General

  • Target

    r1.zip

  • Size

    15.1MB

  • Sample

    240522-wy8zeabf9x

  • MD5

    8f6d0deb04a8eed2e892ea921c270037

  • SHA1

    ac818fa28b103bfbad97c22533b7988de0e4d53a

  • SHA256

    21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

  • SHA512

    f946c6787ad62e8d56e64d4f6c2e68afaa36ee9cc93fec2f21bb9901d5f380202259f1e3e2d80e23c52e56264f1cbf66bad1f76d074d090d477300c5a3def02e

  • SSDEEP

    393216:LLH2PqvBXbuXOqUMD5RpLA3iV4yEJuv1HTiiugx:LLprwoyEJu8Gx

Malware Config

Extracted
  • Family: amadey
  • Version: 3.89
  • Botnet: fb0fb8
  • C2: http://77.91.68.52
  • Attributes
      • install_dir: fefffe8cea
      • install_file: explonde.exe
      • strings_key: 916aae73606d7a9e02a1d3b47c199688
      • url_paths: /mac/index.php
  • rc4.plain

Extracted
  • Family: redline
  • Botnet: mrak
  • C2: 77.91.124.82:19071
  • Attributes
      • auth_value: 7d9a335ab5dfd42d374867c96fe25302

Extracted
  • Family: redline
  • Botnet: kinza
  • C2: 77.91.124.86:19084

Extracted
  • Family: redline
  • Botnet: mazda
  • C2: 217.196.96.56:4138
  • Attributes
      • auth_value: 3d2870537d84a4c6d7aeecd002871c51

Extracted
  • Family: amadey
  • Version: 3.87
  • Botnet: 59b440
  • C2: http://77.91.68.18
  • Attributes
      • install_dir: b40d11255d
      • install_file: saves.exe
      • strings_key: fa622dfc42544927a6471829ee1fa9fe
      • url_paths: /nice/index.php
  • rc4.plain

Extracted
  • Family: redline
  • Botnet: grome
  • C2: 77.91.124.86:19084

Extracted
  • Family: amadey
  • Version: 3.89
  • Botnet: 04d170
  • C2: http://77.91.124.1
  • Attributes
      • install_dir: fefffe8cea
      • install_file: explothe.exe
      • strings_key: 36a96139c1118a354edf72b1080d4b2f
      • url_paths: /theme/index.php
  • rc4.plain

Extracted
  • Family: redline
  • Botnet: jokes
  • C2: 77.91.124.82:19071
  • Attributes
      • auth_value: fb7b36b70ae30fb2b72f789037350cdb

Extracted
  • Family: redline
  • Botnet: horda
  • C2: 194.49.94.152:19053

Extracted
  • Family: risepro
  • C2: 194.49.94.152

Targets

    • Target

      006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb

    • Size

      1.0MB

    • MD5

      db869d62f5f8401076718a70f48e586e

    • SHA1

      424352327fdb3f8795505b26e11c856479aa493f

    • SHA256

      006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb

    • SHA512

      ce1e660929575deacaad46b9e52945d26a4a748e25d8bca28932493e43d67a683d5d917b53f171465d31488816b6ab9f7eebac67b723e085fb340644bd8b69c9

    • SSDEEP

      24576:py5vrzFyTGc619B8SQEQasoju6DojiYiZnkClrK:cBPwTGc8nxPhZRZnkq

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0254882920b8d79aa87aa48e3861241d6f50bc1856fc52906e5a574397e08db5

    • Size

      1.2MB

    • MD5

      8c1625b073a9e827ea8ee7a8a5f6effa

    • SHA1

      45ef2f25a51ef42cc602388621a9709e938dfc2d

    • SHA256

      0254882920b8d79aa87aa48e3861241d6f50bc1856fc52906e5a574397e08db5

    • SHA512

      0e4e38e6340f879d7a2f4c18aad64409dc8c540ab39007a41ca238ce3b8e8f9f861e3cfc761c6c4f7b0c3a7c193bbf17579867c9658df99d2271fb566440920b

    • SSDEEP

      24576:NyVhhmI/5PldEHgo5najDbe0gPbuECo2WAj+uQ408zBEkQXVggh:oVhhmU5PldCyubCDjWo+d4sFgg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e

    • Size

      1.3MB

    • MD5

      7897a8a6ebf8c162b11b148555d5c616

    • SHA1

      60992a6f05358dc6150f7c42a8b5bb42266e6e6b

    • SHA256

      059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e

    • SHA512

      9b37ae7168063fbf820682d3935242bf3254d1eace417b9206da7e7ea3bec26aa003cdb5347d39d2ae446f73ea77ddf5fddb7cb3e09c5bacada9863d9f9d3b34

