General

  • Target

    5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830

  • Size

    5.3MB

  • Sample

    240522-w7kyyacb4s

  • MD5

    1396e9bf5ea34d8e976dcb161addc42c

  • SHA1

    93860d570b718d94f053b32c65945f7176d48380

  • SHA256

    5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830

  • SHA512

    9e9cc252947474c5990f494136fd064c498fc240cfeea497d77f185edc6cad661a942a185d66bd7d2c563fd7c68894e2ecb01ce1584f7a538ee39b5baa8dc418

  • SSDEEP

    98304:qlVMU2nmBPcY3/gzLs4f4Nmt1vsvMcOPBkkPskH0LNdTYVaSW2zR:jUrEoozLR4Nmt1EdOPBPsXLNkFR

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

149.202.0.242:31728

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Target

      072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70

    • Size

      662KB

    • MD5

      c66902f6e9a67c0b03be8ee68a49e552

    • SHA1

      c7a090905d3218b36a5b88fef0e175cb3f0560fc

    • SHA256

      072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70

    • SHA512

      01be3aeb2981f8f97eedb0a919408ba83be2e4a425a47fa222bc4d46b629ee8c85967d655577816888fb58c6b8b748ff2f3692ec49713f3d0d52f7f2d19ae241

    • SSDEEP

      12288:eMrGy90N4+eOGiq9xY9vsJpsBstw6QQrpqUx3N/+Rub/lb0GVLchc:kyFpuKgBI/rp3n/1Jchc

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5

    • Size

      234KB

    • MD5

      7dafcde60491fa34e526c8eaafac0f01

    • SHA1

      d0c0ff3f2e2b66559d99dc660540f0a8dd83cc67

    • SHA256

      075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5

    • SHA512

      75fed00edb3d5811cf0b70b07c789f59be7aad30579779dfa70376b82268b0e52d599792b741c954c97c8d8d10100d5cee7c3835d2250023b9060c329090d14c

    • SSDEEP

      6144:KUy+bnr+5c3pxeXjyqu+Oeu+Oeu+OeuJZp5JZp5JZp5JZp5QgwAQgwAQgwAQSp0J:IMrWc3pxeXjyqu+Oeu+Oeu+OeuJZp5JO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b

    • Size

      1.1MB

    • MD5

      5647ef3ba33c2200403333d17e434856

    • SHA1

      f695d37246239fd692e7fb044ca2a02ffaa104d9

    • SHA256

      131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b

    • SHA512

      d85b3bf66e482e08901d56f28472bd1f75fbcd4b70b27fa0582c234d71f186518fdb57b7a9bff7ae660c8d52f6eb763a696d96a384c9562a706390c5b6c55bda

    • SSDEEP

      24576:3yIXRcd8lQUqMEcXP8iO7Eff2+uySHr/cZb8/T3TB5:CIhcdSQt0fc+2LUZb43t

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254

    • Size

      646KB

    • MD5

      f6b5bede9b07bfce7ac3d693d5494761

    • SHA1

      7433b82c21237a1a65994a7ae0843d5ee891ae92

    • SHA256

      56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254

    • SHA512

      485a0e0c14a0fdddf9936fbb65f5202989c20f707194bc2cd0af96a08ccc173f65089805aa1287dcdb9389f968f769b91b760f9c6bee379ea8b7822badb544c2

    • SSDEEP

      12288:7Mruy90A+LXj+ipMEl92UTVK40hxLqrNuB5sZ75Ar+P9L:Vyy6ml92Ug4SGrNuBOZ72r+L

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62

    • Size

      377KB

    • MD5

      92c261fc96a068ae2a2835ee27a16f1e

    • SHA1

      75e4e65827acaa4e0faa3f42632a53e011bbbd09

    • SHA256

      807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62

    • SHA512

      6a1a360b8719a31d2f83ef4dfee0abae102b55ff67284b65f061fb5afddca17d8e9307d5c240f50127ebc5483d230bfb2d4bd364b2d8fddc5b3c67dd27d5ada9

    • SSDEEP

      6144:rB8vGHJfjmufItYYFrIPU88CcRAO6O82BldTjqPQo0y:rB8v8jmufI+YMgJZBlda0y

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed

    • Size

      319KB

    • MD5

      9ffe17af29c1d6b4a7c753348624c0a7

    • SHA1

      e252ed955d1edfbc89afc53a0453b9af16b6fd4a

    • SHA256

      8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed

    • SHA512

      9dc8415111c176ba626eef704c4e3a4f3e2acceb46f529b359d811a6f0da154d1dd650493f0da812c38758ee5cb954ad3a88441e1bec0a5c987a5d3ebd9095ea

