Overview

overview

10

Static

static

3

0dfc7afcaa...c4.exe

windows7-x64

3

0dfc7afcaa...c4.exe

windows10-2004-x64

10

104ab96ec5...91.exe

windows10-2004-x64

10

150d5d207f...74.exe

windows10-2004-x64

10

19408d20ed...1b.exe

windows7-x64

3

19408d20ed...1b.exe

windows10-2004-x64

10

209f361ec5...19.exe

windows7-x64

3

209f361ec5...19.exe

windows10-2004-x64

10

32df5b0360...59.exe

windows10-2004-x64

10

5a9212ccca...d1.exe

windows10-2004-x64

10

6547f1c95b...de.exe

windows10-2004-x64

10

71abd07878...2a.exe

windows7-x64

3

71abd07878...2a.exe

windows10-2004-x64

10

7d7131e841...77.exe

windows10-2004-x64

10

981d198e1d...05.exe

windows7-x64

3

981d198e1d...05.exe

windows10-2004-x64

10

9be0387d86...b9.exe

windows10-2004-x64

10

9d44150fdc...7d.exe

windows10-2004-x64

6

b7da28873d...d0.exe

windows10-2004-x64

10

c6bd926d58...44.exe

windows10-2004-x64

10

d599ef82af...3c.exe

windows10-2004-x64

10

db2419395b...f8.exe

windows10-2004-x64

10

e7b8d2cb79...0b.exe

windows10-2004-x64

10

eeebcd7da8...f5.exe

windows10-2004-x64

10

f1ae7fab47...cc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    r2.zip

  • Size

    11.1MB

  • Sample

    240510-rx7yhaea76

  • MD5

    d6e76ad63206741517623419d7e6232b

  • SHA1

    ad3fbd400ed45edd22986a79cecfec3706f6d5cd

  • SHA256

    fea4a5268fd3fad5b4772bcf4ef021d104110cff4b7bd43f6ad10ebcab7b0916

  • SHA512

    d24203a8014f4867b12095a6e311ee7f8ed9724c80581961480b8b9830f0f2fd1c61dddb052b2c4fe9e05c0e4c8fb16aa67dae20a070f68963df34f807ebacf8

  • SSDEEP

    196608:EDSuk9boOsd6PSehcYACe6bkYegAgZyX/bM66InR/9C+nZ5j1Ns6DqfFbLNoFzsB:E9NdoSeqAe6bneg3u/fXRwSZ13s6DSrh

Score
10/10
amadeyhealerlummamysticredlinesmokeloader519555252953459874205637482599dumudkiralamplandemihannasabackdoordiscoverydropperevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

lumma

C2

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

https://mazefearcontainujsy.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Targets

    • Target

      0dfc7afcaa9349ea50b58920f20c7af6071f07f3aba206d96b30716dd61b95c4

    • Size

      537KB

    • MD5

      b2a8d89ff748f4bd5fc18ae429c2868a

    • SHA1

      073223ab6c0eece379bfe739bd998da924da9e6c

    • SHA256

      0dfc7afcaa9349ea50b58920f20c7af6071f07f3aba206d96b30716dd61b95c4

    • SHA512

      15fe353ecad3bb37f4dce11aaa81e41eeb1ec219c11e465efd5338fea53fef976fde9edebdb0eee96fe78f25235af0cefcc58050b7bb8c21d2bd9c1c53a4cb5e

    • SSDEEP

      12288:BJgGeX0H4pTsQ+ygfjIWX4d4+W8V3dJZMIoyQG5bDan0Xp:BJgmH4SpIWxIJZxolGa0

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      104ab96ec5c48fc27c7e1536ff21081aa1efc5fcfdb8ff48716f9c44afbda891

    • Size

      334KB

    • MD5

      b42aeb4b9d29f6b7bdbbd0505f58c5e9

    • SHA1

      8958434f4aa7ec7ad89af115f6b640119a2b5635

    • SHA256

      104ab96ec5c48fc27c7e1536ff21081aa1efc5fcfdb8ff48716f9c44afbda891

    • SHA512

      595a294eb35bf19628bb684ecf9b5289834913a55faab29d1edb222075a963ca91a9e674e55e019cf5afb1200a39c894938cf5df92eae3b465ea96ef560f05d2

