General

  • Target

    red.zip

  • Size

    45.9MB

  • Sample

    240513-jp94wsdb4s

  • MD5

    ff7adfb4273c69939f4b7da94d891135

  • SHA1

    9652260ad6bd3941d2111236db5c37f1bcc7caa4

  • SHA256

    ebd9a15280a9fbd641ead11a6ab911fd72dcd48a6226e2e161005aebc9f70813

  • SHA512

    a155214c5b34916b6ce2bc7d1d1af378f2837045c85e22c6f12bc05a232a78b39221ac6975c73947d6c771ff9cbc4ddd17a876790e90053f86845c436ce90c6c

  • SSDEEP

    786432:nSQbpPU0u1QA7r940lX6eddvAHgpmdzt8bHcuCK+YFpln9bqDX98lJ3ZL51E+81:nSQb7QQA140weddvAHgpmdzt8NCJyp1a

Malware Config

Extracted

  • Family

    lumma

  • C2

    https://acceptabledcooeprs.shop/api
    https://obsceneclassyjuwks.shop/api
    https://zippyfinickysofwps.shop/api
    https://miniaturefinerninewjs.shop/api
    https://plaintediousidowsko.shop/api
    https://sweetsquarediaslw.shop/api
    https://holicisticscrarws.shop/api
    https://boredimperissvieos.shop/api

Extracted

  • Family

    amadey

  • Version

    3.86

  • C2

    http://77.91.68.61

  • Attributes

    install_dir: 925e7e99c5
    install_file: pdates.exe
    strings_key: ada76b8b0e1f6892ee93c20ab8946117
    url_paths: /rock/index.php

  • rc4.plain

Extracted

  • Family

    redline

  • Botnet

    lande

  • C2

    77.91.124.84:19071

  • Attributes

    auth_value: 9fa41701c47df37786234f3373f21208

Extracted

  • Family

    redline

  • Botnet

    mufos

  • C2

    217.196.96.102:4132

  • Attributes

    auth_value: 136f202e6569ad5815c34377858a255c

Extracted

  • Family

    stealc

  • C2

    http://49.13.229.86

  • rc4.plain

Extracted

  • Family

    vidar

  • Version

    9.5

  • Botnet

    3c43beec65deb206d81f3c6b8d956f18

  • C2

    https://steamcommunity.com/profiles/76561199681720597
    https://t.me/talmatin

  • Attributes

    profile_id_v2: 3c43beec65deb206d81f3c6b8d956f18
    user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Extracted

  • Family

    redline

  • Botnet

    masha

  • C2

    77.91.68.48:19071

  • Attributes

    auth_value: 55b9b39a0dae383196a4b8d79e5bb805

Extracted

  • Family

    amadey

  • Version

    3.85

  • C2

    http://77.91.68.3

  • Attributes

    install_dir: 3ec1f323b5
    install_file: danke.exe
    strings_key: 827021be90f1e85ab27949ea7e9347e8
    url_paths: /home/love/index.php

  • rc4.plain

Extracted

  • Family

    redline

  • Botnet

    nasa

  • C2

    77.91.68.68:19071

  • Attributes

    auth_value: 6da71218d8a9738ea3a9a78b5677589b

Extracted

  • Family

    redline

  • Botnet

    lux3

  • C2

    176.123.9.142:14845

  • Attributes

    auth_value: e94dff9a76da90d6b000642c4a52574b

Extracted

  • Family

    redline

  • Botnet

    debro

  • C2

    185.161.248.75:4132

  • Attributes

    auth_value: 18c2c191aebfde5d1787ec8d805a01a8

Extracted

  • Family

    redline

  • Botnet

    divan

  • C2

    217.196.96.102:4132

  • Attributes

    auth_value: b414986bebd7f5a3ec9aee0341b8e769

Targets

    • Target

      35bc4e43814d2f85482e647760923539b90060bfc409f9e9258f5dfbf579bd95

    • Size

      368KB

    • MD5

      623b8fa1a9ec0af23e0e48f1419f27c0

    • SHA1

      e9f91a87dbee9567f44d038e7e6d59dac09e4ded

    • SHA256

      35bc4e43814d2f85482e647760923539b90060bfc409f9e9258f5dfbf579bd95

    • SHA512

      f06bc618165c0deeac9ed5cc137ed3b507383bfe79f71e58ee24022f930d19c862f974c4ec4e7fdf2665fb9962a12b13c1fbb8659957e0dacc2f87673dcada9f

