General

  • Target

    red.zip

  • Size

    9.0MB

  • Sample

    240510-skqn5aca6z

  • MD5

    fc20541143bbcc733549002a41e4963e

  • SHA1

    4d4d44fe3e57853f2d301bb5b506f90953c6a37b

  • SHA256

    19ef966a051fb80a7e9a4c226171784888184c9e12f75a8cc5d88da9ecab375f

  • SHA512

    37647960aade7c293db5b9ba3b174881cfd79779433fa78ea804c726b0adec4d3f49557f35836ff0344dea04f13d798cd22f44f2925a47aa0213424847cbd9c2

  • SSDEEP

    196608:EAF1AyxOqbDPBCFHWCVWIGJR9khf3Rn9M/iYTknx:EAjA6bD2WCkzMMp0x

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

http://77.91.68.61

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

https://boredimperissvieos.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

naher

C2

77.91.68.48:19071

Attributes
  • auth_value

    62708e72becb72a24cf8843b46acc6a1

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Targets

    • Target

      06ca8c24aac1dfc98dcff3632bd9a2a735d5a57c7e634d8c9100f6446b5423f2

    • Size

      390KB

    • MD5

      cdb9f33e3db3faea925260edf3aeb4c9

    • SHA1

      f5c2a6b9bf59a9901d79f6b3c123140433def0ba

    • SHA256

      06ca8c24aac1dfc98dcff3632bd9a2a735d5a57c7e634d8c9100f6446b5423f2

    • SHA512

      1579fa476abc80b2180471e95ccebb0adb6c2beb7e970867d699b7fd03dcf977e5695826ba20c7b3855ddd4d0f04530c3df1a8e8eca458643261a13bf14a4042

    • SSDEEP

      6144:Kny+bnr+5p0yN90QEfWKctyhWbGhdlACOpb6xtV6LcfkvlsVAAxuL:hMr9y90AfMlwpWwLcfb9x8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1

    • Size

      864KB

    • MD5

      c86ea9744ea3cca905b7657585568de6

    • SHA1

      ba018b2d08a84d2e411b27e314cb8a23a06865f8

    • SHA256

      0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1

    • SHA512

      720bb844157dddb335fd3660b32ee9bec30ae3853fe5b26d3194ea517481a9f6b265b977e5d8bbbc92316f7ed9d173380192d93ab3b4fe2521d26462798c05b8

    • SSDEEP

      12288:9MrBy90lDtGyHT69dmXPVxG0IYjxSkZiUnt6YdipFOj47Ec0yWLcp6pSa8YmZ41:kyQtGyHh9xV5QFpQj4T0HLc5NtO

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      131675744e12e01eb73fd34a82dd03d2d5ab80bd88b854836a13d0065e536c29

    • Size

      1.1MB

    • MD5

      cdbe20f934581f5c98cf64bba69e40c7

    • SHA1

      4952ea7971e0cf5e9e9db73003b789af8df9c9b2

    • SHA256

      131675744e12e01eb73fd34a82dd03d2d5ab80bd88b854836a13d0065e536c29

    • SHA512

      5da129aace6efdeacffb11f38ad3aaffa9737dd6617c0968f1db6b95e149e380fad2418dad7584c033d4827519609841e1837009a1b00a31136895631b861360

    • SSDEEP

      12288:TMrzy90lhQNUVdkipE9ZCoTsNl/lewqlgMVyaOZW/ybxUfAoAp3LlrGvP8cemBD4:MyA1CKoTsPleJdmOwxaWZtSBCYg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      204413b9cda0920c938a88543e17b0124930d45599fcfef01c7c4af30f9266ef

    • Size

      481KB

    • MD5

      cd9e74d31ad900df3044037332aad9bc

    • SHA1

      fa3492a1e9d6c352f7b72f39031b23ac640a74bd

    • SHA256

      204413b9cda0920c938a88543e17b0124930d45599fcfef01c7c4af30f9266ef

    • SHA512

      b1597ad7151a0c2fda644a72f869d81e0a834ec3c817c165e50ab137ecc0166db3e7ca6b5fe96b9bba88ca1f37b9335a973c77d0011d30d3c40a53d4495567c5