    • SSDEEP

      6144:Kry+bnr+Cp0yN90QEsXzkP1aViNXxVkSdLx/ZivrDucWC:dMrCy90eiNXxVkSv/irf

    Score
    10/10
    mysticsmokeloaderbackdoorpersistencestealertrojan

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3

    • Target

      150d5d207fadbb612a41c8c9dae6ffe50c8cffd2db96a1cb75a5c779cbd82974

    • Size

      480KB

    • MD5

      b2bd84c5900716a004ee100a29e7de7f

    • SHA1

      6b08dd3460398f5339bb513f37aa4756476b58ac

    • SHA256

      150d5d207fadbb612a41c8c9dae6ffe50c8cffd2db96a1cb75a5c779cbd82974

    • SHA512

      1851b7ac20c259cd2cc2dda50aa24228f8549800bb9972bccf7b47197eac27b9e4337fec15556b40a4719170bba061f4e2441c6e868c1983ebf4d612c89a8d18

    • SSDEEP

      12288:LMrvy90+QotLWwaMn0jXPM63xigzNPkA2c/Q2i/A:QyVL+tJvPi4

    Score
    10/10
    healerredlinemihandropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b

    • Size

      306KB

    • MD5

      b309c1dadd09e6991ed90c6ccac7badb

    • SHA1

      845485b9ae931e443c488e65d44cb2bc4ce48e99

    • SHA256

      19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b

    • SHA512

      3ed5e276f089e112169d41de199b35ff81055913b5d17c2edc6e1d4087e4aaf594662d6b62ef96d9da67865b641d2ea09166d90139a9b5e0f98bac9ff0c0bbd6

    • SSDEEP

      6144:t7Zt9vSWh60RVAtljy114ZGaWCk1LixTtG3Xzd8nn+OJyL98p:5ZSWhH+Z81+Gzunn+qyL98p

    Score
    10/10
    redline5195552529discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19

    • Size

      1.2MB

    • MD5

      b22e3d28fcb85f140790e00b67bf0048

    • SHA1

      11daf8146bf98eb6f00d82e846be9890f3280724

    • SHA256

      209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19

    • SHA512

      061c481cfa66c6271c9f5c329942768a6109b13e404303ac1fe6912a45ac42a1b14d62044898cca104225a9cbbf079b24851436d62538d748bce6e8752f90d7c

    • SSDEEP

      24576:ll1NeljsInpBxcyc40xvOGe2ErJU8dtqF6dl0:lnHInpBxcyc40UBFU8+cdu

    Score
    10/10
    lummastealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      32df5b0360337fb2cb7c64f82fa3d8fde28ff3c1028c424475918553f0dae959

    • Size

      390KB

    • MD5

      b48f4d5e5ebbba5540571afc35141edb

    • SHA1

      c17c04823151ba15dc89d1dfc7ce39ab04f007ce

    • SHA256

      32df5b0360337fb2cb7c64f82fa3d8fde28ff3c1028c424475918553f0dae959

    • SHA512

      239ec2798b6fa61225c8e27f9d7068b3770d76d431cae4eba1417df71a6d9ab9cf802fc05e960c3ef358767f1ba43ebbeaadc6c82eee0055b3fe06bb1ac35de4

    • SSDEEP

      6144:KTy+bnr+Qp0yN90QEqBbYug653PMwusov9HGDMtgb99PpXrEd4+e2F1zdiZ5MoVY:9Mr8y90fh65kflNgQgbNrxOSVMf1d

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral9

    • Target

      5a9212ccca92111e18358da4163f1a5d4c12debc5b1d9ac429198c7ad68de5d1

    • Size

      514KB

    • MD5

      32ab0711c74737a7d5948b73ccc1ab6f

    • SHA1

      3bd68e686a0260a11aa4805a2655867c4e780059

    • SHA256

      5a9212ccca92111e18358da4163f1a5d4c12debc5b1d9ac429198c7ad68de5d1

    • SHA512

      2aebec7ee681bd7e5e085571347a9caed38c2dfd5c705ee5fdb23da1258079bfb77b278427dd46811afc7f2f98afa2c818abb44e305cc13d4e43c8d1dec0a7e3

