Overview

overview

10

Static

static

3

006388190d...bb.exe

windows10-2004-x64

10

0254882920...b5.exe

windows10-2004-x64

10

059acceaf9...4e.exe

windows10-2004-x64

10

23e52eabfc...16.exe

windows10-2004-x64

10

346c48a087...17.exe

windows10-2004-x64

10

3a559db9fb...76.exe

windows10-2004-x64

10

3bd30de35b...fb.exe

windows10-2004-x64

10

4563b46d64...3c.exe

windows10-2004-x64

10

45ab0e1069...0f.exe

windows10-2004-x64

10

545f251975...f8.exe

windows10-2004-x64

10

5bd9b291d7...ab.exe

windows10-2004-x64

10

5e70f35516...00.exe

windows10-2004-x64

10

7348ee4e4e...6d.exe

windows10-2004-x64

10

8b460dc8cc...29.exe

windows10-2004-x64

10

928c96df1b...ca.exe

windows10-2004-x64

10

972fcfe587...1d.exe

windows10-2004-x64

10

a025c0e619...2e.exe

windows10-2004-x64

10

bc0667bb8d...75.exe

windows10-2004-x64

10

cf82c35e0a...89.exe

windows10-2004-x64

10

fbe2b19c30...62.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    r1.zip

  • Size

    15.1MB

  • Sample

    240522-wy8zeabf9x

  • MD5

    8f6d0deb04a8eed2e892ea921c270037

  • SHA1

    ac818fa28b103bfbad97c22533b7988de0e4d53a

  • SHA256

    21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

  • SHA512

    f946c6787ad62e8d56e64d4f6c2e68afaa36ee9cc93fec2f21bb9901d5f380202259f1e3e2d80e23c52e56264f1cbf66bad1f76d074d090d477300c5a3def02e

  • SSDEEP

    393216:LLH2PqvBXbuXOqUMD5RpLA3iV4yEJuv1HTiiugx:LLprwoyEJu8Gx

Score
10/10
amadeyhealermysticprivateloaderredlineriseprosmokeloader04d17059b440fb0fb8gromehordajokeskinzamazdamrakbackdoordropperevasioninfostealerloaderpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes
  • auth_value

    fb7b36b70ae30fb2b72f789037350cdb

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Targets

    • Target

      006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb

    • Size

      1.0MB

    • MD5

      db869d62f5f8401076718a70f48e586e

    • SHA1

      424352327fdb3f8795505b26e11c856479aa493f

    • SHA256

      006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb

    • SHA512

      ce1e660929575deacaad46b9e52945d26a4a748e25d8bca28932493e43d67a683d5d917b53f171465d31488816b6ab9f7eebac67b723e085fb340644bd8b69c9

    • SSDEEP

      24576:py5vrzFyTGc619B8SQEQasoju6DojiYiZnkClrK:cBPwTGc8nxPhZRZnkq

    Score
    10/10
    amadeyhealerredlinefb0fb8mrakdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      0254882920b8d79aa87aa48e3861241d6f50bc1856fc52906e5a574397e08db5

    • Size

      1.2MB

    • MD5

      8c1625b073a9e827ea8ee7a8a5f6effa

    • SHA1

      45ef2f25a51ef42cc602388621a9709e938dfc2d

    • SHA256

      0254882920b8d79aa87aa48e3861241d6f50bc1856fc52906e5a574397e08db5

    • SHA512

      0e4e38e6340f879d7a2f4c18aad64409dc8c540ab39007a41ca238ce3b8e8f9f861e3cfc761c6c4f7b0c3a7c193bbf17579867c9658df99d2271fb566440920b

    • SSDEEP

      24576:NyVhhmI/5PldEHgo5najDbe0gPbuECo2WAj+uQ408zBEkQXVggh:oVhhmU5PldCyubCDjWo+d4sFgg

    Score
    10/10
    amadeymysticredlinesmokeloader04d170gromebackdoorevasioninfostealerpersistencestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e

