General

  • Target

    red.zip

  • Size

    10.5MB

  • Sample

    240510-rsjecadg53

  • MD5

    f530b56e343baaf37e14ec59e4eed46d

  • SHA1

    eb0b1f6f32480504d1f179b6cd3173a1919e24b7

  • SHA256

    f66854431dc57070e060e776be18cba0992366fab22b71f8cf929b91c81a6c26

  • SHA512

    af55e5142c1f83d3d73ba85043c345a0cd55b431d35187c77d34bef83147196a69a0796e6d39e874835e375f27b160af4ff388dd325f170d1f0d771bf268e09c

  • SSDEEP

    196608:eA5wvF/vmpK96sD3Xghs1kTC69qBLJXSKMQWJ1MSsJMmHD+8YXJ3evI4ZHEW:pqQwXrAoBgQWJ1SJMmS8YXJAI4ZHX

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

@WinBinLow

C2

45.9.74.149:48852

Attributes
  • auth_value

    f7d8268222997f5a0b2fde81e0514f51

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

redline

Botnet

581694481

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/KE5Mft0T

Targets

    • Target

      036028e38619a2b41891058cbbec38bbd4ebcfca4ce732fb7db9ad8f372c62a7

    • Size

      390KB

    • MD5

      3c37601b22fd9a0a2a2b8292dbf7d939

    • SHA1

      04e36bfd794fb057f974ff87af40da195812f3ff

    • SHA256

      036028e38619a2b41891058cbbec38bbd4ebcfca4ce732fb7db9ad8f372c62a7

    • SHA512

      e9539f61a9343c93123cc8877b3362d8837bcc78903d5dbe524460e49943b7df8451ae0d0785ded0c0bd8dc6e221aecfdf3c236adbb393003eed4674153e8759

    • SSDEEP

      6144:Kzy+bnr+ip0yN90QEWXOmWct9LTwWXJRjUQYoB2rEb8NVKsF3rE3:ZMrGy90UXRrt9nbvJBYCo3K

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0f5fae471624fdc2019d0988b658e0832f13a78b6b310cc8c3c1314c3e0c9f8d

    • Size

      1.2MB

    • MD5

      3addd1da95cacaab48c74e7787e6bc9b

    • SHA1

      ee33af7f80b3af72bd876610855d990fe757ba32

    • SHA256

      0f5fae471624fdc2019d0988b658e0832f13a78b6b310cc8c3c1314c3e0c9f8d

    • SHA512

      7797f245be9fc0c1140a2b57ef568065638db688479c42241d11efa7654120a18afb7f0b15dcf040d3463637bf5275248b2d5ce75edeef5de1dd9dc74f49ec60

    • SSDEEP

      24576:GyBVRwC3In5QtVwW0AlvMvuLnS7D+H3Hv:GYRIn5QtVwW0AeinUaXv

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      1998a377c7bb1ac8d7d9ef4fdd72c4bc6479d87263d40908ca9ea76e5f8f2011

    • Size

      989KB

    • MD5

      3c50d977f47d3c9b4d9a0fb9e62b20b6

    • SHA1

      744f98ec0a9bc23236ce1baa143bbc259afead77

    • SHA256

      1998a377c7bb1ac8d7d9ef4fdd72c4bc6479d87263d40908ca9ea76e5f8f2011

    • SHA512

      78d8a2af91556548a788ac10c50d2d7483f88c8233469dc565e9fd514e08445539a947999892eb486278b4d424d5a049dacd9dbbdf77dfdfda26e4e0f7f3f349

    • SSDEEP

      12288:78pKXIOOVTcldbSBDvIY3Mbw8xiMA2aCLolxjBOTmuOZiUVxQMb12:QpKXNOVTcl8BDvIY3wwIaLfOUVxQ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      2b559f1c510907c1a260b6482b36dce3ba603f08fd80d98ee793787a12104d29