    • SSDEEP

      6144:SWNgTJjz5BLb5zFrOBC4FRqjEQnsgo5KbiZBNUg1ptNn5mk7lfHSKspi:SQgF511ztOBC4vF7sbU/UeptNnMsspi

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651

    • Size

      266KB

    • MD5

      6545f1bc26cb43f4b8f6694ed82ce002

    • SHA1

      f889aa07e40c0c30795948c106c1bf1d0e5cca72

    • SHA256

      3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651

    • SHA512

      835a6d370dee13fb9c4ef888ce52d8d527b42f87e46ff23712e987b29ab4a761620d9d97707a388bba593cffd0d5684ed7b3bd531475b3ff190d8471ecc30ba8

    • SSDEEP

      6144:MY3/ZaVI/DhkEV89HhOcA++srKbqJSCnXjzegz54pdLnW9rAjD:MYvZxdk289H3PrKbqJSCnXjzegz54pdH

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Target

      3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff

    • Size

      770KB

    • MD5

      83a0b6e4f1d22cc04a1e71e2a1d91fd8

    • SHA1

      821336b6dc6d6a24ca7e382c11effb72cb2d9941

    • SHA256

      3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff

    • SHA512

      b57843085032b44bb6c4709fadf2cf92b4b3f5f0c2286be68537398b7598eec27d99cc45be29a6288bffda1ceaf25470d770372e1e69495577c4a1ab80a761e6

    • SSDEEP

      12288:xMrZy90QDhktUAdoxHlYHWOsfaGDfb5usCn3cvuBpAFMWYmZHxWySefYlKrcvx0H:4yPDFAzuiGDAsCcu7WMWYkxWRTlKrc0

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61

    • Size

      1.0MB

    • MD5

      808c0214e53b576530ee5b4592793bb0

    • SHA1

      3fb03784f5dab1e99d5453664bd3169eff495c97

    • SHA256

      434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61

    • SHA512

      2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

    • SSDEEP

      24576:qE9TiqKlz3RficpDF/JPEMsKntqDYq0TFlts:qERQRficpDFhr/Ds

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      4869031eb83eeff0929b84ddb6a50211c58c3773e9a4c610f1ffe9db5f968b36

    • Size

      1.7MB

    • MD5

      5d694b9a92d53f3a8949051522cd6282

    • SHA1

      f6075cd95c47b88f2f2feb91c3ff752566bb9c9b

    • SHA256

      4869031eb83eeff0929b84ddb6a50211c58c3773e9a4c610f1ffe9db5f968b36

    • SHA512

      a4cebe331b2e83cfbbe2f193827f8bfaf4dd159500da53b929301f3b974a340fa2816d4434f0889cc43ba58f900523fe6a92d514eaca46617ac858b0b84ed44b

    • SSDEEP

      24576:CyqtbxSjIgfo7ivFawf/hozeT13jjM0vXBRzlHNfaYoXQ74HHLIhYc:pqtbxSjIbivFawpgoBjJ3lxkX2Ish

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      48bc2a90c740695a0bc55f3cb48be41fbe65a1ebfa2d961a2cc9f956d7dda7f6

    • Size

      307KB

    • MD5

      6b92d35295ea5490a7bea438842b1ec5

    • SHA1

      0171bbc95ec622d9a8f0b98ffdfbee09f7bb6980

    • SHA256

      48bc2a90c740695a0bc55f3cb48be41fbe65a1ebfa2d961a2cc9f956d7dda7f6

    • SHA512

      f8eb55d24dde41aa401e66ce314a3968a3ccd66a512018d3c54fd9471b8220e11a31b5551ae71810e5972d510db169d2e01d1e126e57e47dc9538da7217bb599

    • SSDEEP

      6144:KWy+bnr+Ap0yN90QEx5F5OYc1u31g4TByzOzIfl9W0bW1S7:aMrIy901xc1u31TTEKzIfl9TW1S7

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4cb31f294446f49a65cd3fd2c837cbd7bb85178d6c87015ac8bb7835de3a193a

