General

  • Target

    red.zip

  • Size

    11.6MB

  • Sample

    240510-svrzyafg56

  • MD5

    6a94dc2b56d46cef13edab2aa435c7a7

  • SHA1

    ec31265a6ed47d40b2918e30890a4bc039381d86

  • SHA256

    2685b451d5bc5d1cd7c159a87efdfacd5a60c314491404e6e60e752ba3db90cf

  • SHA512

    4a9666c92fcf984974c65892f3ff5af316a2a14e72d90c66bd9ca916768a6f54ccd8f6e7901a2f791bb1ad2b7b398af2d5bbf259bfa886c6f74033029d4bb75c

  • SSDEEP

    196608:gbaEnldWo6DhxDepFuqrJWMBXRe+HRYN50dHvczL1ZZ7QXdnH31:6hn2ngoMBheaYGdHUflQpX1

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

C2

45.15.156.142:33597

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Targets

    • Target

      0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca

    • Size

      3.2MB

    • MD5

      ebae2001c178349478be67bcab2f95e3

    • SHA1

      53f98b5a0e55f4fea161e69ef617e6225270914b

    • SHA256

      0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca

    • SHA512

      c8f48338abb5e7c95dc316cc25352286344fa297cfc507328379f23fc819c47490bbb529ba5854a6ccd99c8345c773d8800dfed48ce914754464d2ad13adc378

    • SSDEEP

      98304:PeI0efBuRWQ88ctBoLsh/Q7G9ao7cwdizRS:PeIdBuT8bthSG0oc

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837

    • Size

      235KB

    • MD5

      ee5e79d00a13fde9e96a1f9953f35fea

    • SHA1

      788be8b6304f138f5c7bdf00fe98562de6f2790d

    • SHA256

      10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837

    • SHA512

      26b1209bb16d6e5ed3dabe6fc18e6ec425197ecfd26f2038d9d796cff93d25597c774ca01fec5d975457ef7e544b9d7f7d09372e391c1823b4a7e3bcf94d0c49

    • SSDEEP

      6144:KCy+bnr+0p0yN90QEdHyEL9MR1SKgfYLNYs1Ul8C2N:6Mrcy90zgoYLWs6l8V

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab

    • Size

      515KB

    • MD5

      d9913d9f643c9aaedccb2c7e055ed031

    • SHA1

      f9812f588b1a16b6d292bd553695404858dae7b6

    • SHA256

      1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab

    • SHA512

      51ce523840bec8f71baaab82b7841abbb825276280142cb67a84276558bb640a5fee511c865862868cd1f15ecddaeaf6e4c0feacf826751d37229577384dae00

    • SSDEEP

      12288:KMrxy907uK8EElOOinxnMP+vIPGBEARwMrXu72wuL:TyquPo/nZ4LPGBEAdrXu7bo

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334

    • Size

      479KB

    • MD5

      c08646927da5c5d8a10d00dc194d535c

    • SHA1

      b5ebe052683cece0e76c3bc4b6ed3ea69135fd6d

    • SHA256

      22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334

    • SHA512

      4adfcf01a79d1c51f2d59ee76e8f123b7b978aca5e9d6b25806a06c69c1fd35c929c95b9031f060b9bda894bb251d8d028a7d0f7cce56e2f9a8a1d126091e5db

    • SSDEEP

      12288:6MrCy904vqxlqBUm/MdW5c1u31PTaEtfhacB+GDm:syL8qpMAXhTDaoDm

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94

    • Size

      389KB

    • MD5

      be20e8d108cf9e94319678c0f61393d4

    • SHA1

      9ca7da9916d071095a2985ecb2408f24f9978453

    • SHA256

      277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94

    • SHA512

      4a60a1bb61a320deabeeebb508685a024c2b6c1d065221bc5a2682a90193300899d49e355675b84293875486cd08e94d582c95df886ca3330bef74cb0921afca

    • SSDEEP

      6144:KPy+bnr+Lp0yN90QE9dx9l253NzJGHDRezddZ5ULvrGEf51/HmbTME:FMr7y90P25uFEnwrGEr/YT5

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729

    • Size

      390KB

    • MD5

      e5623dbb07c715bf40d82dd36df6cd45

    • SHA1

      1e636843ca903406cf011d2359e300737cbc9176

    • SHA256

      3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729

    • SHA512

      3cb7f3805046123b7b6297783478c41f7a02a154fe49957e4a866b0ea29b1dd697ef0a1cdf4240603d4b4e08a26d4d1220d89e86cdcfecae350c1fe9512317c1

    • SSDEEP

      6144:K6y+bnr+2p0yN90QELJRVtUdXkWcnZNTQR52pX5B9I9/VULECcHnlRHnnXUQtLQ9:6Mryy90VnbyWpDy9/ihcHnl9XXtLQ9