    • SSDEEP

      12288:xMrPy90rWE0e5pFBKxVQhKzJQVTw8v+4yxWG:6y0Wv8QakzSTfvan

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      236732ce453b741f26e2fb94d54ade44d3d1ae332c52f6d420a1dcc1c8d05dd5

    • Size

      694KB

    • MD5

      c8032b42738527a70de1dadc4a7bff5b

    • SHA1

      f5f778df15d4e14503bea0f654cf9427ba050a38

    • SHA256

      236732ce453b741f26e2fb94d54ade44d3d1ae332c52f6d420a1dcc1c8d05dd5

    • SHA512

      babddfaac51c11952a79047852b01c499075acfe24e91dac46a5c590a31be1e4e71df5b1daf27254d9d608fa7345839790f8a550e04392de7f625c5d6b22a97d

    • SSDEEP

      12288:OO0Jg3ZJ7hWFArUqHsjumNFcF9gopM3bcgsqV5P3JkTC:OJJU7hWFuHyumzcCLUqV5v0

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Target

      23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94

    • Size

      307KB

    • MD5

      ca2ad17b64a10b961c2b14a7e47a8030

    • SHA1

      a339ebb686b832fc87af3c287f67d8ef52e140e8

    • SHA256

      23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94

    • SHA512

      ad5e5a03336562d58b02f2556eb833fe3c39d2a7c47584379059cc5a584be1efc981cde4c84a350a4bb244502a73fb7bf0bee7b03b4ef002bb6ecc17d3caff04

    • SSDEEP

      6144:Kqy+bnr+2p0yN90QEw5F5OYc1u31g4TByUo0b4jut7dJdVRbpDXtOBC:uMrCy90qxc1u31TTEt0cKt/tOA

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb

    • Size

      514KB

    • MD5

      eeed819879e60a78356884c79cc1176d

    • SHA1

      73182a6228fb1978bb85b750939e58083733dae4

    • SHA256

      3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb

    • SHA512

      ec81ffafd04adfeb3849df9b2fc7f501b652124b0d3d40c2adef0f53a95fa17385a955ddc5f6598893572ae8e3a067cc80f7ae5a2600f5ce1514395b7e83a8bf

    • SSDEEP

      12288:gMrDy90VStL+T5sUZjdKCjNhbdg9f23ulFmoU61Z/d0Z/+mxQz:zyAcIHH5r4rmj4W+m0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      42aaf3452f3dbd3fec800b9307def7e1463e88016e6585d09719f8642ef8f491

    • Size

      389KB

    • MD5

      cdcecd3749891f697a0af96762cb9124

    • SHA1

      b31636aa34b1b3eeb7caefef82c37f2f093c6b64

    • SHA256

      42aaf3452f3dbd3fec800b9307def7e1463e88016e6585d09719f8642ef8f491

    • SHA512

      3e6576b30044df2139e96401cf30439229ca0dfc3f3df77d4fcad7aefb5f9ae2112df018e8fb655505d0ea79eee96ff2580aa148d60cd93fddc55255d37bd044

    • SSDEEP

      6144:KOy+bnr+3p0yN90QEHP8pAkeKHGqQ4ewNu043Hvyj6qxNnUvDrqmPB:eMrny90himqQXWMHG6qX+rx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      42d39578cc12683f8a0abd7ba86e5c4ac7851f250280f34750b593a37c4d87dd

    • Size

      307KB

    • MD5

      c3144993ffb5e02297c6ff3f4819def7

    • SHA1

      4c89bd13f54211cef5a2d4c7588f4aa133206b6e

    • SHA256

      42d39578cc12683f8a0abd7ba86e5c4ac7851f250280f34750b593a37c4d87dd

    • SHA512

      3d308a292866753ae68de637f1389d221df569416844a813729477adfa46b37739aebf6df3a9d1f0dcafe895efa6d273b855073bfa0e97869265b522c69557dc

