General

  • Target

    r1.zip

  • Size

    59.3MB

  • Sample

    240510-sdvdqsbf9y

  • MD5

    52efdf01662abb5764d09e2c198762c1

  • SHA1

    95fb35c74213d6e579d4c02f02e734134bcc7bc8

  • SHA256

    e26fabd2c7ff2793a03e50751c6b5c5606cd0dcc9f0fbec237db01080085c327

  • SHA512

    968ac8a3a2939e5f5e62e89525e99198d6cff412973bad317e471f35e2d691ce06ee95d878b9cd8cf34079faaab946a3c9ab2a2428e45da234bf4e3d41cb5504

  • SSDEEP

    1572864:jiAYbTKgJol5kjVEtpaxs2kwji1p/y+9aOlcj:jip/TJol5knkUi1pnFc

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain
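
Both Amadey configurations report a strings_key. As an added example (not the extractor's code and not from the report), the Python below implements RC4 and shows how such a key is applied: to my understanding Amadey 3.x stores its configuration strings hex-encoded and RC4-encrypted, with the key used as its ASCII bytes, and that is the assumption built into decrypt_hex_string. The report lists the keys but no encrypted blobs, so the sample blobs here are constructed by encrypting the report's own C2 hosts, URL paths and install file names with each version's key; the Key/Plaintext vector is the standard RC4 test vector and checks the cipher itself.

```python
"""Added example, not part of the sandbox report: RC4 string decryption
with the Amadey strings_key values listed in the report. The encrypted
blobs are constructed here (the report shows keys only)."""

# strings_key values from the two Amadey configs in the report.
STRINGS_KEYS = {"3.86": "ada76b8b0e1f6892ee93c20ab8946117",
                "3.85": "827021be90f1e85ab27949ea7e9347e8"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_hex_string(key_ascii: str, hex_blob: str) -> str:
    """Decode one hex-encoded RC4 string. Assumption: the key is applied as
    its ASCII bytes (the 32-character string as printed), not hex-decoded."""
    return rc4(key_ascii.encode(), bytes.fromhex(hex_blob)).decode("utf-8", "replace")


def encrypt_to_hex(key_ascii: str, plaintext: str) -> str:
    """Inverse of decrypt_hex_string; used only to build sample blobs."""
    return rc4(key_ascii.encode(), plaintext.encode()).hex()


# Constructed sample blobs: the report's C2 host, url_path and install_file
# for each version, encrypted here with that version's strings_key.
SAMPLES = {
    "3.86": [encrypt_to_hex(STRINGS_KEYS["3.86"], s)
             for s in ("77.91.68.61", "/rock/index.php", "pdates.exe")],
    "3.85": [encrypt_to_hex(STRINGS_KEYS["3.85"], s)
             for s in ("77.91.68.3", "/home/love/index.php", "danke.exe")],
}


def decrypt_all(version: str) -> list:
    """Decrypt every sample blob for one Amadey version back to text."""
    return [decrypt_hex_string(STRINGS_KEYS[version], blob) for blob in SAMPLES[version]]
```

On a real sample the blobs come from the binary's string table rather than from SAMPLES; the decrypt path is the same, and a successful decrypt is recognisable because the output is printable (a C2 host, a path, a file name) rather than noise.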

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

lumma

C2

https://mazefearcontainujsy.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api
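
The extracted configurations above are the actionable output of this report. As an added example (not part of the sandbox report), the Python below parses that listing into records, builds a host/path indicator index from it and runs the index over a handful of constructed proxy log lines. The parser keys on the extractor's field names exactly as printed above. The pastebin raw URLs are treated as dead-drop resolvers, in line with the report's "Legitimate hosting services abused for malware hosting/C2" signature: the host is legitimate, so only the exact path is an indicator, and a different paste on the same host is not flagged. CONFIG_TEXT is an excerpt of the section above with some attributes omitted; the log lines and client address are made up.

```python
"""Added example, not part of the sandbox report: parse the extracted
Malware Config into records, build a network IOC index from them and
run it over constructed proxy log lines."""
from urllib.parse import urlparse

# Excerpt of the report's Malware Config section (first Amadey config,
# two RedLine configs, one Lumma C2); blank lines are tolerated by the parser.
CONFIG_TEXT = """
Family
amadey
Version
3.86
C2
http://77.91.68.61
Attributes
  • url_paths
    /rock/index.php
rc4.plain
Extracted
Family
redline
Botnet
lande
C2
77.91.124.84:19071
Extracted
Family
redline
Botnet
5637482599
C2
https://pastebin.com/raw/NgsUAPya
Extracted
Family
lumma
C2
https://mazefearcontainujsy.shop/api
"""

# Extractor field names: such a line switches the section, anything else is a value.
KEYWORDS = {"Family", "Version", "Botnet", "C2", "Attributes", "install_dir",
            "install_file", "strings_key", "url_paths", "auth_value", "rc4.plain"}
# Legitimate services abused as dead-drop resolvers: only the exact
# resource is an indicator, never the host on its own.
DEAD_DROP_HOSTS = {"pastebin.com"}


def parse_configs(text):
    """Line-oriented parse of the flattened listing into dict records."""
    configs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line == "Extracted":
            section = None                      # next Family starts a new record
        elif line in KEYWORDS:
            section = line
        elif section == "Family":
            cur = {"family": line, "c2": [], "attrs": {}}
            configs.append(cur)
        elif section == "C2":
            cur["c2"].append(line)
        elif section:
            cur["attrs"].setdefault(section, []).append(line)
    return configs


def build_index(configs):
    """host -> (family, label) for C2 hosts; (host, path) -> same for
    dead-drop URLs, Amadey url_paths and Lumma /api endpoints."""
    hosts, paths = {}, {}
    for c in configs:
        a = c["attrs"]
        tag = (c["family"], (a.get("Botnet") or a.get("Version") or ["-"])[0])
        for entry in c["c2"]:
            u = urlparse(entry if "://" in entry else "//" + entry)
            if u.hostname in DEAD_DROP_HOSTS:
                paths[(u.hostname, u.path)] = tag
                continue
            hosts[u.hostname] = tag
            for p in a.get("url_paths", []) + [u.path]:
                if p not in ("", "/"):
                    paths[(u.hostname, p)] = tag
    return hosts, paths


# Constructed proxy log lines: "time client dest_host:port method path".
LOG_LINES = [
    "10:01:02 10.0.0.5 77.91.68.61:80 POST /rock/index.php",
    "10:01:09 10.0.0.5 77.91.124.84:19071 CONNECT -",
    "10:01:15 10.0.0.5 pastebin.com:443 GET /raw/NgsUAPya",
    "10:01:20 10.0.0.5 pastebin.com:443 GET /raw/unrelatedpaste",
    "10:01:31 10.0.0.5 mazefearcontainujsy.shop:443 POST /api",
    "10:01:40 10.0.0.5 example.com:443 GET /",
]


def scan_logs(lines, hosts, paths):
    """Return (line, family, label, reason) for each line touching an IOC."""
    hits = []
    for line in lines:
        _, _, dest, _, path = line.split()
        host = dest.rsplit(":", 1)[0]
        if (host, path) in paths:
            hits.append((line, *paths[(host, path)], "c2 path"))
        elif host in hosts:
            hits.append((line, *hosts[host], "c2 host"))
    return hits
```

Path-level matches are reported ahead of host-level ones because an Amadey beacon to /rock/index.php or a Lumma POST to /api is a stronger signal than a bare connection to the address; the bare connection still fires, which matters for the RedLine ip:port C2s that carry no path at all.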

Targets

    • Target

      10893005755e760cedfd88c67f168c3e2f1e26fafad63a929c1e953e718f49d7

    • Size

      389KB

    • MD5

      f66ede1e06a086d548beab7306b19c2b

    • SHA1

      e3473b146cbe237f60308ded64136d2e0d0e0138

    • SHA256

      10893005755e760cedfd88c67f168c3e2f1e26fafad63a929c1e953e718f49d7

    • SHA512

      892cd0b6b431c432f1defc9e8519389ac731c4b635e5e8b610790495d7e02ab7cb0057d3ce349a893bca34d9d21185b7f69c744258984ba1ea5947ddb322cd69

    • SSDEEP

      12288:EMrZy90J4zMV/aGuDCQsgBYCpxsHJKBCs7:tyc4xHDCQzzzsHJKb7

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c

    • Size

      390KB

    • MD5

      f8cfb1df4bcb4f9f8b7b9d0708e16d69

    • SHA1

      93755a42eacd228ef291a3136a1394593c678faa

    • SHA256

      188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c

    • SHA512

      12b8522f261a7e3d0b91a41cfbf93b80bd10ffde1f8b53c548e8aafcca765cd92f511b71d05a298b7712e9f30b3cf81eced8ffe73ebee48b3230d5402cdf3f68

    • SSDEEP

      6144:KQy+bnr+lp0yN90QE4JX36Yol3tvc630ZEnOOZ38ow6db8IEw2+ogF1AmoTMJrTH:0MrFy9003obIE3dwooI+c1AlTM0Mq8X

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1b3c0e579787bcef84732f5265ff9b365cdc639dfb3b301ffbfb808167567506

    • Size

      390KB

    • MD5

      f721e921a1d0ce588d0614c7257f90f4

    • SHA1

      339b731d73e585d123b3243ef3f3f95ecd92e4d1

    • SHA256

      1b3c0e579787bcef84732f5265ff9b365cdc639dfb3b301ffbfb808167567506

    • SHA512

      302847dea588564672f5335a1e312d34a99b166c601369e3ab99a01b7c2b1201c56b4b87859b3d8658c316e37004ac8b16a40ad304e1a3116172e36fa9071898

    • SSDEEP

      6144:K9y+bnr+/p0yN90QE/TmKPN4KfD+HXyLx+SPntq302ViNF4XLmMdmIi5:zMrny90lyMGKfDwaPO02ViNF4zk

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      265074d78c68ba95d07246920d7362962c973dc99f27f0f0a587385fa5df10d6

    • Size

      332KB

    • MD5

      f5db97e3fb356e1566ca0b936eb39b5a

    • SHA1

      6c5d9508a6e3e984dab15d33a78139ec2b61a388

    • SHA256

      265074d78c68ba95d07246920d7362962c973dc99f27f0f0a587385fa5df10d6

    • SHA512

      23f5c86847407d952d9f8b1081dcdeb1e65073f9938ff5adcc27e9407a16e8b7737eebb7a9771602a8864336441d83b6ef92d6708752bc2aca43323320674742

    • SSDEEP

      6144:m3bwLnnURJgoKFr+7hoIJeNRuygh5N4e7DF4AQILHZK644tsR+0Xp:mLzRJgoKFrt4ygHNPBdHZKAt70Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      2d6ce3858dc5849cd0e5ce873e285bbd3b6a34ad11e20937b1827c8f3594abb0

    • Size

      274KB

    • MD5

      e37c96dcb461998f850d7f29636f4c7e

    • SHA1

      99e246345e6f7e42e1bbf87413af04ecde111326

    • SHA256

      2d6ce3858dc5849cd0e5ce873e285bbd3b6a34ad11e20937b1827c8f3594abb0

    • SHA512

      8e74a88d6396f1c687e70c4e54964a3bbd632038d4c775ed01f6564fb0651484f7e75e499cda7e159984f7d595b8bc0cb497b3762b4ebb133035d32986343670

    • SSDEEP

      3072:S++KoocagDG2XjkWhG2Lf7Ggq3L1JxPiilhkgowrWtctWaYUhP+OKerH80fNLtvf:tJeaoQWhlmgE5++WhsZrr9tCZnrwp/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e

    • Size

      1.2MB

    • MD5

      f2060efdea36d0b964aacf58232d74c6

    • SHA1

      26c27e2c2f243cab2d85bbd3b4dc8b6f2590daf3

    • SHA256

      3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e

    • SHA512

      bb051ac9bb0699feaeab22c94d8ae535ed392dc0aa440907475d421870c5f8f44101dd1ef306ee96946c646814cc6db36e9623ba18ac917c50dcfbf4686abb54

    • SSDEEP

      24576:F9lnCBXoonp1hwCMUkRvWOvqYCZ2ylmJ0H6r:FPRonp1hwCMUkk6pCtlo0ar

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588

    • Size

      724KB

    • MD5

      f4f787db36502a2e05f39da6a313e914

    • SHA1

      4f842c75ce854d86420f9790c47c81bdcecd7c5d

    • SHA256

      3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588

    • SHA512

      0728509f9668750a075e73175e48f90625f5e62ef3d1e95641d654d43f749dacb1012110c6e445aa64308a64b0d23c447041ab0ec994300a6b06a1091523d52b

    • SSDEEP

      12288:hMrCy90ubk8a7kp52+3z2scqnKypirYMFBWzHKXRd1akvD6lKCjetDmzHu:zy5w8Qkp5/z2sc6KypgCzHKXf1vOHje9

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a

    • Size

      2.0MB

    • MD5

      e1ca89e321f8198d4253c9178eb523ff

    • SHA1

      fe072ee589998082c37b054c4d8e4f0a6aa4eeb7

    • SHA256

      3e36cb02ee15f0803929c4cc4ae0639ce652b40ae83519e020dc3e5273dde39a

    • SHA512

      af0d2629e4fce28b141f77762d351ff64c64fc965b9fd51bad073948841c6ea19655e34a7d1aed30837c67cac6e0e5f8af52e9eca07d58a77fdf3d213cd59f2d

    • SSDEEP

      49152:SxZh3SQ5yCsV/BuPeQePc/yRrkS2TCwuRI7V1GiTCBC3O:WSp/iucmAS2TCFIB1RTC

    • Modifies Windows Defender Real-time Protection settings

    • Drops startup file

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      3f3ae364814c4c229616f1792f939131d6af421c4fa431b81f955015d14c8168

    • Size

      308KB

    • MD5

      d1692bfe69b9eba7c632642192c2387a

    • SHA1

      132970b55855bcff595ac8af257b27c4b0fcebc0

    • SHA256

      3f3ae364814c4c229616f1792f939131d6af421c4fa431b81f955015d14c8168

    • SHA512

      715b107c3e4a7772159c0de693ccacf36a2f62f54dc3cac0b4c7f6e0f8f25996472803be965eaadea3906e100e4f8557782cee76399a8787d91f19ec3107cf06

    • SSDEEP

      6144:dMbygE5HGw3GNc6xTQROzphoTjgEV9YCHtWRKZl/I:AygE5HGvWSpmnr7p3nI

    Score
    1/10
    • Target

      54ca5c456ca4541c7a54027ae67295d9bdec93f29d76b9e8ab36e1fd52b1b876

    • Size

      390KB

    • MD5

      e2ff92ceb1b36894ab6449df6190d5fe

    • SHA1

      e62b58fb4e8a161514f89711a1684e1db6100572

    • SHA256

      54ca5c456ca4541c7a54027ae67295d9bdec93f29d76b9e8ab36e1fd52b1b876

    • SHA512

      dbed33a08c20707d07b024fec719db94a797828ae3644fb2d81ab7ddfc504e04ed863b29e1fabcbbea4403af4b1ce70c104e4ab4efe226d2a188f9bc3f23b5ab

    • SSDEEP

      6144:Kgy+bnr+mp0yN90QE5OQxmN7o/L8EAr2zsmgutzuXdMyFIVZ/dxGL:sMrOy90DbxGT2zsNcCXdMyFIVfw

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6ade7d6ec7a6381185b43d64ae2429ee9c4ee1ccf584c5bfe5887d96d03e3680

    • Size

      924KB

    • MD5

      f2a435288af42881303cdb4793ee7400

    • SHA1

      9f5bd3e4f31299347372107b08b89938437393df

    • SHA256

      6ade7d6ec7a6381185b43d64ae2429ee9c4ee1ccf584c5bfe5887d96d03e3680

    • SHA512

      18a69e04bd6ae02bf78bb2673dbe3b7710c889afa62189238db4837f1230d5debc6b97f02a8a8d677f5df5cc19b6fc735ef1502a35c05a060d767a9fcd550e5d

    • SSDEEP

      24576:oyWuYzzI8C7pWy5JAFCCMr58qneW2i4IFoYYOiG:vmzIls0OMr58qneni4EoYYj

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b

    • Size

      983KB

    • MD5

      f96ab377e21347c5e38d5af7a8917d70

    • SHA1

      71ffd7a11f3ea4ca942f5e37c4ee26a579768db5

    • SHA256

      7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b

    • SHA512

      faf6d7f33e5d90290319169b374e77504649ecb6ca8377e5424d006967a3c552e3860da4b3fe926f341e86ec7e4dac36dc3f9eb0d0745eab84acfc6ac23299f3

    • SSDEEP

      12288:h2pQArdk+4w8eaVYVpoeQEbc0L2NcsWrQ8Av7VT5cO1utoW3Z11609QZ:h2p9dk+4wv2YVpoeQbVvRtC3Z4

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      809359f8fb559a3e0706be1ec11da34660665a2a47a87b69f26c35bc7ece21a0

    • Size

      332KB

    • MD5

      dfdd7e6f5deadeae335e639e7bc7247c

    • SHA1

      219556800d2be759004fc5a5776d5fa770f8c852

    • SHA256

      809359f8fb559a3e0706be1ec11da34660665a2a47a87b69f26c35bc7ece21a0

    • SHA512

      8d84856c7e7dc90ce96be856704b739980b159d3fa9fbd9fe328405aea712a4d4857407602d0a7f4c4d9d37ba610187dc9e1b8b2f8b989e2f80613a30ecbe406

    • SSDEEP

      6144:63zwDH1EpC80M4ydBrEBniBBu0RSyghQbunDJAEaOp1z4+ox8fX5DM+0Xp:6jZpqM4ydBm/ygqSnNAEaOp1C8fJDh05

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      80a61aa8cf25695a9f716e44c730ff90e095337b215aae6d732cf04f807bf34c

    • Size

      43.5MB

    • MD5

      dd3a6450fa298cdb5971a66bf60f9e4d

    • SHA1

      533a8b5ba8380e7d849382dd6b6e35385aff9d80

    • SHA256

      80a61aa8cf25695a9f716e44c730ff90e095337b215aae6d732cf04f807bf34c

    • SHA512

      2dac5dc47d70cb4044b985b02c39bcfc726d4befe349d5b5a62e54d01c222be9463adb9dd868ca81023a899a4e6926cb08b24ccf41ec9568c516c68949cfafc0

    • SSDEEP

      786432:CVTtG42LQOiWTx/iNFcFXBHx+rEpTyfgcRMQS7bYC/vswAdlk1MUO8:CPGFM0RwcFXBHx+wgGV4ydAdxUh

    Score
    1/10
    • Target

      855fd4cf224283ecfadcbbde8f8bda52096a389946f6890fa83b09e26cea10dc

    • Size

      1.0MB

    • MD5

      f4c9a2e04bf7425f92b4dfa743985d4b

    • SHA1

      ecc8cafe83d4ce841894c78a6add9841174738ef

    • SHA256

      855fd4cf224283ecfadcbbde8f8bda52096a389946f6890fa83b09e26cea10dc

    • SHA512

      cc22e3244b1e9a5373777dd645b864761963fc34ebaa09338a6cf16f0240de7b6d073203ebc70a45cfb0f41b23bfe6f60adc2322f1bc71f3bf92b9ac40872d68

    • SSDEEP

      12288:pMrXy90AnEbF79w5lfUQYeJ+CMGNfrZlcROl1Eh3CkczpbZ7wyYirGZUq0dTlpLx:iyUZ5wTf/IGhPc8lUspb+g2U/Tlpv5

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199

    • Size

      514KB

    • MD5

      f7e21fe46471f2c2ed069aef315b7804

    • SHA1

      dd6a5df8e71397f470e69c76f39d1c0cc9005028

    • SHA256

      a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199

    • SHA512

      0a7019ce31cadd53d2bc8034ae4d07e94efd48240077da373c914b86e16a9395e55d53721c5ebd383fa2bae16ae0ab95f8091f1f779f031d7dacf208e2b41fd6

    • SSDEEP

      12288:fMrLy90LKDglCRXwYt1wZvidrr2fIfvZVHex:MybklLYvOvqWIZI

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f

    • Size

      925KB

    • MD5

      dd93ee60c259b6d6649066385f4244ee

    • SHA1

      d07a767c2cc5a3f4e22536f80cd5403d48e79f31

    • SHA256

      b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f

    • SHA512

      77da63cbd5f5c49e42b7c8d31388ce5a5f310ab7435e9200ad94f74339d371dd8e4100c1de2700f908c44f849e293b4ae80d8354c03e9c20ab5057df4d2d126f

    • SSDEEP

      24576:jyvRZtvqBOv+fxZ0j5MqJu/2vUx4SoSoG:2vXtCVxZ06qg/lX

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7

    • Size

      990KB

    • MD5

      f3f7b120102c92d22113a925a8b7484e

    • SHA1

      84c72e9a03850118992ae8e1b0ed7b90c408cb8d

    • SHA256

      b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7

    • SHA512

      e0a69d4dd4fbfac414484d004be58b0a91e82996239da83db9c4bceb6db7c400dd7e8d4dfa9fa994bc55894ac63cf7851eb19780b862da30b6a21d8ba5def1eb

    • SSDEEP

      12288:esaAPELxH8A/5+ldbqRZ7MCRMbG2uE64aVF7o7zF8nJduIZkUAEpu4Eb:8A8LWA/5+lURZ7MCRwGGakPnUAEpu4

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      bac70768466a80a4253c63add9d0601c8d645565be4c9ab0536b250c8e01a0e9

    • Size

      480KB

    • MD5

      f10f3830f74f4c146ecfe490b2f5bb60

    • SHA1

      95f1c364dd9957c7353e958870cbd0b56dd72131

    • SHA256

      bac70768466a80a4253c63add9d0601c8d645565be4c9ab0536b250c8e01a0e9

    • SHA512

      8e3ba81dcfc0c36100ded32308e3e787d2c64e6c644b2a376b9d684d5d54dbcad46522dca178dcd3c3fdc8e2a18d018b9c27f631fac67d80b6ce9bde77277376

    • SSDEEP

      6144:KYy+bnr+Bp0yN90QEMQSOmAfsDSwqGTD4TGYSQUb1BZk8OYHwi0GVSMmaLxcwJuj:kMrJy906OmMSwGF1BZk8hmaLxcwIj

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus-disabling dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f358ce518b566bea6bdd08924ef70ab740c7135042e1d38e8776afca44f4c2e2

    • Size

      6.1MB

    • MD5

      dff304091a81ae5204d3c2d959b8b919

    • SHA1

      46a965af549abd1cd9a5f5dc10ac3775e6e1f7d4

    • SHA256

      f358ce518b566bea6bdd08924ef70ab740c7135042e1d38e8776afca44f4c2e2

    • SHA512

      0a1b7e83c5db4f3ab567c79f3654698543d2055b1ab296632fd30711f44315024b15b9c19b22162a6c6072118eac7e8506660ee4141bafbd5cc6f980082aaa25

    • SSDEEP

      98304:Ve166GzhKA37Mpd/LYMbK7JOa9WJDOAR598zW5E7Zpshx+gsV5GQrTIrmp0dFyo:Ve1szhv3SOM0J19Em9UYgsfPvIrmHD

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
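
Most of the per-target signatures above are registry-driven. As an added example (not the sandbox's rule set and not from the report), the Python below restates the registry-facing ones as rules over a constructed sandbox-style registry trace and aggregates the hits per ATT&CK technique. The key paths and value names are the standard Windows locations for each behaviour; the trace itself, the process IDs and the placement of Amadey's install_dir/install_file under %TEMP% are constructed for the demonstration and are not taken from the report. The "Windows security modification" rule matches only the parent Windows Defender policy key while the Real-time Protection rule matches only its subkey, so a DisableAntiSpyware write fires the former but not the latter.

```python
"""Added example, not part of the sandbox report: the registry-facing
signatures from the report expressed as rules over a constructed
sandbox-style registry trace, with per-technique hit counts."""
import re
from collections import Counter

# (signature name as printed in the report, operation, key regex, value regex, ATT&CK id)
RULES = [
    ("Modifies Windows Defender Real-time Protection settings", "set",
     r"\\Windows Defender\\Real-Time Protection$",
     r"^Disable(RealtimeMonitoring|BehaviorMonitoring|OnAccessProtection|IOAVProtection|ScanOnRealtimeEnable)$",
     "T1562.001"),
    ("Windows security modification", "set",
     r"\\Windows Defender$", r"^DisableAntiSpyware$", "T1562.001"),
    ("Adds Run key to start application", "set",
     r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", r".+", "T1547.001"),
    ("Checks computer location settings", "query",
     r"\\Control Panel\\International\\Geo$", r"^Nation$", "T1012"),
    ("Checks installed software on the system", "query",
     r"\\CurrentVersion\\Uninstall\\", r"^Display(Name|Version)$", "T1012"),
    ("Checks whether UAC is enabled", "query",
     r"\\Policies\\System$", r"^EnableLUA$", "T1012"),
    ("Checks BIOS information in registry", "query",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS$", r".*", "T1497"),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "query",
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", r".*", "T1497"),
]

# Constructed trace, not from the report: (pid, op, key, value name, data).
# The Run-key entry mirrors Amadey's install_dir/install_file from the config.
TRACE = [
    (4120, "set", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1),
    (4120, "set", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring", 1),
    (4120, "set", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 1),
    (5008, "query", r"HKCU\Control Panel\International\Geo", "Nation", "244"),
    (5008, "set", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "pdates.exe",
     r"C:\Users\u\AppData\Local\Temp\925e7e99c5\pdates.exe"),
    (5008, "query", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip", "DisplayName", "7-Zip"),
    (6211, "query", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer", "innotek GmbH"),
    (6211, "query", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", "", ""),
    (6211, "query", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer", "ShellState", "..."),
]


def match_trace(trace, rules=RULES):
    """Return one (pid, signature, technique) per event/rule pair that fires."""
    hits = []
    for pid, op, key, value, _data in trace:
        for name, rule_op, key_re, val_re, tid in rules:
            if op == rule_op and re.search(key_re, key, re.I) and re.search(val_re, value, re.I):
                hits.append((pid, name, tid))
    return hits


def attack_summary(hits):
    """Technique id -> number of signature hits, the same shape as the
    per-technique counts in the report's ATT&CK matrix."""
    return Counter(tid for _, _, tid in hits)


def signatures_by_process(hits):
    """pid -> set of signature names, for a per-process verdict."""
    out = {}
    for pid, name, _ in hits:
        out.setdefault(pid, set()).add(name)
    return out
```

Registry reads do not appear in Sysmon (Event ID 13 covers value writes only), so the "query" rules are meaningful on an API-level trace such as a sandbox produces; on an endpoint, the "set" rules for the Defender policy keys and the Run key are the ones that translate directly into telemetry.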

MITRE ATT&CK Matrix ATT&CK v13

Tactic                Technique                             ID          Count
Execution             Scheduled Task/Job                    T1053       7
Persistence           Create or Modify System Process       T1543       11
Persistence           Windows Service                       T1543.003   11
Persistence           Boot or Logon Autostart Execution     T1547       12
Persistence           Registry Run Keys / Startup Folder    T1547.001   12
Persistence           Scheduled Task/Job                    T1053       7
Privilege Escalation  Create or Modify System Process       T1543       11
Privilege Escalation  Windows Service                       T1543.003   11
Privilege Escalation  Boot or Logon Autostart Execution     T1547       12
Privilege Escalation  Registry Run Keys / Startup Folder    T1547.001   12
Privilege Escalation  Scheduled Task/Job                    T1053       7
Defense Evasion       Modify Registry                       T1112       34
Defense Evasion       Impair Defenses                       T1562       22
Defense Evasion       Disable or Modify Tools               T1562.001   22
Defense Evasion       Virtualization/Sandbox Evasion        T1497       1
Credential Access     Unsecured Credentials                 T1552       8
Credential Access     Credentials In Files                  T1552.001   8
Discovery             Query Registry                        T1012       15
Discovery             System Information Discovery          T1082       17
Discovery             Peripheral Device Discovery           T1120       1
Discovery             Virtualization/Sandbox Evasion        T1497       1
Collection            Data from Local System                T1005       8
Command and Control   Web Service                           T1102       5

Tasks

Task          Score   Tags
static1       3/10
behavioral1   10/10   amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
behavioral2   10/10   amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
behavioral3   10/10   amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
behavioral4   3/10
behavioral5   10/10   redline, 5637482599, discovery, infostealer, spyware, stealer
behavioral6   3/10
behavioral7   10/10   redline, 5637482599, discovery, infostealer, spyware, stealer
behavioral8   3/10
behavioral9   10/10   lumma, stealer
behavioral10  10/10   healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
behavioral11  10/10   evasion, persistence, trojan
behavioral12  1/10
behavioral13  1/10
behavioral14  10/10   amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
behavioral15  10/10   healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
behavioral16  3/10
behavioral17  10/10   redline, 5637482599, discovery, infostealer, spyware, stealer
behavioral18  3/10
behavioral19  10/10   redline, 5637482599, discovery, infostealer, spyware, stealer
behavioral20  1/10
behavioral21  10/10   healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
behavioral22  10/10   amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
behavioral23  10/10   healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
behavioral24  3/10
behavioral25  10/10   redline, 7001210066, discovery, infostealer
behavioral26  10/10   healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
behavioral27  9/10    paypal, evasion, persistence, phishing, themida, trojan