General

  • Target

    54a724762de2b08068bc2bf0fc6c7404bb89bdf62f75cac32b4fb8687c10c747

  • Size

    7.2MB

  • Sample

    240513-j4xr4seh65

  • MD5

    5c11f61a444a73d448f0d97e102bbb19

  • SHA1

    c6371282cda2168be1eb9bfb1599cca28209d558

  • SHA256

    54a724762de2b08068bc2bf0fc6c7404bb89bdf62f75cac32b4fb8687c10c747

  • SHA512

    73edb556643b78bcdc203ab4f98dfbf620c6965b694170d9fd713c0761c409dc61bedd35352b8c5b74dcac7492ea4d97a60da19a91083a256e8e6631c17a67fb

  • SSDEEP

    196608:v94YhswUyeXgSy4T2wh3YNuhfTOq/yqZzE+wZvK/MgQuqwSc:FXuwely4TFYgrH/yqZzE9K/PL

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

lumma

C2

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

grom

C2

77.91.68.68:19071

Attributes
  • auth_value

    9ec3129bff410b89097d656d7abc33dc

Extracted

Family

redline

Botnet

divan

C2

217.196.96.102:4132

Attributes
  • auth_value

    b414986bebd7f5a3ec9aee0341b8e769

Targets

    • Target

      062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b

    • Size

      1.0MB

    • MD5

      22b5f7bbf08fd60f2ee850f51efede9e

    • SHA1

      9ad6d7fdfda1459be16d4e59547a0d933f7c9551

    • SHA256

      062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b

    • SHA512

      6fcb688dd391ed951fef4cd75c8935f65dde1f99658eb8b3438f40837050eb77cdd5425b0325c0b4df069a8dc83bc9ae53d464612f76ebb4914f222f22272744

    • SSDEEP

      24576:XypmCQ2FZ4/Ldo7RGJawprnjhmJcVGTEq:ivFsLdQRIrjYc7

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86

    • Size

      389KB

    • MD5

      1e6d0394a9335f03d83a7f498df12ec8

    • SHA1

      aa25774159336873d0799b11546d7cec88ebca87

    • SHA256

      16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86

    • SHA512

      4bb7c4a3706e4056f6cc38e46dafab8e6bd463a148d5bc46197f7957f750d51c6d98903eeebe5b560283d1e15536bebad88c364e3776d5b804d99f36b8a17393

    • SSDEEP

      6144:Kqy+bnr+gp0yN90QE+rBmAS9kW2PZNK9zG1evw+IsQnjCgK83sE6ZnRC7D4I/FWB:uMrIy90wsAS/kBQk6o7D4I6d

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4

    • Size

      389KB

    • MD5

      2983d487675b8e857be5cc87ecf3a3f9

    • SHA1

      5dee58d99ebb08bee6f7210ab933e0adeed7930c

    • SHA256

      1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4

    • SHA512

      f547d694a853e4f0924f54cd7d22d7b384b15e58b45749947df5a5b44c9981d8319c6a537c8b3e517e1ece5de8be98bf95251aee51258bafd948bad269e8b866

    • SSDEEP

      6144:KOy+bnr+ep0yN90QE+d2iPWnGyF4ts9EO6GGvo5o8egBZ+t4nDSKWWE3k33GMC:iMruy904d2om56j6RegBYCnprKk3O

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244

    • Size

      390KB

    • MD5

      29559e945f56a313b5e9264dd6ca7a3b

    • SHA1

      008abf8dd4f1da5ce1cac168e042ef8bcee54607

    • SHA256

      51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244

    • SHA512

      f2dd23e29d5ef28323a0b4741e6ab5c79deeba8dd27bc0565826700e87350ab5f74059e669be30f28054e2e52af57519193099abe75b56be2f65d7071542c14c

    • SSDEEP

      12288:TMroy90EgA20duD7uAomGFLqcHnl9movoHz:LyVgAy7uGGFL5Ha

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a

    • Size

      514KB

    • MD5

      805f458c4e4cafdc121c09022e7065a1

    • SHA1

      a7876edbb4b0df6770d9de1b3eec3d10b9341f0b

    • SHA256

      68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a

    • SHA512

      49ae31bcc03ce37884dea632ae0e2f2b46a145d2fbf081f83ab9854aef849a6988a3bc614676f50c9ea2fa209fad269cec271fffaa08fdca610494aea4ecc840