    • Size

      1.7MB

    • MD5

      39f8521dd657ab5aaae4d2c76202614b

    • SHA1

      155a43d23930b1b7ccb1e7f0ec560063d8b5bd0d

    • SHA256

      2b559f1c510907c1a260b6482b36dce3ba603f08fd80d98ee793787a12104d29

    • SHA512

      6d312b975fee87af2f9e2f7a5f47db421e8d1074c74e730bd834ce8605aba80fa2174e17658ba501747c2e4f1007f93b41428fb6827c485269b61ba19718f773

    • SSDEEP

      24576:Xy40POuk6AxshWoadVb7uEla50CTd9Zijzers8QScFfv2LO5RM1u9773VaVAR3:i40POyWBd7uEl5Yd6+gRd2LyRZ9daU

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f

    • Size

      315KB

    • MD5

      3d4c73f2d10c4ea03e9f55af41a02d7f

    • SHA1

      e9f70b120dbab724b88c37161e5df5d8607d7500

    • SHA256

      2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f

    • SHA512

      05122b99c10edc0ea4b69f471daf0ce182268d505166e05a69757016f7f87b5e031911c8efd0e6722691b236df5bf2bef74f7a315d9c6c2c6d1e363bf9d98f27

    • SSDEEP

      6144:rI9pI60nbM8uPZy3+8KID2YuDUtMXVgbhAZdxldn+kXHS:s9+60nbnuNYV2glAnjJZHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      52d5102aa94d913408cacb8480a5007f4757bac252d6379b467616eb62442eea

    • Size

      274KB

    • MD5

      3b2f6dcd799e06d8804c55bc9128b9f4

    • SHA1

      67bfd5573dc98910ab128d825d92c16fa29c48c8

    • SHA256

      52d5102aa94d913408cacb8480a5007f4757bac252d6379b467616eb62442eea

    • SHA512

      05db7c5138366ff685398a45be1fab7bfec70967f116babb1ebbdc15a112cb28964efa7ba614b9d9cc76dedddf4974d057432bc5b1882e1379c426db930a521c

    • SSDEEP

      6144:0JeaoQWhlmgE5pdj7yKUtYowTgEd71anT7fxwp/:ceaZpp57yKuY5TgO4T+p/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      536536221030ca60a298f443a202be11047ecd20614f20fb85ec8e3b3915e013

    • Size

      390KB

    • MD5

      3bc5b2426cd5cab7c9ca7e5737d6d7c8

    • SHA1

      8fae227b631bd835a2fcb586a104949bb6759045

    • SHA256

      536536221030ca60a298f443a202be11047ecd20614f20fb85ec8e3b3915e013

    • SHA512

      1931cb86b9aac7a3cd519b357df7cab9907e1c7cbdc3dd13e9366ed01cf1420e450ed56b4813754e3d6c91c21ee1eb53bfe628f9fa99f4b9925bdf3246f9da75

    • SSDEEP

      6144:Kdy+bnr+4p0yN90QEfWPhKGKoAptKI8B5qf03QyCFcmRQoIe0lfrmkzOScRIvN:zMrky90xWPMpgIb0gyCFcpTeIPLvN

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      5460a1d2c84823a33909daab1fdc811ef8902f88377e1cf46112a9d0cdce6e37

    • Size

      278KB

    • MD5

      380a33366b16a0894082c78984ba8345

    • SHA1

      9ae5f79b7bdc0d1a1141c5a9d318fe8680149e14

    • SHA256

      5460a1d2c84823a33909daab1fdc811ef8902f88377e1cf46112a9d0cdce6e37

    • SHA512

      81cd5aaec512b832e69f071c62339578b1c8ec5170962887899f5164ff3c236275e71c63708c1083872c536b8e80ca5057c3f011b556994993c72faf6bb0cac6