    • Size

      521KB

    • MD5

      5bf09899bc5cc12a03b75d86a5bba534

    • SHA1

      41585ae9bba21ac9d348ccd25c57b7aa448f8460

    • SHA256

      4cb31f294446f49a65cd3fd2c837cbd7bb85178d6c87015ac8bb7835de3a193a

    • SHA512

      da4dba8c05117ff93776a91564197fc019d1b21bcb388d1f0990164009411bfce8d86e8cd9ac6ea8513b50e650f800f4e0c545cf766ffa423846475d57375b40

    • SSDEEP

      12288:Xi0C+NSUvQ92mN6ygGjZXeY4m/QScIFyFctYj0Xp:XxCcvQV/4MQSchMF

    • Score

      10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      5951daaf249b9db6c83832a3b7a244dffb52f45eb746f6edb9a2315fe8e4349a

    • Size

      389KB

    • MD5

      674f568312cd04d72fdbde0d68c141d5

    • SHA1

      feb25de484a1e0340f22dd4dced0b7a2698c5277

    • SHA256

      5951daaf249b9db6c83832a3b7a244dffb52f45eb746f6edb9a2315fe8e4349a

    • SHA512

      55c2a08010efe01db2d9c8bb526b43f554806d33d058c68115f6d1391a31976698f009bce72eaa8d6337634bb4e3bc2433c174cbffbb67c13a1b85747ab042e5

    • SSDEEP

      12288:JMr5y901c1gCNbRA4eredqAigBYC9K4Jj4qxj:IyecxNbRHTRz04JjP9

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      60fc18182efb95a4ce4e1849473f7201f8de0caf9716fc85ddf837496b3ff3b7

    • Size

      435KB

    • MD5

      65574cb9beeaff86146f6f2ec8cea86f

    • SHA1

      9ca2c27c6efb5895dd9583ce451cd8fa65f4d5f6

    • SHA256

      60fc18182efb95a4ce4e1849473f7201f8de0caf9716fc85ddf837496b3ff3b7

    • SHA512

      d5119d3a1d2ed3f3f3002c5745595c3bf86d8476563ffae8cd7933e5acf3860e0083decb18f9bfe7a27b463fa68a6eba9f9e05cff5bdbcd9ae112a15a61f57de

    • SSDEEP

      12288:tcY4vLQ+mSA9L9mmzs5CdJ00vYUcYsTHMpH:gEXSAh9mmzWCD0sDcDcH

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686

    • Size

      37.5MB

    • MD5

      6579ce12a6ab4ca3fb68316f7ea655f4

    • SHA1

      3e2c7ba8039ca48afca85809b2e085a2fb8797f1

    • SHA256

      6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686

    • SHA512

      82de1584b3743f8cf13793e8e2dd0416e5ebc1ba1b07ab380afd1fafe5e08d12134b93e1ea2292fc044a521bc53247902107e54fe5c84a07968f3ab03c78fd24

    • SSDEEP

      786432:E/TOg1jJ74jIRT87Afd5pNW3aavvpoIu3bFt0Xr6m2Hq8iEITqZ6BGZkBSnJ3:ErOg1jJ7CDAV5nW7KNptTm2HzITfGZU

    • Score

      7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      6bc897b2628233ed80a62fd1df052f4e8d65dd70c9d40aada7a17519d9293e6c

    • Size

      307KB

    • MD5

      5c07ea21ef1f3ef273137ed884ae80c0

    • SHA1

      dd3e6f15c033949fbacd0eb5717fa5b9f1867515

    • SHA256

      6bc897b2628233ed80a62fd1df052f4e8d65dd70c9d40aada7a17519d9293e6c

    • SHA512

      c6f55bf84c7ad4d7c2d930ed452e76c7c3d520e94283811e7c6de3708764c7e5b63d00e96e2bd3f519daae9ab5d2f189b440740ad653be166391e2c7ffa475fa

    • SSDEEP

      6144:K1y+bnr+dp0yN90QEb5F5OYc1u31g4TByZ/w7QK1N4ydVLDT:jMrhy90Txc1u31TTEZw7rFL

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6e5f213eb7c9732447aca25e2b88e3df1b35f7370f5a1df9692b1294fdcb04e3