    • SSDEEP

      12288:8Mrzy906i3DhgK5RE1g0xJF7ceeeeDC37Ztoj8QXII:HysNDSF7we97Zc

    Score
    10/10
    amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral10

    • Target

      6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de

    • Size

      2.4MB

    • MD5

      b56c9c48c9be9fe4136433ba42ff386b

    • SHA1

      ca41a545b363d093d54478164341a674d14fc20e

    • SHA256

      6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de

    • SHA512

      cd0d1d2515ddfa2f82c0a231ac628087ec07e12ae18f16725c8c00f143e42babbdf6fdaa364c3a73995b11c500229ed2b80fb0b49ee9c053b27d00c0318b30f4

    • SSDEEP

      49152:aMZY5u/t3C4s8PuNe0etckWRrdj3mCaEshhFeEsuHECTOz88kUOgL:4uc86Wc7pj3mCohHeXuHaxkUOW

    Score
    10/10
    evasionpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Drops startup file

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral11

    • Target

      71abd07878fba4bfa822c83c9dd023f4bafbeedcce63770fad08edb14d06fd2a

    • Size

      332KB

    • MD5

      b1ee5f016286b3eaafcb51e97496641d

    • SHA1

      5f5700b35aeeac1a8e6df807e068405b55fd95ff

    • SHA256

      71abd07878fba4bfa822c83c9dd023f4bafbeedcce63770fad08edb14d06fd2a

    • SHA512

      582f9c7f452236a69b9bf7416ad5a76c37201281fd789ff7fefec7a053b06a969ef5617af27a00e5e609be6f8e1a96e84ee1acd963b01da508c590213c87e32e

    • SSDEEP

      6144:71xw5f7Qjiq+osPz6Z520DbS1RcygheoU4N4EQIE73qSqPk0iv6zx9+0Xp:7fZjB+osPz1YygsnnE987ak/0Xp

    Score
    10/10
    redline5345987420discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral12behavioral13

    • Target

      7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77

    • Size

      307KB

    • MD5

      b16e53bf8c31df4612c6d929fe180180

    • SHA1

      89b65a826c47294d98c3377d4255588874e126d8

    • SHA256

      7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77

    • SHA512

      c0b0173bf1440693c36fa7c0cbc76ba8643a2487694eb69255181433d69b29ffcf6089c49604600331570ad5a886f176052e79e7dbcc5e4219e0db4e17fb49b3

    • SSDEEP

      6144:KRy+bnr+ep0yN90QEuwSAldxTiKxsNsnqYzp2XzB6Keg:vMrmy90rrd0sn5tosg

    Score
    10/10
    redlinedumudinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral14

    • Target

      981d198e1de125ce89beae1c0930fc2c9f513d88c9048e0d41c6f12c41ab0e05

    • Size

      332KB

    • MD5

      b28f3b277093c42db25148fc25cc2dc8

    • SHA1

      49d46e4f908f65f6a420fd7367829f2807fad8c1

    • SHA256

      981d198e1de125ce89beae1c0930fc2c9f513d88c9048e0d41c6f12c41ab0e05

    • SHA512

      e99806bebe7f76e7f3ee10119dc481d3cf01a8138e9148791aebca1ba0da2cdb24fa5cad267d4baf7da6f49abee8e8f163139440134ff1bedb4dabd758754a40

    • SSDEEP

      6144:/3bwLnnURogoKFr+7hoIJeNRuygh2vt40ZznssmUl7G0EG1Z01R0xn+0Xp:/LzRogoKFrt4ygUvtbzssm74Z0P040Xp

    Score
    10/10
    redline5637482599discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9

    • Size

      514KB

    • MD5

      b2a6158e5066da9cdf80f68a45607dbf

    • SHA1

      9c0a1b48a8f821e1bfe1cb4266aed6fa30294c9c

    • SHA256

      9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9

    • SHA512

      c8a3d4dd40a4c1dcec017e78105426093d4be62bd931b72af4ab38cdce5cfef19eb3b74d2cd0c63e352bb6c3cd76ab08922f0ecc8c26f0bb159a7e393b914cf7