    • SSDEEP

      24576:Oy/HLy2splQy14Pz413AxpZz1MqkaZEouZugKp3:d/ry2oDWPzG3uR1MqkfZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616

    • Size

      1.1MB

    • MD5

      75d611b9fdd12ae96644de5080557ebd

    • SHA1

      dada87e4a3a6c66fdf05bf523ec00f78e9aaa389

    • SHA256

      23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616

    • SHA512

      df51455190cf4b9406cc3181277aff2342cbcfc9946e2ccba145de5adcd908db4af944e1d3182cdfc154f50f6c5bd34d6010359168090d5cbb941ff09f1edb00

    • SSDEEP

      12288:gMrTy90Wp2ABf9NNsOYroRyNVdB31qvOJfAPgLslvr7BCuxxJMU0vLmuxLeMNmrn:jy1pRxsOYUqBQgLOVCYB0inrqjfwq7G

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17

    • Size

      812KB

    • MD5

      269e4463c32ae30693d623724642b34b

    • SHA1

      db7310a4b793e4889d18652788269847a4ca0551

    • SHA256

      346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17

    • SHA512

      c5c2084f0aa7e829307c0e592aa11d5030a92f83f8f7f955b92c478070b2cd1ca25f10f2adcf958b8a9315fa72305787f8bc18dfaad149c410943871fb410100

    • SSDEEP

      12288:7MrIy90Y0bOk0fpuuupA7G7boeBnDjtYIFEIzKYQl3GiXhgnmUK0ct:Py90bgQKKHoefsXXGmnt

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76

    • Size

      654KB

    • MD5

      6bf1ef97fb912648145ba8485d0034aa

    • SHA1

      ebe81236c38c87b10c18ac8294858b0dd5c723bd

    • SHA256

      3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76

    • SHA512

      33fe49918aa24ba2b8f91841d306be23331272e104ff45a02036d2ff23d18ff27eeab62dfdedd80adcfdc0b751d22fe5f24bf6956ef81a7f6e7def89d5ff0c13

    • SSDEEP

      12288:TMrry90TX9G2u/oa4+IenzZPBXUafP5DyCMZ8Xvnr80snL:4yopa9lnsCMkC

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      3bd30de35b2caa677c1a1d8eeb9a0878d3c396425a4501d3fc280590146a7efb

    • Size

      1.0MB

    • MD5

      6cc79e163b32f15cef6c4e5254345f67

    • SHA1

      559c8d313f487ec11d210d7a1b9c0baf9ac73ac0

    • SHA256

      3bd30de35b2caa677c1a1d8eeb9a0878d3c396425a4501d3fc280590146a7efb

    • SHA512

      59cb6804045b9c2453f03d7999152ab0c31eef5aede7c8ead7f4ed5534761da95da32de4a79a8f74efd4f1b01fe412072dc4787a7c79093ab1f647a8e49e7104

    • SSDEEP

      24576:DyxSt7M+4AkPGTHr3VJbC31Weo6ho9zXVe1Grw:WQ9M+4NPuHzV0l+hF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4563b46d64120bf9833b2c3a8c333cb31977f9c75d32f836c04620dc0ce6623c

    • Size

      1.0MB

    • MD5

      8fe82d0e2d2518638a767d3f01fdac83

    • SHA1

      42909c9e87631077b5e113a22bf1245310ea602e

    • SHA256

      4563b46d64120bf9833b2c3a8c333cb31977f9c75d32f836c04620dc0ce6623c

    • SHA512

      333c825d1eec6f9adca67a48a3875526ae357c871c3bb0d9da39f4bd3822f9668d44f32951c501e0aee6cb5ee3b6798f6f0279a90ab726604f7e2856dd371df7

    • SSDEEP

      24576:oyhpxgYfKwXna+XvuL3IWmgqG3x/YcVDHG72+opgKICo/:vjxg8XxmHTc6pgKI

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f

    • Size

      662KB

    • MD5

      dcac23d0bc279a89e89714367315a23b

    • SHA1

      4b95e86bc8c126b3d438ad8d7fdb28b6f9baa127

    • SHA256

      45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f

    • SHA512

      c5adfd13d4cae9e01a35a719bac66e505e7c70352ef9678a3be4ea039b71c9732da3bdcda3aa67f5440443c53da41452e7b1be456cf22a8435f6a2cde38a5265

    • SSDEEP

      12288:KMr6y903bBP+0CGbGWeRtUx3QotEXYoQw15uCkOKsX+Km9yAGG2Pg2wYlUKUlF:MyQBPcizqtCeHd1ACktKmk7nA

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8

    • Size

      756KB

    • MD5

      60c078db5342b504d0f5d0983824a0b2

    • SHA1

      8151eb0747f8f4902bdf7ddb288f530ed57ab26f

    • SHA256

      545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8

    • SHA512

      faee353e621779166a8e91bca06e8e05f919375fe3cff142e0f7a58f2a9bba738a7f81a7ce7d65adecced952b0645f9661b10a1046924a8587a36aec7881ffe3