    • Size

      525KB

    • MD5

      5d3cf134c87846baec812f1285493017

    • SHA1

      84e3921ddf6abdf41966f9c7f0795a263d620737

    • SHA256

      6e5f213eb7c9732447aca25e2b88e3df1b35f7370f5a1df9692b1294fdcb04e3

    • SHA512

      91b843db873c59d9d39097fe3b7c9b5d940c3eb22290e0db8b754fd2e602507947886af7c1772fc8c1de3bf1d32c6814df044cd34966b7cb5ca96ed3afd49cd3

    • SSDEEP

      12288:Ax4kdIQ5K11WygPoG9R9w5EMxMPJqG460Xp:Ax4o5KPaDMxO4z

    • Score

      10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      74375fb2d74b7174b1444727d6bd1534918dce2deffdf037cfc3050c20679d83

    • Size

      409KB

    • MD5

      5e32f62d26b4476c6862785b9d6b5db3

    • SHA1

      8fc02bcd0def2535b64690e5a5ad4932bc92a398

    • SHA256

      74375fb2d74b7174b1444727d6bd1534918dce2deffdf037cfc3050c20679d83

    • SHA512

      52a24032e70c00461694e271cd4bbacf0353a4a2c6a8fed15def4fe1fe4f9792dea10a3a4cc9f7c72a0e9e4280220d7ae362fce33703885a1d417979d75f395c

    • SSDEEP

      6144:D0EpI60nbM8uPZy3+8KID4LunuX2Csvo0ZtPZ4mr99uXDgXyXHS:4E+60nbnuPL5X2NVrZhrz8HS

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Suspicious use of SetThreadContext

    • Target

      91da85daf6df1f2a381493425471c65c1caf622791472ee7e1e7d551d4d611d8

    • Size

      1.5MB

    • MD5

      68b9d46cb4498e49e084e54ec73e659c

    • SHA1

      51c333490de2a8150ef39ce4a6fd51bcc439146e

    • SHA256

      91da85daf6df1f2a381493425471c65c1caf622791472ee7e1e7d551d4d611d8

    • SHA512

      1a03f93cce2cbff326ee34f85c896c3b022a9784edc1e0d0f9164325d6e881b687fa5295372394a0379e805f3d4a9cf64b3b2ca076e8e91ab0a0645398f4c1b8

    • SSDEEP

      49152:vRJSITORDkr6F1JXxAiTVG9DWwOESEhU:p4lRDk+F1JB1+OEPh

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ac1a51983828d30d00c76912304628e7ad96b59348ac9377cf93c8f7c058dc39

    • Size

      514KB

    • MD5

      59fb589e90a00ec0ccf1612f0dc2781c

    • SHA1

      017a2f2c15e968b8c5ea36c9a853d5d77919fb82

    • SHA256

      ac1a51983828d30d00c76912304628e7ad96b59348ac9377cf93c8f7c058dc39

    • SHA512

      3ab6ec4e8e968c478404f8a926e20d0ba1f1d223374358e048a8ac9b68148937d775679c3c2bd736409e604556a63620e30b4cf386b0f4eb6fe421602dd38f65

    • SSDEEP

      12288:XMrHy90WBtd2hKp4mL7wQpgp0PkOV3q3RcSWjjXeJoGTvq:QypBtwhK1w308o3KSfPqoGbq

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b8d6d40ceb8eb4629f70f1a83e6e09e52da0cfffaf3354a4bdd9dcef75240adc

    • Size

      390KB

    • MD5

      59c9b460225451cbb1e45e47c334d898

    • SHA1

      54a8b11936bac1643aa7f06ef981198841b2456c

    • SHA256

      b8d6d40ceb8eb4629f70f1a83e6e09e52da0cfffaf3354a4bdd9dcef75240adc

    • SHA512

      9160a2a02fe74967684d58d44e7c0aae87f020804200a156340c770a851f04a5f0c3fae1cc1c898696e2985da3afe3bff7a2a2008ae0c743c024add26bfd9532

    • SSDEEP

      12288:UMrky902VVmcIyVW9JeVis3VQCrrnEpM:AytVlVGJeVisypM

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ca6e8bd0b3e308fede01283733b894fadb804ddfcbb1c8f7f451d85956826b3b