    • SSDEEP

      6144:oA4BeDwJ7SRiJVN2FdyxSDQdMP5cIieWIJQjTWuo:oA+z2Xyx7TA

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Target

      5eba1ca0e7f43344f323005e13fa132f591c4f904c89b0c249ed3226ebd05e01

    • Size

      919KB

    • MD5

      3798d7397297e366a26153993de02af0

    • SHA1

      ddedf24c83ae1c4a0e7baf2cdfe59463a10b56da

    • SHA256

      5eba1ca0e7f43344f323005e13fa132f591c4f904c89b0c249ed3226ebd05e01

    • SHA512

      077211deb71636df685b3cf02350989fa49e76787dbbd88ae220c6bcb16cded5f1cbf734b76c4ccfdd77a6ae138c045f9f49b51b57195f7829a74e72472de557

    • SSDEEP

      24576:Jy8rhw3n0b6BVnDlL2dEl/W0gJUku6tREpqM:886kb6HD12dEFWtJUb6tREpq

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      69b4a9447365c1cc607cb7e8de4957fcb1ce9841892d9533740403ef7e5af76c

    • Size

      389KB

    • MD5

      37e149c79f6c343a6e5e070bae845e45

    • SHA1

      fa31552438049bc5ac502c437a18a522e693c644

    • SHA256

      69b4a9447365c1cc607cb7e8de4957fcb1ce9841892d9533740403ef7e5af76c

    • SHA512

      55c547884baba9d02f7a87db9863c027aa23d880d1829e3c043bb91482b152f5c9e1dd9b4b54eb3dba86d3ea59d4e180eac5e43260827b1543685522f6e9e556

    • SSDEEP

      12288:tMrcy90kZOXq38EVpLdCLA9sgBYChe8WkPObqU:1y3OO82pL4LAxzToV

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7b7ce936fd017fb3d3de8552a69b50012fdf9778cf317ec09212df4830d993c9

    • Size

      390KB

    • MD5

      3878b03638487d7fcda504b7b6112f6e

    • SHA1

      62a91750f680cce74a674c1188230b30a9c8284e

    • SHA256

      7b7ce936fd017fb3d3de8552a69b50012fdf9778cf317ec09212df4830d993c9

    • SHA512

      b5b7e76d64b969687670e23030ebcc39a9b50c893268670f93c0dd923d3e4e9c3e224b80c6e1ba15419fdee4bdf0720104d2559466e60d88947addc3ec221aaf

    • SSDEEP

      12288:cMrTy90xzhDbGx71diTJXu8RXxZm+a+LfafLIpD:fyOzJGQVxg+aU7Z

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f

    • Size

      768KB

    • MD5

      39bf80eb44acf1a81fada3d27fc3d228

    • SHA1

      ab1b7c12d61733d2ff88c01c76fff9d8bdd15b0e

    • SHA256

      82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f

    • SHA512

      726d3d9f8990f6e0ad6d00d35dfb69d316bfe474a94bb429cb34a580b86c7e3750bcb0d05e6bb0731efea28123beb399da4d2d492351a9f275165d45f6a47096

    • SSDEEP

      24576:XyHqqDah9D/bplKzYEkXOsb/xnZIuPhG:iKqSD/bHOYEM/ZiuZ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82

    • Size

      918KB

    • MD5

      3d56fe60879ef137225e115ea42923cf

    • SHA1

      e13b6d13fe9d23e1e67b2b9136fc8ce25aa8a3ee

    • SHA256

      841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82

    • SHA512

      151dd3af640f2b75af8b5c56c79b7faa72c1b92b334157191afef4747ee6d138ae991f937b752535c932fdeabfef0e6d7cc661107c3207f8138cc5f3393662ef

    • SSDEEP

      12288:kMrHy90QFfLsOpAvhgQTDKstwuoHAb8ce092kfJZGwgb3N4R3pQZp86GqWLYWiyk:zyNAZvhPKstwuoHeBXjv16p86GS3

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9b8496e95efc2095012f46230bd3642a47e89c4a73886f41db8e991f7fa863b6