    • Size

      1.3MB

    • MD5

      7897a8a6ebf8c162b11b148555d5c616

    • SHA1

      60992a6f05358dc6150f7c42a8b5bb42266e6e6b

    • SHA256

      059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e

    • SHA512

      9b37ae7168063fbf820682d3935242bf3254d1eace417b9206da7e7ea3bec26aa003cdb5347d39d2ae446f73ea77ddf5fddb7cb3e09c5bacada9863d9f9d3b34

    • SSDEEP

      24576:Oy/HLy2splQy14Pz413AxpZz1MqkaZEouZugKp3:d/ry2oDWPzG3uR1MqkfZ

    Score
    10/10
    amadeymysticredlinefb0fb8mrakinfostealerpersistencestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616

    • Size

      1.1MB

    • MD5

      75d611b9fdd12ae96644de5080557ebd

    • SHA1

      dada87e4a3a6c66fdf05bf523ec00f78e9aaa389

    • SHA256

      23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616

    • SHA512

      df51455190cf4b9406cc3181277aff2342cbcfc9946e2ccba145de5adcd908db4af944e1d3182cdfc154f50f6c5bd34d6010359168090d5cbb941ff09f1edb00

    • SSDEEP

      12288:gMrTy90Wp2ABf9NNsOYroRyNVdB31qvOJfAPgLslvr7BCuxxJMU0vLmuxLeMNmrn:jy1pRxsOYUqBQgLOVCYB0inrqjfwq7G

    Score
    10/10
    privateloaderredlineriseprohordainfostealerloaderpersistencestealer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral4

    • Target

      346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17

    • Size

      812KB

    • MD5

      269e4463c32ae30693d623724642b34b

    • SHA1

      db7310a4b793e4889d18652788269847a4ca0551

    • SHA256

      346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17

    • SHA512

      c5c2084f0aa7e829307c0e592aa11d5030a92f83f8f7f955b92c478070b2cd1ca25f10f2adcf958b8a9315fa72305787f8bc18dfaad149c410943871fb410100

    • SSDEEP

      12288:7MrIy90Y0bOk0fpuuupA7G7boeBnDjtYIFEIzKYQl3GiXhgnmUK0ct:Py90bgQKKHoefsXXGmnt

    Score
    10/10
    amadeyredline59b440mrakevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76

    • Size

      654KB

    • MD5

      6bf1ef97fb912648145ba8485d0034aa

    • SHA1

      ebe81236c38c87b10c18ac8294858b0dd5c723bd

    • SHA256

      3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76

    • SHA512

      33fe49918aa24ba2b8f91841d306be23331272e104ff45a02036d2ff23d18ff27eeab62dfdedd80adcfdc0b751d22fe5f24bf6956ef81a7f6e7def89d5ff0c13

    • SSDEEP

      12288:TMrry90TX9G2u/oa4+IenzZPBXUafP5DyCMZ8Xvnr80snL:4yopa9lnsCMkC

    Score
    10/10
    mysticsmokeloaderbackdoorevasionpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      3bd30de35b2caa677c1a1d8eeb9a0878d3c396425a4501d3fc280590146a7efb

    • Size

      1.0MB

    • MD5

      6cc79e163b32f15cef6c4e5254345f67

    • SHA1

      559c8d313f487ec11d210d7a1b9c0baf9ac73ac0

    • SHA256

      3bd30de35b2caa677c1a1d8eeb9a0878d3c396425a4501d3fc280590146a7efb

    • SHA512

      59cb6804045b9c2453f03d7999152ab0c31eef5aede7c8ead7f4ed5534761da95da32de4a79a8f74efd4f1b01fe412072dc4787a7c79093ab1f647a8e49e7104

    • SSDEEP

      24576:DyxSt7M+4AkPGTHr3VJbC31Weo6ho9zXVe1Grw:WQ9M+4NPuHzV0l+hF

    Score
    10/10
    amadeyhealerredlinefb0fb8mrakdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral7