    • SSDEEP

      12288:6Mr+y90vfhcrO1YnhEibozGpgA5UcjKy+:8ykfOrcYloyaKKD

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f

    • Size

      515KB

    • MD5

      2154ece6d371bfbe7b76969405904f7e

    • SHA1

      39f7c2f9abe69a8dc9b42853d10e330b93c9858d

    • SHA256

      764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f

    • SHA512

      da64833b8c9a80598631242e5649164230f586d26e6171af7fac767496319a2e7147df082f7294a7faeb6e97843c03f4031ebfac1244ffab3804102e293a857f

    • SSDEEP

      12288:ZMr7y90W5WJa5xOzgYAkrlzdEEcjXAyEc6hoMzR3VFKTv2h:uyfxOpRzKEOAyEphtzhrKTg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      853890cb435781965f3dc9618397058d03c8d3e59706ede7d308b4afe12cbe68

    • Size

      514KB

    • MD5

      1e403ea018e300ab5fa01dc6722fd8a6

    • SHA1

      b84fea8ce4026eb79d8048b8c2af1d21ecf1364c

    • SHA256

      853890cb435781965f3dc9618397058d03c8d3e59706ede7d308b4afe12cbe68

    • SHA512

      51c703ee4d4c66c3c94d54f96691490b9dddd2260472b48f728f09712b081726e60bc6e1a1df1fe4306b99ab594065512bbce2f44587be7a7461a53dd7c6e244

    • SSDEEP

      12288:fMrdy90UdEtCZ8v/PXBqYmXzGNmIubtV4xM6ijMEV:yy7ut3nx0XKNmIucBEV

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae

    • Size

      307KB

    • MD5

      24113d3ed2dc8ba8789b2874addb0750

    • SHA1

      2901dff1dd1b5b619d48c8d04d22c185922e651b

    • SHA256

      94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae

    • SHA512

      409754870b1cf18269d84a798f69e11cb54540d12217fc0674524ef0e3d42ce38d199d45b7e1b7cb96a70fff87704561b6208bb58bc2628881b9a3d7422aecc7

    • SSDEEP

      6144:Kxy+bnr++p0yN90QEA5F5OYc1u31g4TBylzQbR/JOF:HMriy90mxc1u31TTEtQb1JOF

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b37eb33077f476edc8499adec33a790467d8728ec752146ca687a56407fc5af6

    • Size

      307KB

    • MD5

      235ce5bf310f42d5677df1efbabbda6b

    • SHA1

      2463a0dbf1fa683da0fe57a1d146ac7540be2979

    • SHA256

      b37eb33077f476edc8499adec33a790467d8728ec752146ca687a56407fc5af6

    • SHA512

      cb5ca76c4ccee243caa978550fcbd611cbf00fae872e3289cc429fd834f49414aeca54db771b3b4c1089f644735b05f8611d2ea192f053c9f29a3ffa0edafb74

    • SSDEEP

      6144:KUy+bnr+op0yN90QEm5F5OYc1u31g4TByeLlzKwFZYXeS46:gMr0y90Yxc1u31TTEeLlz5kl46

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017

    • Size

      235KB

    • MD5

      2180205f8ead587dd56762145e7f784f

    • SHA1

      401ccddf09243f26c09e7c8b2d8bb49552835010

    • SHA256

      b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017

    • SHA512

      138b9393f587ff03c898e001f3d0c7d12a480dfeed417c6c7c22ff3dbd319a68e8ec977e0c0fcd951e3a18676f3ba0e127bc5adc3b69fe0f7bf43182a4fbb32a

    • SSDEEP

      6144:KOy+bnr+Vp0yN90QEchQmyJXNcrGFySYCcHnlRHw7:aMrBy90mC+rGYYcHnl90

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5

    • Size

      390KB

    • MD5

      27244e5f630cfab1b514ce4d15b1028b

    • SHA1

      36c5eed78b2ce9e253c2e176e6d6ae6a8ab849b3

    • SHA256

      c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5

    • SHA512

      2cdcfee74150bcd5e656009d0b701b8b972a8844f3b4fe48708aea1d7883c92286ed0368a6b24efa0902ea2c99dbe97a48a06ddccd69543cd6835f4023b3a7c5

    • SSDEEP

      6144:K6y+bnr+rp0yN90QEO8EikWGjZNJkp7w8ZWj9jJAVmAAhKAU4u:mMrjy90FEMvWj9jJrhKAu

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721

    • Size

      309KB

    • MD5

      290ff81ba12e0d1d1a636eb5a3de8823

    • SHA1

      98ec545dbb97f4b7c55ee3fc91afe85d8e2d60aa

    • SHA256

      cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721

    • SHA512

      f168ae49314180c63bd492aa57a7f74b629f4a4398772ade9e4cc9dbcf3e8f8d228beb23c81a668edc4351c892e32c7c0867f91a77a6a667d7151ddbcec2e6f4