    • SSDEEP

      12288:7MrVy90uCP6AGluvgTtGOTN8F3a56b3WEwjXh:iyG6AGsgTtLma6b2h

    Score
    10/10
    amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d

    • Size

      175KB

    • MD5

      b0762cb364c4a6dcaf988e98769222a2

    • SHA1

      383306a9f9e8adc5f893ff3913131e6610525c95

    • SHA256

      9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d

    • SHA512

      6e2ca96e53ffd5d89d7b800f21c7636b87935fcd8261aac4a936c96a0a3e103ee9704f7cec541c0babfc6ba66e7882d44ac4f7037219ac07c6e6e6273d3056ef

    • SSDEEP

      3072:KNy+bnr+O1R5GWp1icKAArDZz4N9GhbkrNEk1pRroMK6y6S+:KNy+bnr+2p0yN90QE6KMlz

    Score
    6/10
    persistence
    behavioral18

    • Target

      b7da28873d43a4b6acac44b82b109a2489323a219d2cece98db41b834a2f30d0

    • Size

      390KB

    • MD5

      b62325de4a16fa8ef1be00aa14a9fbaf

    • SHA1

      e4a6a42b2ded3585cc3df5a8ae50d737af8ab89b

    • SHA256

      b7da28873d43a4b6acac44b82b109a2489323a219d2cece98db41b834a2f30d0

    • SHA512

      a19baa59e652f92c1159e99c96a752214c2971ae245cc35853b0a7f6d4c010c0380ee6483aa3ccf81d2368f14f2a210e6c457bbfa559e0b7316fdf40330978e4

    • SSDEEP

      12288:KMrRy90wf9rYI/TeNvhlroLgBYCmThEW7Sfz0vip:bytNYwTs7Zzm1EW7SF

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral19

    • Target

      c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44

    • Size

      390KB

    • MD5

      b2971e22c8fca83829bad2afae84a0c1

    • SHA1

      4d3a11d21db1e95e86e79382e8600da710158713

    • SHA256

      c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44

    • SHA512

      ad5eb42328d4bc03c8b01ffa2d7ffe85c84394695c233e052a7840fef288e120e5b14e9abcc7c3fae8fada583de7cb9eb19060d23e2d596f900a9cb9b9a74f7b

    • SSDEEP

      6144:Kiy+bnr+Up0yN90QE/QeKcFaMM8MIB88hU3846ZmHwTCcHnlRHSjpiR0NUcP:eMroy90qeKkaMMM/e8l8HvcHnl9eP

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral20

    • Target

      d599ef82af0badf49dd8c6cc5d7bad517685798e47a31291d482c5768dae4e3c

    • Size

      1.7MB

    • MD5

      b6a277fb73fd2368881e3a1bdfdbee91

    • SHA1

      e266dfa6fd70b7c708e94888ee5c20145de5cf09

    • SHA256

      d599ef82af0badf49dd8c6cc5d7bad517685798e47a31291d482c5768dae4e3c

    • SHA512

      fa58f5ea05bc17a43d77863a82f0de4bfc4ade606d36219d2bf9a2ad2100d427e1007e6a7953f45831f901a3039427fe8acadddd2017a3c9d37bc7aa51c3e5ca

    • SSDEEP

      24576:ky4lOgHEhO36BRximoOF+Is5qO+6XRuyCmjvoQYK83vXtayzWT8oyzzGoDzlJfzD:zY2G6BRL+IaqOXRuylUQYLPRoNCW

    Score
    10/10
    amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral21

    • Target

      db2419395b2091b54fbda644944d811a11fcb035dba5ab2e6d4b5ee327abbdf8

    • Size

      924KB

    • MD5

      b4279fa1a8abab99f422a93f4d79f2f9

    • SHA1

      ccb6ae065ebbb6744b787bf780123a5c22a72042

    • SHA256

      db2419395b2091b54fbda644944d811a11fcb035dba5ab2e6d4b5ee327abbdf8

    • SHA512

      755a9e8fcc2d709c51926d540f7fe57bb5a6633a797ee72de4e71dacf67798cf8ae16919252035f5ec1aa583158b4d06225a2642a67808557174b70ebb664967