    • SSDEEP

      6144:KUy+bnr+7p0yN90QEF5F5OYc1u31g4TBy+1y9Pb6I:sMr7y90Rxc1u31TTEpb6I

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4f4e29cb128488d30d32248cb2cc720bcd2a3a531f5757ba469b1e3291917c50

    • Size

      307KB

    • MD5

      ff629d5a8b6c5119b595f0dbf64ae3cc

    • SHA1

      1d19a95932445aa394199c9c28f128d8e6ecb203

    • SHA256

      4f4e29cb128488d30d32248cb2cc720bcd2a3a531f5757ba469b1e3291917c50

    • SHA512

      f04b5e039818ccf823aa9a8836c392d457ddc3ad2e24d62acdba1da7ac429fe4e0c0547992b00c7a66f00524f6dcea85f8716d5ec8157e4c26835a077e0c708d

    • SSDEEP

      6144:Kyy+bnr+Dp0yN90QEJ5F5OYc1u31g4TByTF8ttF2P+9UZbrBu:mMrjy90lxc1u31TTEytL9arBu

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      566c1670c8a5f43ec35b831518b15cf388fbddff2c3ba3ffc8167ac1bf0a1fb3

    • Size

      492KB

    • MD5

      c40f810518e4290ab7fc1e07e5c83ff9

    • SHA1

      9f8bc2e44eb00b71047c04864e007225eb9779c9

    • SHA256

      566c1670c8a5f43ec35b831518b15cf388fbddff2c3ba3ffc8167ac1bf0a1fb3

    • SHA512

      044be66f51e52b07e77105dcf1ab2b1c099636eaa557124e5e442b6c6383564d578c21f1a6a0a0a0caecb433a16a3f552b27aa5e714cccaf9bc01f2b741335fd

    • SSDEEP

      12288:d4w4rJNNGCt//w5qVN2iu79mnxhyC4GNq/SBoCe:/4rfN5Xw5qVN2H79mrymyR

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      5b49e20d688471002a1cc866e323e32a0e0a2f1e92fd2f057979cd27a850f44b

    • Size

      390KB

    • MD5

      c2d23a53e4099c1c7126c1e6e332fb12

    • SHA1

      22f111c42bff48f88be368920886195dc990b3fb

    • SHA256

      5b49e20d688471002a1cc866e323e32a0e0a2f1e92fd2f057979cd27a850f44b

    • SHA512

      7251bc4c9dca30f08baafa1e4b9572a20d026a351ba7b5482190f605b41087a25da0f259e0742adf796f556a42b5d09e1a05d0909ae947a830fdd30ffa280bc5

    • SSDEEP

      12288:5Mr/y90WOOEnMEY4/7kJByGYpEzPCGDk:myZpEYgO55zaGDk

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6a07da5bb14797863c49fc62e415bb280c201c446e8d5746c3ae106bf92ceed3

    • Size

      480KB

    • MD5

      d0af8af8d2bcdbd767a498fb7e6f8691

    • SHA1

      541130793b06d9e8862d9855c3ca8f4f0e57f2fd

    • SHA256

      6a07da5bb14797863c49fc62e415bb280c201c446e8d5746c3ae106bf92ceed3

    • SHA512

      674829bcdf6da9937c5c3da750ceb5545895d19fdc4c91944f26d98340b10daea3c6b75b694997b42927fbbe2e40bf351882a2cec791e051d6e82c5c1c5fb615

    • SSDEEP

      6144:Kwy+bnr+sp0yN90QEyOOcgDn3CM/XeWEDBmCfbAHreBzNMReKIRuOyIk9AvXTLSa:0Mrcy900n3CM/YmtUNPKqUBAvXH

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6fca9c5ffc57888f92c438ff3dd7d9247b7f7e696e9a6b1b63c3aa2a801b0625