    • Size

      642KB

    • MD5

      39da6d62eb04b947ef0c3b289cd76848

    • SHA1

      6fe12aecd3b54b2713c067bd1654977eca28c0b6

    • SHA256

      9b8496e95efc2095012f46230bd3642a47e89c4a73886f41db8e991f7fa863b6

    • SHA512

      ca056e94c745c20cd74978d38373a9f366c2083fc1955066f037cdf6f514e1fbb5b8e2b08c04416ab79340c00f48144afc779bcad17bd3f15062860d160aadf9

    • SSDEEP

      12288:zMrjy902S1PSTBNhq3yjD2NS6Gf2Lt7qYEvae+0/PRUnioKyNh7P6:EyGPy0ijD2lG+9qYEvx/ZUjHNhO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      bd06bfc2696394e32e12dc7d9c3585842b78bfbdc24f4157679058145abb22a3

    • Size

      390KB

    • MD5

      3a4cea3fc66e9b3d9560878ba1663cd9

    • SHA1

      591d5bef008232bbf43c90708e23f8d8e4eb2f22

    • SHA256

      bd06bfc2696394e32e12dc7d9c3585842b78bfbdc24f4157679058145abb22a3

    • SHA512

      701af6e157e20e8dbab2b81225a4895a3bbf2e5f6c2450e6d0b39b2d54203905f0d565ee59563746ea10fd3ef14dbd9348dc559f3bac600d295fbef27a83e2c0

    • SSDEEP

      12288:HMrCy90LK3WNWBSPa46LcHnl9nZF4rQKL:hywyYzHNF4TL

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d77888ac75d20228b7b7d9e6605425cfb9f51ecf0f39863b19981b1598b3a57b

    • Size

      924KB

    • MD5

      39ebcf56ab4b2fb98a2e2590c5a5a588

    • SHA1

      90ef0140fb2cd50c8f3f507ec061532252882acb

    • SHA256

      d77888ac75d20228b7b7d9e6605425cfb9f51ecf0f39863b19981b1598b3a57b

    • SHA512

      c596ee775a66fffe2df60c2cc909f89e71b2c6d95fba57ca78ed5a13c962b2520b6e8460ddc9f3ca0e6cb8b9e5cde134ed157f0a9ec39cbfe13c2d7bb62149ff

    • SSDEEP

      24576:OylPVB7/z8r9NKS/rdlEGOapBK/Aoa2ZLZP:dlHopNKSjkapoFa4t

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      eadc8b7eba6e15614161bb91b8de6cff4d56f767901f6aceb9baed7b0fe0b110

    • Size

      333KB

    • MD5

      3c77db8ee7d08d76b14c5fc09137df15

    • SHA1

      cc7f65cf6094c1cef4533d73b969a3c0a719d5ff

    • SHA256

      eadc8b7eba6e15614161bb91b8de6cff4d56f767901f6aceb9baed7b0fe0b110

    • SHA512

      6c9d537c77b713356587a42fc487979058cd63b6d428802565aa9ac6f83beccd5fb23ed96ed32f09e07573c05e3018b1d96515f0762a9c5c0fe8b8ba44a3f288

    • SSDEEP

      6144:e1RwZfFQDOioMvzATd5W0jbSXRYygh2qjjjjjjjJ42J2VfdweP4ql732W1sV+0Xp:e/zDOioMvzA+iygAqjjjjjjjJafKxI3W

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      ef11bf7b35a28054917643092a94f68ccdbc57cd68005df66e6d81a0d2d012d4

    • Size

      389KB

    • MD5

      3acf2e92c0625f14957b8bba85a5a133

    • SHA1

      519645e11407ed3991cf6501314ea5d8cd4e7a64

    • SHA256

      ef11bf7b35a28054917643092a94f68ccdbc57cd68005df66e6d81a0d2d012d4

    • SHA512

      e181da02b0e85eb7362d0528e5f2da52140b607e44c0f01bf5f772e80992c4fe396d1aaab512e1fb57f7cd54258488a8bd00386ab23b57b932c8d1259dc000b9