    • Target

      4563b46d64120bf9833b2c3a8c333cb31977f9c75d32f836c04620dc0ce6623c

    • Size

      1.0MB

    • MD5

      8fe82d0e2d2518638a767d3f01fdac83

    • SHA1

      42909c9e87631077b5e113a22bf1245310ea602e

    • SHA256

      4563b46d64120bf9833b2c3a8c333cb31977f9c75d32f836c04620dc0ce6623c

    • SHA512

      333c825d1eec6f9adca67a48a3875526ae357c871c3bb0d9da39f4bd3822f9668d44f32951c501e0aee6cb5ee3b6798f6f0279a90ab726604f7e2856dd371df7

    • SSDEEP

      24576:oyhpxgYfKwXna+XvuL3IWmgqG3x/YcVDHG72+opgKICo/:vjxg8XxmHTc6pgKI

    Score
    10/10
    amadeymysticredline59b440mrakevasioninfostealerpersistencestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral8

    • Target

      45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f

    • Size

      662KB

    • MD5

      dcac23d0bc279a89e89714367315a23b

    • SHA1

      4b95e86bc8c126b3d438ad8d7fdb28b6f9baa127

    • SHA256

      45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f

    • SHA512

      c5adfd13d4cae9e01a35a719bac66e505e7c70352ef9678a3be4ea039b71c9732da3bdcda3aa67f5440443c53da41452e7b1be456cf22a8435f6a2cde38a5265

    • SSDEEP

      12288:KMr6y903bBP+0CGbGWeRtUx3QotEXYoQw15uCkOKsX+Km9yAGG2Pg2wYlUKUlF:MyQBPcizqtCeHd1ACktKmk7nA

    Score
    10/10
    healerredlinemrakdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral9

    • Target

      545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8

    • Size

      756KB

    • MD5

      60c078db5342b504d0f5d0983824a0b2

    • SHA1

      8151eb0747f8f4902bdf7ddb288f530ed57ab26f

    • SHA256

      545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8

    • SHA512

      faee353e621779166a8e91bca06e8e05f919375fe3cff142e0f7a58f2a9bba738a7f81a7ce7d65adecced952b0645f9661b10a1046924a8587a36aec7881ffe3

    • SSDEEP

      12288:kMr5y90DWI7C6LGHKHrvElVc1q7eTBplfXISkC1ghjKc1AHEjBz:VyOWhyLvoy18eV/fXpOJF

    Score
    10/10
    mysticredlinekinzainfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab

    • Size

      1.4MB

    • MD5

      8d90361e8bf7f26eec4a063c82eaa6cd

    • SHA1

      a44abc8788bfaaac8ee0e8a6b70458471a8e5648

    • SHA256

      5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab

    • SHA512

      3d9406f3be98992338f264f08c27f396062cfd5376717da4e9d9efbfc1481f6d7c699ac9dbcd4ba792550ce5aad4b4c176520ccc43e485d3dc2b93e58a6a25ff

    • SSDEEP

      24576:tyrFNdHyoabka1N0oVq38WevoGuLiWnbC5z+jUFp9WHk3/fpcBx5Qf:I5Ko30tQsToGuLiASzEwWHrBxO

    Score
    10/10
    healerredlinemazdadropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral11

    • Target

      5e70f35516878f784c795b9bc0d243a75bde82267717162cdb1838a7e102b600

    • Size

      540KB

    • MD5

      4c6202ca27eb3db897c82c8b078592ca

    • SHA1

      dec25fca3509c65005bfec21a5c058dc16ec6264

    • SHA256

      5e70f35516878f784c795b9bc0d243a75bde82267717162cdb1838a7e102b600

    • SHA512

      f765a0fba8a60c0eafbb5c5a51e56f05cdf71f4e3af472bb05547da9af3bfef3dca1f644b43d39d574b9697d6c2de551e4209ac3d11e90aa79f83436756b01fe

    • SSDEEP

      12288:yMruy90B65+x8NqnoBu5z6NY9DBqwFEjcL4:4yr4xwqnoc31pEjck

    Score
    10/10
    amadeyredline59b440mrakevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral12