    • Size

      515KB

    • MD5

      c138f8ea750795895b64bd99b1fcd8da

    • SHA1

      b815664dadb4d1ff91862b2af099b84b230e1aeb

    • SHA256

      6fca9c5ffc57888f92c438ff3dd7d9247b7f7e696e9a6b1b63c3aa2a801b0625

    • SHA512

      d6056b12443f399230bc7a469f11ae18fbe83915ac64966d4650ebeade16f6ae5033a7dc66415bbdc4e5f740a7568b1ee18dafb4ded14bee85b3c40e3350a6ee

    • SSDEEP

      12288:kMr2y90vRliN0WXndhbap8sQM9oVgswQWT3l:Kygi0andh08sQM9oVbol

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9a7761a218bd7bd89d897848e3eafea1a05f151c3ab44668124ffa35c4d3a743

    • Size

      527KB

    • MD5

      cda96eb769b520de195cae37c842c8f3

    • SHA1

      a1c8d0bbee8c109fabf1cf26ac3e9af0fc110341

    • SHA256

      9a7761a218bd7bd89d897848e3eafea1a05f151c3ab44668124ffa35c4d3a743

    • SHA512

      11fe27e375077ad59f0adee3de6ccc32783244d68911b82d76e5a49001dcd3f1e0311abcb1f7e6f51a11dc057cd17b32ae4af36cd25d227ce8f0710ca5cc2e44

    • SSDEEP

      12288:6piut3k/AJLoyg8UwaEHQ9Ec131pHBF3tZ60juFF0Xp:6pi1/A8zEw9Ek31dD3P60V

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      9c63b1ba6018935ad5e5fbb92f79d2bbd6eeb9ee0520ed5cbe7b9e1213eb33a6

    • Size

      1.5MB

    • MD5

      c30d6278694817d3cc99f6ff5265da74

    • SHA1

      350567243f65ea38c3bcbc24fc93272e4e46217b

    • SHA256

      9c63b1ba6018935ad5e5fbb92f79d2bbd6eeb9ee0520ed5cbe7b9e1213eb33a6

    • SHA512

      3963175ae52c90b743dbcc1b38220ab2abcc10916558053c1a6f13ac52ca426aec2394ddf5220f482c48ad9e08955704b4764289c26f50a45ee648297b5b4a89

    • SSDEEP

      24576:cy51XtT3ttYzCJsw66AMLRzIdYiQceweiSKE70EpUSn6qY0I+mUNNqU:LHXdttB0uJKjQTkE73pBDY0I+JNg

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c4172a7d8d27c8367cd7a3b7b3d410e4678ddfd8748e6bf631c21e8f639c7efa

    • Size

      297KB

    • MD5

      c2f5800951ca0e25d1c9c4a304584dc5

    • SHA1

      ce90444d162d1a9309374f052bac3bd8b12e3884

    • SHA256

      c4172a7d8d27c8367cd7a3b7b3d410e4678ddfd8748e6bf631c21e8f639c7efa

    • SHA512

      6280df39b12c1069e4c54173674ffb00494eda397ff212a5ee21679d5fb3f696b1dec2ccb6ddbc6519b6728df361786934c15646517dc2806993260f25837d2a

    • SSDEEP

      6144:sk87zE8yF+JnF/1VVsNx0X4j2UwnGp6m7Bzg5+671wW4WvCoCe:187zE5iwNo4cGBK+cwWMoCe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      c69d581e2c9751820b591c60023bbffd16aa66ad26d0c76b20574cdac2cc7be2

    • Size

      320KB

    • MD5

      c7c86ccb7a8447c0fc280c1677d5bdfc

    • SHA1

      47c05e0511f3d29afe982bf266cb420cc85cb0fb

    • SHA256

      c69d581e2c9751820b591c60023bbffd16aa66ad26d0c76b20574cdac2cc7be2

    • SHA512

      5015e11b3d4857a07cfd27d5f176721b0eeede05e675ff6ffb2546126853164f580bedcc847d9ceaf9a9916478a8c41355015c2c2764124b7e47dd2521ab13e3