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3bdb06aad8f213ba8c98a80c76648a19cb074038ed82c6e1c890c4181bbd59f3

    • Size

      725KB

    • MD5

      be424b59326042345df5cd6256365a3e

    • SHA1

      3bd378a515541c0cbf6160e7b86a503fae60bbc6

    • SHA256

      3bdb06aad8f213ba8c98a80c76648a19cb074038ed82c6e1c890c4181bbd59f3

    • SHA512

      cffd36825844a4cbd10606940ade0458da9cc96cc38b0704b3e7e5d4d95a17976c96ae7c220d790b4aeaa3e02c23ce8213579bbd51ac8025567acaaf2f6f3806

    • SSDEEP

      12288:fOIxycqgrCPu3vKifWEZoVDoTK/Tw6ilT0Kb4qoqjeGlA:fpAgrCaSifFhKrw6iDoq

    • Score

      10/10

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Target

      3d03f2fde9b9bf8b3069d0b3bdf2625973d4f23daa92673be4185d9c0d5f2500

    • Size

      389KB

    • MD5

      bf563439432ac3c78acc59067f958e56

    • SHA1

      23ccf3dce712ac5e26a59aba66593b785b8f7463

    • SHA256

      3d03f2fde9b9bf8b3069d0b3bdf2625973d4f23daa92673be4185d9c0d5f2500

    • SHA512

      93983179bc5dd6bc8fb1cc75bf93553b427d2b84e4bbb3f2407e8c0b554280a259f89667007e12157a32ce99f379cfbfe67ad61015b6ef8e0298d686ff521505

    • SSDEEP

      6144:KTy+bnr++p0yN90QEzo3Vcq21/X3pKBlMUepPXqKmCrjywubTdubmRVmjnVu6F34:dMr2y90sOq21/oalLvy3u42wWg97

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71

    • Size

      359KB

    • MD5

      eb475f3a8c4a25a19fa0abdc1e907952

    • SHA1

      8988b40a69f6cb754a42bc5c7871ed839629b504

    • SHA256

      40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71

    • SHA512

      3199b26a1ce8049c64556a2a9d0465c3ffa479594ca01d7ce052ba64fd128ab9da6302bf55baaaf59479e3a4c53f0569d93d7bb4d1566d1d65b4864b4a20af09

    • SSDEEP

      6144:Kiy+bnr+Yp0yN90QE0u4z6ibeyRRmxXl7FiiOhCn2v2wTcpnC:2MrMy90N4z6iExV3OhCn2xt

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02

    • Size

      302KB

    • MD5

      c0e3f771bcbb789d734e7d3e1b1f4e65

    • SHA1

      02e6e5e508188955181ac98bb1b9c414d2c1aa9e

    • SHA256

      53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02

    • SHA512

      c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118

    • SSDEEP

      6144:QWzRT5OXkMMnTDs7UNVS49kCNQSzrs5kLJhHVugiqtciLRcx:X1T5nD7NQSzrs5kLJhHVugiqtciLR

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      6286d393c93044fd5b8363ccad5324fadfde3e3d9b340ec908941eab3fe90652

    • Size

      315KB

    • MD5

      bf89c72f6388b3884699e8081c8314c4

    • SHA1

      587f7e952669cc84756181deff315132cba078d4

    • SHA256

      6286d393c93044fd5b8363ccad5324fadfde3e3d9b340ec908941eab3fe90652

    • SHA512

      fa90330bb2e3a16579de6ae76bda2371b7e18e246ebcaa7432d010f2743e944bbf5e494941bb2d3192cc4816fa97e64cefe31f61817cd6cf18b38e9cc81b02ce

    • SSDEEP

      6144:pR99pI60nbM8uPZy3+8KIDP3uSEykJUxDyvPH3ef5AvnKXHS:pr9+60nbnuY3PEykJ2M3ehAsHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421

    • Size

      480KB

    • MD5

      c02ec5e8fc2fe204743dec04b2cbccd6

    • SHA1

      d717abef0062b1d3e57d98ccb9f85ccdc7b327bb

    • SHA256

      66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421

    • SHA512

      0e38a7a0c888c838c86e6fe0deb81670013eb115ead38c897234a092667b9b7ba5422929ac7a49d7d65abcd9980df20775561e56c78cc77c56d25c5a6db3b265

    • SSDEEP

      12288:ZMrhy900QM7wc96iwcErPP03xzz97vGNbVSgUu:EyBuLiwcG4zzZvGFEgUu

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7c73d83c0a0062c5cead0597dac9f90beac93ae125536330571cadd52acefe75