    • Size

      516KB

    • MD5

      6194bd065e3cf4df316f5c7caf2c6ec8

    • SHA1

      d3b313316c505f6b3a40a6e1f1a0fee80b3bc1cf

    • SHA256

      ca6e8bd0b3e308fede01283733b894fadb804ddfcbb1c8f7f451d85956826b3b

    • SHA512

      9a6eb4ead99134a1c8e1c66b899f2ed4c202e71c7c3ac4332e603603c2ffc2e631cd0f1f83dca4ed4cfad6afa1afab5ed7cb6d9d58a6e18788a793ed03e86305

    • SSDEEP

      12288:ZAKU2NgpaVNxqyg2DGDPPoYW9Fv9LHoJmVeuf0C2v+Mf0Xp:ZAKipauDHi9LHsmAaN2Gj

    • Score

      10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      fa3e1431975485964a90b92bb444c1ca0520a5e2b03b1d0b14d263f8802620a1

    • Size

      390KB

    • MD5

      5ed7643e177a74fc803f8b2ca8febbba

    • SHA1

      2b8d2f5e2d3d1e302e941b0d3e47d9c91be060a0

    • SHA256

      fa3e1431975485964a90b92bb444c1ca0520a5e2b03b1d0b14d263f8802620a1

    • SHA512

      d23d0d7ecda5f7f592802e8c3ab86c62b4dafd8f137a1c31ed7f55c196773a3030daf6de44d239287f6d405e8173baa139d15122903a411223c6cd1fa8a8eefd

    • SSDEEP

      6144:KGy+bnr+4p0yN90QEMlBZAAZFvL4ja8Ofm2qSPyyR1aBm3QpsEK08KAN40:CMr4y90qXZ/4jOe2qSPFR1aux08KAC0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Each technique is listed as name (technique ID): number of hits.

Execution

  • Scheduled Task/Job (T1053): 5

Persistence

  • Boot or Logon Autostart Execution (T1547): 10
  • Registry Run Keys / Startup Folder (T1547.001): 10
  • Create or Modify System Process (T1543): 8
  • Windows Service (T1543.003): 8
  • Scheduled Task/Job (T1053): 5

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 10
  • Registry Run Keys / Startup Folder (T1547.001): 10
  • Create or Modify System Process (T1543): 8
  • Windows Service (T1543.003): 8
  • Scheduled Task/Job (T1053): 5

Defense Evasion

  • Modify Registry (T1112): 26
  • Impair Defenses (T1562): 16
  • Disable or Modify Tools (T1562.001): 16

Credential Access

  • Unsecured Credentials (T1552): 7
  • Credentials In Files (T1552.001): 7

Discovery

  • Query Registry (T1012): 11
  • System Information Discovery (T1082): 13
  • Peripheral Device Discovery (T1120): 2

Collection

  • Data from Local System (T1005): 7

Tasks

Each task is listed as task name (tags): score.

  • static1: 3/10
  • behavioral1: 3/10
  • behavioral2 (redline, zgrat, discovery, infostealer, rat, spyware, stealer): 10/10
  • behavioral3 (redline, lux3, infostealer): 10/10
  • behavioral4 (redline, lux3, infostealer): 10/10
  • behavioral5 (redline, debro, infostealer, persistence): 10/10
  • behavioral6: 3/10
  • behavioral7 (stealc, discovery, spyware, stealer): 10/10
  • behavioral8 (amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan): 10/10
  • behavioral9 (healer, redline, divan, dropper, evasion, infostealer, persistence, trojan): 10/10
  • behavioral10: 3/10
  • behavioral11 (lumma, stealer): 10/10
  • behavioral12 (amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan): 10/10
  • behavioral13: 3/10
  • behavioral14 (redline, zgrat, discovery, infostealer, rat, spyware, stealer): 10/10
  • behavioral15 (persistence): 7/10
  • behavioral16 (healer, redline, mufos, dropper, evasion, infostealer, persistence, trojan): 10/10
  • behavioral17: 3/10
  • behavioral18 (lumma, stealer): 10/10
  • behavioral19: 3/10
  • behavioral20 (stealc, vidar, 3c43beec65deb206d81f3c6b8d956f18, stealer): 10/10
  • behavioral21 (healer, redline, masha, dropper, evasion, infostealer, persistence, trojan): 10/10
  • behavioral22 (amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan): 10/10
  • behavioral23 (amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan): 10/10
  • behavioral24: 3/10
  • behavioral25 (lumma, stealer): 10/10
  • behavioral26 (amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan): 10/10