    • SSDEEP

      6144:KUy+bnr+sp0yN90QEM5F5OYc1u31g4TByQpv2+YtIpTA:IMrQy906xc1u31TTEQh2HtSA

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • Size

      514KB

    • MD5

      2993a209322f7d93406fd78632f4a545

    • SHA1

      e141503a5dc185ee91e131b8404ee5f563ff1cd1

    • SHA256

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • SHA512

      cb8d9e79b3ed4ba5711cd8933590ce1dd9e349f7a399c38650a1b3611c4a50a415f0b7de91701f3e77e8297d38bb433fc7fb3d53cfd1e46e76f99772aeabfc3b

    • SSDEEP

      12288:cMrzy90i9beiGTgODcYq3pB/npmVb66azq:vy/bhGT5Pq3Lhm/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a

    • Size

      1.0MB

    • MD5

      250d1ecad815535932db86d951b6f70d

    • SHA1

      9d56851eda02a979043c33ec98883e2655bacc30

    • SHA256

      e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a

    • SHA512

      ede2fc99fe086f427355d95e2b4fad0289da828f3105c5c2b9b48a8aee213928299725b55d066df7ce2f3c139ecdf38ff418bf20ac36244678f0f0d0a7a05c65

    • SSDEEP

      24576:wyt+dYi+Bu0wW31dx/UEvzxRTkICQ/digppmVnXrBh:3tmYiN0t3VfB5VdpAV1

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      eaef827c83066a0c63b264b2910364be1a6d933a04f4d9f48d9610d9ea2cc465

    • Size

      521KB

    • MD5

      804f822677de79f678f189d03a3dff8e

    • SHA1

      3b44bae19603206607b649854c5647977cdf8342

    • SHA256

      eaef827c83066a0c63b264b2910364be1a6d933a04f4d9f48d9610d9ea2cc465

    • SHA512

      1bb48995379688c2c6c5434f01dff8bc1d8ff63c1b9c1135452309fc76a2c94ee20f535b7a3d20db096809c0da4559b21c2382cd5d959b89799509e60a0c76a8

    • SSDEEP

      12288:C5w2J603Ipd5YygcklMzX7/8JgNW8a7V+tQbkdDGrHO3kv6hd0Xp:C5wg3IXzqfgKodDGrzv6hO

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c

    • Size

      390KB

    • MD5

      2115f838100aacbc3124baa1083c9d98

    • SHA1

      7eb9e1272fdcbc6deec8fbdc06d609c69a0a88fc

    • SHA256

      ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c

    • SHA512

      7a8645ad4437cfa1833f826b9ed83dc329ecf14ceed774d5aea2982f305ee3c89cb69f4a72e31e4d78bc8ecb70937198a732c36e5b0914cce9f42fcf18bfd8d2

    • SSDEEP

      6144:Kwy+bnr+Qp0yN90QEHQvEyqANvRS5KRQrw6kd7lmm39LBGGHlXve5oGvAe:wMr8y90QEyqANc6Qr5KAm9HFXaone

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef

    • Size

      359KB

    • MD5

      2787331b97e3aa4d3322ea6e057cdbde

    • SHA1

      63a7e7bc5543dd7d46541dcedc7c75137d347fe0

    • SHA256

      f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef

    • SHA512

      683f3aec82d00db1e691311a6e770a7ce828bb64cd1672261e9454d50580c7957d76f31b173b74f7fc1a14359b328970470b3002a74b09997f276503b5692bff

    • SSDEEP

      6144:Key+bnr+Ip0yN90QETAAaLHM+RkWt7ZNm8gbAm6NzpjsRsyDDK16sP4/7lw4t:2Mr8y90tAAao+ObAmmZsWyK1b4/7Ge

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

healerredlinemashadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

healerredlineromadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral3

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

amadeyhealerredlinesmokeloadergrombackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral6

amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

amadeyhealerredlinesmokeloaderkrastbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

healerredlinedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral9

healerredlinedivandropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

amadeyhealerdropperevasionpersistencetrojan
Score
10/10

behavioral11

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral12

healerredlinemihandropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral13

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral14

healerredlinekiradropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral15

Score
3/10

behavioral16

lummastealer
Score
10/10

behavioral17

amadeyhealerredlineromadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral18

amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan
Score
10/10