    • Target

      7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d

    • Size

      234KB

    • MD5

      f49341a76d3b4070cf58c0081196772f

    • SHA1

      193bb28846d75d8c250304787027969b9b69b622

    • SHA256

      7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d

    • SHA512

      7a831be3a1c121d3dbc4f292a9782394bc25c486f38bf0c5000058726e97b3ec6e46112dcff8b87dda33b8c39974c5dee670285dc67883f6d58432e9c21b9235

    • SSDEEP

      3072:Key+bnr+O175GWp1icKAArDZz4N9GhbkrNEk1M7CZBmbxwUPiPdvuQtokpBQyvU6:Key+bnr+Ip0yN90QEtC/cO/TBpwo+

    Score
    10/10
    amadeyhealerfb0fb8dropperevasionpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral13

    • Target

      8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29

    • Size

      1.0MB

    • MD5

      6f6fa83bd35311c3f78ff4d29d1e8117

    • SHA1

      1c261d1ed4efb7c407ed76784b008e04f49b3598

    • SHA256

      8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29

    • SHA512

      e4326312e9c0e5b6c36a8715cd55ce6ee87fbc2f28455c4d0f11dd620a999a935fb4ad03872aed880f142fe00757d851f56295bd2c96f0b725d6b42ba4fd6e66

    • SSDEEP

      24576:EyyE63fdNtHwmIFlkWqno9rno4MBdTyaUPR12jpUF:TypFNtQmWqsh2dGdZ13

    Score
    10/10
    amadeymysticredline59b440mrakevasioninfostealerpersistencestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral14

    • Target

      928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca

    • Size

      812KB

    • MD5

      d7e04401772d93d83c33c32c5f33a602

    • SHA1

      3c91a840591313764010ec32ee6a0dc5b5b40447

    • SHA256

      928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca

    • SHA512

      e5f33a36ed748c53165024bec39585b8b8312a6f68a54953f9d854265e009fcb2d34aec610ff98ce150a3e2aefca3e594ddbbb683e95f9edb962f06f39d575bb

    • SSDEEP

      12288:dMr8y9062uW/X3IShA4Q7D2oRWidu+4lJGQmMLRrPv2ReCZdxnQ65gbpmwKK:pyqp3K4+D2rnbXGSiMCDylcK

    Score
    10/10
    amadeyredline59b440mrakevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d

    • Size

      433KB

    • MD5

      cdd196694c11df773e31372b1e3f6578

    • SHA1

      f013a3c818024ea0e771ff51c981e90a00fcbad9

    • SHA256

      972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d

    • SHA512

      34c9a0e50a4e6360535108ddb53e802716dce6b69cf1978274620d744cf91221d039994d6edc80ae05ea06cf1c5cce3c9161a66268c25ceb5ed5c11665587b99

    • SSDEEP

      12288:9Mroy90XNx2BiXTV2NhmyP7U1Jqr1oX0:dyaNwGa57wJYmX0

    Score
    10/10
    amadeyhealerredline59b440mrakdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral16

    • Target

      a025c0e61987ac5dff969885b12ced5a1064ab0b0ae71e3751eb0331b3e6332e

    • Size

      539KB

    • MD5

      a45778de16313f7bdf760c890122347f

    • SHA1

      5c1544de791cd35041106e4bdf7b5f3c5a0c9c65

    • SHA256

      a025c0e61987ac5dff969885b12ced5a1064ab0b0ae71e3751eb0331b3e6332e

    • SHA512

      1efee5745ad4741b77309bde7c0063ba3d8a4b8eba44489acea81a8df89b89ccd657256c6305e47064840078d747670ef29dff093e2d107b60e002104c1a2af3

    • SSDEEP

      12288:1MrPy906oA/07qnoBKRBSCaNRi5iNeTwwmZsFwF8vu:uyavqnogMQnZwF8G

    Score
    10/10
    amadeyredline59b440mrakevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75