    • SSDEEP

      6144:K8y+bnr+yp0yN90QEFrKEP3ve7yRfsK6KRFjEXtaBv7yZez3x81WO6:UMrGy90LKU/e7RK6KRdEXYp7YezB8kl

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a

    • Size

      254KB

    • MD5

      6c76dfb25714e5941d70f7a275e75e5d

    • SHA1

      5ed48c3c57d1abeece0b35d7bb85a6bf71ab385b

    • SHA256

      8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a

    • SHA512

      2aff7b21be560dcfeeafc9f7ed1ab0a1e10ebc2a0363a656e880d05e0c7f20030a8d44926ad72f395632ecd8bf441fe71538c81e7520d73bacf85017ab0f0d97

    • SSDEEP

      3072:gHvq+7xq+eNvu2U1GA0B+t+ieyOR/VCY0rJ25o3BcJTcVVeosbVFlb9eAg0FujDL:gTD2Lr/V90d2WxjV/hAOIKVg/oPGCV

    • Target

      d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34

    • Size

      805KB

    • MD5

      7aeb09bb57206fc4c34cdceccc7ab340

    • SHA1

      270c694409562e116dcdd44c5ce63b2a4f8bdccb

    • SHA256

      d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34

    • SHA512

      bd548655a57783f2c34ba4c11bc595112840266de1d68f939e888b399a3329cce74d604de6bc0f9efd47c292d5804d76307c520aede442378893c4828ee3d619

    • SSDEEP

      12288:qMrsy903vnIAAzzFM8VzjAJNRK47lnoj8eI4BOx4aBFrx9OX2EkDWWSMEidlk:SyyPIdzzW8psxLxno49N9CGpitb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365

    • Size

      1.6MB

    • MD5

      8730beb5e0481f045236541cbf84b0a6

    • SHA1

      8e44b7bd8462feb51c116ab72cf6bb460f2c5ee4

    • SHA256

      e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365

    • SHA512

      2da9d6a2bec2b33332ae4c0a5739cc5fd19a4c2f011bb28f3c69eed8ca654336c570526ffc7b2530637577dce49e98a54f3512069212acd0dd16a323242c8b40

    • SSDEEP

      24576:GyWdCALxR5STmSCSGz9FUkJ4RNGAWei3u7A2Lj2zPYTf8tAjbg:VWdCAfISSq7TAQIA2Lj2jKIA

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

4
T1053

Persistence

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Boot or Logon Autostart Execution

7
T1547

Registry Run Keys / Startup Folder

7
T1547.001

Scheduled Task/Job

4
T1053

Privilege Escalation

Create or Modify System Process

5
T1543

Windows Service

5
T1543.003

Boot or Logon Autostart Execution

7
T1547

Registry Run Keys / Startup Folder

7
T1547.001

Scheduled Task/Job

4
T1053

Defense Evasion

Modify Registry

14
T1112

Impair Defenses

7
T1562

Disable or Modify Tools

7
T1562.001

Discovery

Query Registry

9
T1012

System Information Discovery

12
T1082

Peripheral Device Discovery

3
T1120

Tasks

static1

Score
3/10

behavioral1

healerredlinemrakdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

amadeyhealerfb0fb8dropperevasionpersistencetrojan
Score
10/10

behavioral3

privateloaderredlineriseprohordainfostealerloaderpersistencestealer
Score
10/10

behavioral4

mysticsmokeloaderbackdoorevasionpersistencestealertrojan
Score
10/10

behavioral5

redlinelogsdiller cloud (tg: @logsdillabot)infostealer
Score
10/10

behavioral6

redlinelogsdiller cloud (tg: @logsdillabot)infostealer
Score
10/10

behavioral7

amadeymystic59b440persistencestealertrojan
Score
10/10

behavioral8

smokeloaderbackdoortrojan
Score
10/10

behavioral9

smokeloaderbackdoortrojan
Score
10/10

behavioral10

amadeyredline59b440mrakevasioninfostealerpersistencetrojan
Score
10/10

behavioral11

amadeymysticredlinesmokeloader04d170gromebackdoorevasioninfostealerpersistencestealertrojan
Score
10/10