

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10