    • Size

      662KB

    • MD5

      c693bd5e0c62bb8c0044d52c931c31c8

    • SHA1

      1693df1c3dff75041377f4480a6a54ead046f278

    • SHA256

      bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75

    • SHA512

      097c0fc5b6b02889a4f67601a653fd8d4a2b1d574b6b6cbf2004b934eb02ab571236dea6322a4fcedaa5a5281abc08a17d62403bd4f56ed0b199d28b189c9d55

    • SSDEEP

      12288:ZMr+y90FaweLM0qcVycy0YlxW0U20+ba9lK1NDlawUX3vPDr:vyW4M1cVZ0W4eiNDlawYPH

    Score
    10/10
    amadeyhealerredline59b440mrakdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral18

    • Target

      cf82c35e0a5a0683a1f51d3806ea0eb39a59d81fd4fc110c9762ff99d4e3f389

    • Size

      320KB

    • MD5

      eaf5487e09db15c107eafb82a3c3e30d

    • SHA1

      c3f95ac8ee1b6e53dc1bed7dc4dcf11462f6555a

    • SHA256

      cf82c35e0a5a0683a1f51d3806ea0eb39a59d81fd4fc110c9762ff99d4e3f389

    • SHA512

      0dee5f7a105b6cdd2114a7fe54270cc7c21f45d837671953ff6306ece85a51574902ef482f79636ebd7ef1e35d6b5fdf9616e2a2d5e3a0b408e1ada8a8ac135c

    • SSDEEP

      6144:KWy+bnr+Fp0yN90QE6rKEP3ve7yRfsK6KRFjEXtaBv7hf5c2ww4/:SMrly90UKU/e7RK6KRdEXYp79q2wx/

    Score
    10/10
    amadeymystic59b440persistencestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral19

    • Target

      fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62

    • Size

      500KB

    • MD5

      72042dcc9c9f444364c9d752a2a6578a

    • SHA1

      4943efa69c1ec14a4a771999fc74bea4a1a2e175

    • SHA256

      fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62

    • SHA512

      2a22b2f0ccfee7d97ae3e9b277bca18c3382fba44feb1ff10c5c94818edaa46ec6771021dfdb6f0f3375f52392fb35809032d3c3e0cee31c5533ba5cf7a1acfe

    • SSDEEP

      12288:RMrhy90Iu76ZwmypXWLB21ZsWIJ4GtOcH/3jCWffGu5exQH7:YyO63y1Wg+J4xsPjJlexQH7

    Score
    10/10
    mysticredlinejokesinfostealerpersistencestealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral20

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadeyhealerredlinefb0fb8mrakdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

amadeymysticredlinesmokeloader04d170gromebackdoorevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral3

amadeymysticredlinefb0fb8mrakinfostealerpersistencestealertrojan
Score
10/10

behavioral4

privateloaderredlineriseprohordainfostealerloaderpersistencestealer
Score
10/10

behavioral5

amadeyredline59b440mrakevasioninfostealerpersistencetrojan
Score
10/10

behavioral6

mysticsmokeloaderbackdoorevasionpersistencestealertrojan
Score
10/10

behavioral7

amadeyhealerredlinefb0fb8mrakdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

amadeymysticredline59b440mrakevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral9

healerredlinemrakdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral10

mysticredlinekinzainfostealerpersistencestealer
Score
10/10

behavioral11

healerredlinemazdadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral12

amadeyredline59b440mrakevasioninfostealerpersistencetrojan
Score
10/10

behavioral13

amadeyhealerfb0fb8dropperevasionpersistencetrojan
Score
10/10

behavioral14

amadeymysticredline59b440mrakevasioninfostealerpersistencestealertrojan
Score
10/10

behavioral15

amadeyredline59b440mrakevasioninfostealerpersistencetrojan
Score
10/10

behavioral16

amadeyhealerredline59b440mrakdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral17

amadeyredline59b440mrakevasioninfostealerpersistencetrojan
Score
10/10

behavioral18

amadeyhealerredline59b440mrakdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral19

amadeymystic59b440persistencestealertrojan
Score
10/10

behavioral20

mysticredlinejokesinfostealerpersistencestealer
Score
10/10