    • SSDEEP

      6144:K+y+bnr+lp0yN90QEUO/bqnT1boVBqmroo3FgmF32GBzHPIRUMjRDDQdf:uMrty907zqT0BtUqoAIRUMjRwdf

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f0d33c78b4822415ef8b626889ef19e5538cc85e78b11afdd7a1e3aa9b84b8aa

    • Size

      919KB

    • MD5

      393d6bd3d722abd31114cf500a6d31f5

    • SHA1

      027ab7af8553f0a73e95d6c9c8ddeb0e12af8965

    • SHA256

      f0d33c78b4822415ef8b626889ef19e5538cc85e78b11afdd7a1e3aa9b84b8aa

    • SHA512

      d97c315bd1aadb8f209099532d1d84265c305b7a0217dbbc172104c34be32d6a17d3473cfd89a44985d639e3e14bc723a3726b44fb857ab45120fc13feeac903

    • SSDEEP

      24576:fyp+BYZ6J6nTHME00k7UjgA69JsKL0AI6bnscKUph5E:qpZsJAH87UjOHaonsrUP5

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b

    • Size

      479KB

    • MD5

      3ab2ff06d401aa79ecc0a828734aa965

    • SHA1

      79f8c82403a2c4eba7333bbe8a8cea43043c1443

    • SHA256

      f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b

    • SHA512

      b7d56a909168f4841e017122351439b13b932d8e79631294e3798df47e01619739248b238f2c89aab67da67f885013705ffe71881aac02fb23b157b1d0f4ad21

    • SSDEEP

      6144:Kay+bnr+Hkp0yN90QESbWCWKAw5UH4MDtIA/EzylcSAGRArr8wtc5VrgGL8F9KaE:iMrwy90Yf3UYeZMzylcyqFtucF30

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 7

Persistence

  • Create or Modify System Process (T1543): 13
  • Windows Service (T1543.003): 13
  • Boot or Logon Autostart Execution (T1547): 14
  • Registry Run Keys / Startup Folder (T1547.001): 14
  • Scheduled Task/Job (T1053): 7

Privilege Escalation

  • Create or Modify System Process (T1543): 13
  • Windows Service (T1543.003): 13
  • Boot or Logon Autostart Execution (T1547): 14
  • Registry Run Keys / Startup Folder (T1547.001): 14
  • Scheduled Task/Job (T1053): 7

Defense Evasion

  • Modify Registry (T1112): 40
  • Impair Defenses (T1562): 26
  • Disable or Modify Tools (T1562.001): 26

Credential Access

  • Unsecured Credentials (T1552): 4
  • Credentials In Files (T1552.001): 4

Discovery

  • Query Registry (T1012): 13
  • System Information Discovery (T1082): 16
  • Peripheral Device Discovery (T1120): 2

Collection

  • Data from Local System (T1005): 4

Command and Control

  • Web Service (T1102): 4

Tasks

static1

Score
3/10

behavioral1

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral2

Score
3/10

behavioral3

lumma stealer
Score
10/10

behavioral4

Score
3/10

behavioral5

redline 581694481 discovery infostealer spyware stealer
Score
10/10

behavioral6

amadey healer smokeloader backdoor dropper evasion persistence trojan
Score
10/10

behavioral7

Score
3/10

behavioral8

redline 5345987420 discovery infostealer
Score
10/10

behavioral9

Score
3/10

behavioral10

redline 5637482599 discovery infostealer spyware stealer
Score
10/10

behavioral11

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral12

redline @winbinlow infostealer
Score
10/10

behavioral13

redline @winbinlow infostealer
Score
10/10

behavioral14

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral15

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral16

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral17

redline lamp infostealer persistence
Score
10/10

behavioral18

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral19

amadey healer redline smokeloader papik backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral20

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral21

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral22

Score
3/10

behavioral23

redline 7001210066 discovery infostealer
Score
10/10

behavioral24

healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral25

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral26

healer redline dumud dropper evasion infostealer persistence trojan
Score
10/10