    • SSDEEP

      12288:XMrPy90RZnSp8CTLsV3LprI9+sTyIEhbWNAdsJwNywGEsUJRKEtj4L3S3MMm:Yy8SiCTLkrI9+bIEANAu9lUJRKElP3A

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral22

    • Target

      e7b8d2cb79d76cc4434f9525644c524179ad84cea43f8c12ee7ad387710dfc0b

    • Size

      390KB

    • MD5

      b463b4e34c4eabc3471a7e831ca821bf

    • SHA1

      190840beaff3dadf2dd733e2cf26602553034caf

    • SHA256

      e7b8d2cb79d76cc4434f9525644c524179ad84cea43f8c12ee7ad387710dfc0b

    • SHA512

      1b44e81ae0523a111aad4496950c22ded9dc1f979c1ac23492e70001fdba211f9bfe8e9a693fadc1457af61c00c8fabdf580526f791e5940d87a94b47a750ae1

    • SSDEEP

      12288:AMrRy90F1S5fisieQUG5qigHRcHnl9u5zXRQT4:hyG1SlisrQUURcmHKvQ8

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral23

    • Target

      eeebcd7da83427c994c4399d2aeda8161beb9d76926f8245160789de2d6613f5

    • Size

      479KB

    • MD5

      b3c22b2fa8a7fe06765490744b903edc

    • SHA1

      f64b9aa84ceba7f393ac0524b29a8b00ba4cc688

    • SHA256

      eeebcd7da83427c994c4399d2aeda8161beb9d76926f8245160789de2d6613f5

    • SHA512

      4ea73b73b29383fa68a95625a7767d00b7aeaa89d085c920d9f22dcd686a38057f8916c10a87069c32c22a6e31d4aadd4869cfb4ec213f44812b0b602bace7eb

    • SSDEEP

      6144:K3y+bnr+Sp0yN90QEyzbzTuRPXMgISpYTtIzoKB9rgsJktcYlPRfqq+Uht6euKPJ:FMrqy904zb2RfRiTtIUZSkcYjTNxv

    Score
    10/10
    redlinedumudinfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral24

    • Target

      f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc

    • Size

      864KB

    • MD5

      b256e9fc25625b83e43a74ea8307026d

    • SHA1

      8bddc4828acbc99bb6b144ed6c2ca8ea918f9345

    • SHA256

      f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc

    • SHA512

      60bf45c3636a766acbe9e0614ee3f88709259e6a81e65b08f107648c17e4ae73de0cbd737e8c03dcc02401e8ee3c403aa2216b31e68fb9c5ce1ab76e3624624d

    • SSDEEP

      12288:EMrry90/YoqPF09KlVJVkFpsJHw/zCZjnNHTSNKdiWBCDnz17X2dvVvtXIHsnzdR:/yMUnVDknWCzCjnHOjzN2d5t70yrNhV

    Score
    10/10
    healerredlinekiradropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

Score
3/10

behavioral2

lummastealer
Score
10/10

behavioral3

mysticsmokeloaderbackdoorpersistencestealertrojan
Score
10/10

behavioral4

healerredlinemihandropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

Score
3/10

behavioral6

redline5195552529discoveryinfostealerspywarestealer
Score
10/10

behavioral7

Score
3/10

behavioral8

lummastealer
Score
10/10

behavioral9

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral11

evasionpersistencetrojan
Score
10/10

behavioral12

Score
3/10

behavioral13

redline5345987420discoveryinfostealerspywarestealer
Score
10/10

behavioral14

redlinedumudinfostealerpersistence
Score
10/10

behavioral15

Score
3/10

behavioral16

redline5637482599discoveryinfostealerspywarestealer
Score
10/10

behavioral17

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral18

persistence
Score
6/10

behavioral19

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral20

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral21

amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan
Score
10/10

behavioral22

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral23

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral24

redlinedumudinfostealerpersistence
Score
10/10

behavioral25

healerredlinekiradropperevasioninfostealerpersistencetrojan
Score
10/10