    • SSDEEP

      6144:K0y+bnr+Up0yN90QEqrKEP3ve7yRfsK6KRFjEXtaBv762LA0iRddbIq5xA:wMrQy90cKU/e7RK6KRdEXYp7tbiv1x5W

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693

    • Size

      332KB

    • MD5

      ce35bf4ea4182f8e3524a14e10e90972

    • SHA1

      c9a5c28fdbff5ad0a285291142abe592fe9e8688

    • SHA256

      d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693

    • SHA512

      fd454377a77f900510b2855e6e9954cc7648277404cdd85b8e85b1f2d8e0667e9aea261c660b8d88551d1cdd816bc77d8719edac10b63067aa75f1fc7ee38341

    • SSDEEP

      6144:U1Bwp/lwz9PI8/T6f5mUz7S3RMyghFbHDju9DPUgAOGsf+0Xp:UPjz9PI8/Tzeygzbjju9YgAd0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439

    • Size

      315KB

    • MD5

      cdff25efc7f7e69dc426b36f31b873ed

    • SHA1

      339a84e0af5d6442c2b11eea5f802635cbc0c776

    • SHA256

      d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439

    • SHA512

      f1ca99cbe6e504d5e695ccb31dafc3b8b4e01faaed77d3058163011add4a47159ba4629e98b422145cefbea0dc07216e5c36837545911f800378f636bf700fa3

    • SSDEEP

      6144:aH9pI60nbM8uPZy3+8KIDwZuNVXSZmn3qPOYTn/MHBXHS:e9+60nbnujZaMY6pjGHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                              ID          Count
Execution             Scheduled Task/Job                     T1053       7
Persistence           Create or Modify System Process        T1543       13
                        Windows Service                      T1543.003   13
                      Boot or Logon Autostart Execution      T1547       14
                        Registry Run Keys / Startup Folder   T1547.001   14
                      Scheduled Task/Job                     T1053       7
Privilege Escalation  Create or Modify System Process        T1543       13
                        Windows Service                      T1543.003   13
                      Boot or Logon Autostart Execution      T1547       14
                        Registry Run Keys / Startup Folder   T1547.001   14
                      Scheduled Task/Job                     T1053       7
Defense Evasion       Modify Registry                        T1112       40
                      Impair Defenses                        T1562       26
                        Disable or Modify Tools              T1562.001   26
Discovery             Query Registry                         T1012       12
                      System Information Discovery           T1082       16
                      Peripheral Device Discovery            T1120       2
Command and Control   Web Service                            T1102       3

Tasks

static1

Score
3/10

behavioral1

Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

Tags: healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral3

Tags: amadey, healer, redline, naher, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral4

Tags: healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral5

Score
3/10

behavioral6

Tags: lumma, stealer
Score
10/10

behavioral7

Tags: healer, redline, dumud, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral8

Tags: amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral9

Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral10

Tags: healer, redline, dumud, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral11

Tags: healer, redline, dumud, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral12

Score
3/10

behavioral13

Tags: lumma, stealer
Score
10/10

behavioral14

Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral15

Tags: healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral16

Tags: amadey, healer, redline, smokeloader, news, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral17

Score
3/10

behavioral18

Tags: lumma, stealer
Score
10/10

behavioral19

Tags: healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral20

Score
3/10

behavioral21

Tags: redline, 7001210066, discovery, infostealer
Score
10/10

behavioral22

Tags: amadey, mystic, persistence, stealer, trojan
Score
10/10

behavioral23

Score
3/10

behavioral24

Tags: redline, 7001210066, discovery, infostealer
Score
10/10

behavioral25

Score
3/10

behavioral26

Tags: redline, 7001210066, discovery, infostealer
Score
10/10