    • Size

      480KB

    • MD5

      ebf83062f40b343b023a1b0f6642e146

    • SHA1

      ab96700bba473de2cf6aae2705628430b640a981

    • SHA256

      7c73d83c0a0062c5cead0597dac9f90beac93ae125536330571cadd52acefe75

    • SHA512

      7a60dddafa0f3690af046a64c608b2ca2d36fc6a79d3a381fef13bdb0bb059c92293db70af6a1f6fd4908c92de8ea4dc635eae68c064c49a518c8b1f81ce4549

    • SSDEEP

      12288:0MrAy90IlVP6Jn5Xb8ubn85+G/Ndq4RfED9PgIP42:Uy7lVCTXoubI+G/NdRJ+9IIP42

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817

    • Size

      389KB

    • MD5

      ecb22f79e71a59c4894d1e5d8c1e5fc9

    • SHA1

      2207da5846db951af84b3bcc1cc8fb55ab05cb95

    • SHA256

      bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817

    • SHA512

      975684b217b7ccc5f5819b75de371efab9a70b2be15afef048b793159718d66bf8f78325747e8ee5c6fcf059aee692d00b640a697d9521768f912f7a9b32fc58

    • SSDEEP

      12288:FMr9y901Cn+QmrzXRYcvB8gBYCsmbp4cy9:cy3+zjRYc5zXbpi9

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52

    • Size

      476KB

    • MD5

      e8caa8893f50e0966996c562c5eb98c6

    • SHA1

      c40d0c633b13045071520280d46f4e46bb13585b

    • SHA256

      c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52

    • SHA512

      a046db8a5d6517a1666128eec70ccf1d1a7e43d3a82b1a611a0682098c13be1f2f4a95eda33b5a5458c963cac460d684e7fad34404b23fbc4243b37b788e55df

    • SSDEEP

      12288:GMr+y90sHo/b58xomWqrWmDmuKRiEXYp7FMkCeHQYbuQCvZReT:kyXHk58xosWgmuKcEAFXHHQ2WG

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab

    • Size

      390KB

    • MD5

      ea4c8fd3c2d26a95dad5562a25fdfddd

    • SHA1

      9c667037c530458e8d1487d63264d48ee61468c7

    • SHA256

      c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab

    • SHA512

      bd344a8ed2c93baa2b1e5077d8e103f096c6a4e9d2bdd01578374f8e97eb28c5527dd9b0dec268b93995ce9133459d9db3aaa274cdd7fa48368b57795702909c

    • SSDEEP

      6144:KXy+bnr+Qp0yN90QEnqqTiS9Kz/8ZVyVgfrxGW5VY5p5xyCVQe5P5XxGnnmJ0bGe:BMrEy90HdfrxGW5zCVQI5XxGnBGy2e

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54

    • Size

      1.4MB

    • MD5

      ee2b40ddaa498948143e583523b15aef

    • SHA1

      b246f477308da6a2973d755c1cd023465049b234

    • SHA256

      c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54

    • SHA512

      bf9a360e1f67e00a77eba27c9939a720bda97f5d6c51fd65401f496eff7289b1862f76aa67c44bdf8df66efcaaef488d1f855ef0059453c0c2ebee7d1ae5af94

    • SSDEEP

      24576:Gyg7pPRAxomGgmAKDEfFDbHQkIrak7dzFh4gUnTpnoHruMyAl0lokb6lOjKVyX+v:VkpJAxwcKDEfRQkYa874gUnTp4WAl0lG

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      d1e8dbd66731cd0a95e444d0fda9ebdc32fdc49845c43907cd292619ac4e88dd

    • Size

      307KB

    • MD5

      be44ddb40e085d64a8405eb231963d84

    • SHA1

      089450ca5957daa8a8a3a346c6e497000c25e5cc

    • SHA256

      d1e8dbd66731cd0a95e444d0fda9ebdc32fdc49845c43907cd292619ac4e88dd

    • SHA512

      aedd56e83d7927b377ff827536ef601ef40b119ac3eef701b91d02d8ef2f11df222469a08064121118413e161ae5fef8060bc71df7c5675583ac5f8e3bad3c63

    • SSDEEP

      6144:KNy+bnr+op0yN90QEwwSAl5E1S3+/9+S/k0KB5Njk:HMrUy90JrwS2ZKbu

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      d4fbce6f6a714d781d28b578580461d8811477b0156700a58b25cdce361c4186

    • Size

      332KB

    • MD5

      bc7667c9a8b990da87c094cedd6eb6b3

    • SHA1

      e47843e711378f3cf738eba4341f44d410ca8e17

    • SHA256

      d4fbce6f6a714d781d28b578580461d8811477b0156700a58b25cdce361c4186

    • SHA512

      b7319862ce5b0f1b17506da2c19d90b5def5e0d9313f789755d4e492c83926b185793850ba7fc756ebdaf00fafa39eb51b27a4d62ab7472ebc546751eb16c1c6

    • SSDEEP

      6144:WlZwB/LgLB340nTaDpOU7riHRkyghfOQE6q53Ppu9VA/4X2WFU23+0Xp:WnhLB340nTP+ygFLE/xuU/iU0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      d7873c75af8bf0f44eedb5171fcab5b70d157578f4a43aff8aaadb23058cb1a3

    • Size

      390KB

    • MD5

      bcf3bf79ffad508d0c6614b13a236386

    • SHA1

      b6123c6da65ce8c9f1d79f74e9b6f2da2a3db14c

    • SHA256

      d7873c75af8bf0f44eedb5171fcab5b70d157578f4a43aff8aaadb23058cb1a3

    • SHA512

      98b8f97c949e8a65ccdcf316c2f5f2fc5fe22618ea2a80ce4395ff66297fd03f324ba3825feaf2997d6dbc596a3527ed495795165ccf5621d1a5cc60f4fb5446

    • SSDEEP

      6144:Kjy+bnr+fp0yN90QE7c7Yla5bG+YvzSs5TpZ+xGYXJfcCcHnlRHuhyGXBcW:JMr3y90BsYlGFAzSk07JVcHnl94XBl

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e

    • Size

      857KB

    • MD5

      e51f5ef0b3d5038c9e1b0b5516244e8c

    • SHA1

      d1d5a940665d849f900e8a369c29f0fac7c1374f

    • SHA256

      e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e

    • SHA512

      b5f4eccb3c51b84c315b966ea819b338b0cb8b6970b8c85749f123f9a6c06b0b76e64b29c303afc816b4c338860388d6f3c47e2a10f99828a7bd004de001c19b

    • SSDEEP

      12288:7MrFy90I/vsuqkr+jSMqxvObV/znJyyd34t6G6Gxzbj4kx2R2V/dBAo+HES2VN9T:myN/vXx+6GR/t37sJbj/fLAZ6Nlb9d

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      fa1fbbcbd6fb540be61aeb0eb89533d4e8d0fb64c2d0bcdd3f9263ff954a2acf

    • Size

      479KB

    • MD5

      d8ba35f7b821e33dd4e8dd1d4a1a1ff7

    • SHA1

      68ba16618303a524fe0ccb08c6c8f9ec76b95083

    • SHA256

      fa1fbbcbd6fb540be61aeb0eb89533d4e8d0fb64c2d0bcdd3f9263ff954a2acf

    • SHA512

      503c083575e31ff8d018b803d68ff369ff60600bbe2c3b68e8e33f753e8b4bd6c8fb81d497f03c2d3d429c42cceb27db706e964724703948d882f2d34c435062

    • SSDEEP

      12288:3Mrly909Cys0IXjepj9IOpG/yeS8Nksh+++WZxRe:SyCijnOEN3h++tvI

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

11
T1053

Persistence

Boot or Logon Autostart Execution

18
T1547

Registry Run Keys / Startup Folder

18
T1547.001

Scheduled Task/Job

11
T1053

Create or Modify System Process

12
T1543

Windows Service

12
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

18
T1547

Registry Run Keys / Startup Folder

18
T1547.001

Scheduled Task/Job

11
T1053

Create or Modify System Process

12
T1543

Windows Service

12
T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

43
T1112

Impair Defenses

24
T1562

Disable or Modify Tools

24
T1562.001

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Discovery

Query Registry

17
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

27
T1082

Peripheral Device Discovery

2
T1120

Command and Control

Web Service

2
T1102

Tasks

static1

Score
3/10

behavioral1

paypal evasion persistence phishing themida trojan
Score
9/10

behavioral2

amadey healer dropper evasion persistence trojan
Score
10/10

behavioral3

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral4

healer redline dumud dropper evasion infostealer persistence trojan
Score
10/10

behavioral5

healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral6

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral7

redline infostealer
Score
10/10

behavioral8

redline infostealer
Score
10/10

behavioral9

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral10

amadey healer smokeloader backdoor dropper evasion persistence trojan
Score
10/10

behavioral11

redline crazy infostealer
Score
10/10

behavioral12

redline crazy infostealer
Score
10/10

behavioral13

Score
3/10

behavioral14

redline 5345987420 discovery infostealer
Score
10/10

behavioral15

healer redline mihan dropper evasion infostealer persistence trojan
Score
10/10

behavioral16

redline dumud infostealer persistence
Score
10/10

behavioral17

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral18

amadey mystic redline gena infostealer persistence stealer trojan
Score
10/10

behavioral19

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral20

amadey mystic redline gena infostealer persistence stealer trojan
Score
10/10

behavioral21

redline dumud infostealer persistence
Score
10/10

behavioral22

Score
3/10

behavioral23

redline 7001210066 discovery infostealer
Score
10/10

behavioral24

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral25

redline kira infostealer persistence
Score
10/10

behavioral26

healer redline dumud dropper evasion infostealer persistence trojan
Score
10/10