    • SSDEEP

      12288:kMr5y90DWI7C6LGHKHrvElVc1q7eTBplfXISkC1ghjKc1AHEjBz:VyOWhyLvoy18eV/fXpOJF

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab

    • Size

      1.4MB

    • MD5

      8d90361e8bf7f26eec4a063c82eaa6cd

    • SHA1

      a44abc8788bfaaac8ee0e8a6b70458471a8e5648

    • SHA256

      5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab

    • SHA512

      3d9406f3be98992338f264f08c27f396062cfd5376717da4e9d9efbfc1481f6d7c699ac9dbcd4ba792550ce5aad4b4c176520ccc43e485d3dc2b93e58a6a25ff

    • SSDEEP

      24576:tyrFNdHyoabka1N0oVq38WevoGuLiWnbC5z+jUFp9WHk3/fpcBx5Qf:I5Ko30tQsToGuLiASzEwWHrBxO

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      5e70f35516878f784c795b9bc0d243a75bde82267717162cdb1838a7e102b600

    • Size

      540KB

    • MD5

      4c6202ca27eb3db897c82c8b078592ca

    • SHA1

      dec25fca3509c65005bfec21a5c058dc16ec6264

    • SHA256

      5e70f35516878f784c795b9bc0d243a75bde82267717162cdb1838a7e102b600

    • SHA512

      f765a0fba8a60c0eafbb5c5a51e56f05cdf71f4e3af472bb05547da9af3bfef3dca1f644b43d39d574b9697d6c2de551e4209ac3d11e90aa79f83436756b01fe

    • SSDEEP

      12288:yMruy90B65+x8NqnoBu5z6NY9DBqwFEjcL4:4yr4xwqnoc31pEjck

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d

    • Size

      234KB

    • MD5

      f49341a76d3b4070cf58c0081196772f

    • SHA1

      193bb28846d75d8c250304787027969b9b69b622

    • SHA256

      7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d

    • SHA512

      7a831be3a1c121d3dbc4f292a9782394bc25c486f38bf0c5000058726e97b3ec6e46112dcff8b87dda33b8c39974c5dee670285dc67883f6d58432e9c21b9235

    • SSDEEP

      3072:Key+bnr+O175GWp1icKAArDZz4N9GhbkrNEk1M7CZBmbxwUPiPdvuQtokpBQyvU6:Key+bnr+Ip0yN90QEtC/cO/TBpwo+

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29

    • Size

      1.0MB

    • MD5

      6f6fa83bd35311c3f78ff4d29d1e8117

    • SHA1

      1c261d1ed4efb7c407ed76784b008e04f49b3598

    • SHA256

      8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29

    • SHA512

      e4326312e9c0e5b6c36a8715cd55ce6ee87fbc2f28455c4d0f11dd620a999a935fb4ad03872aed880f142fe00757d851f56295bd2c96f0b725d6b42ba4fd6e66

    • SSDEEP

      24576:EyyE63fdNtHwmIFlkWqno9rno4MBdTyaUPR12jpUF:TypFNtQmWqsh2dGdZ13

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca

    • Size

      812KB

    • MD5

      d7e04401772d93d83c33c32c5f33a602

    • SHA1

      3c91a840591313764010ec32ee6a0dc5b5b40447

    • SHA256

      928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca

    • SHA512

      e5f33a36ed748c53165024bec39585b8b8312a6f68a54953f9d854265e009fcb2d34aec610ff98ce150a3e2aefca3e594ddbbb683e95f9edb962f06f39d575bb

    • SSDEEP

      12288:dMr8y9062uW/X3IShA4Q7D2oRWidu+4lJGQmMLRrPv2ReCZdxnQ65gbpmwKK:pyqp3K4+D2rnbXGSiMCDylcK

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d

    • Size

      433KB

    • MD5

      cdd196694c11df773e31372b1e3f6578

    • SHA1

      f013a3c818024ea0e771ff51c981e90a00fcbad9

    • SHA256

      972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d

    • SHA512

      34c9a0e50a4e6360535108ddb53e802716dce6b69cf1978274620d744cf91221d039994d6edc80ae05ea06cf1c5cce3c9161a66268c25ceb5ed5c11665587b99

    • SSDEEP

      12288:9Mroy90XNx2BiXTV2NhmyP7U1Jqr1oX0:dyaNwGa57wJYmX0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      a025c0e61987ac5dff969885b12ced5a1064ab0b0ae71e3751eb0331b3e6332e

    • Size

      539KB

    • MD5

      a45778de16313f7bdf760c890122347f

    • SHA1

      5c1544de791cd35041106e4bdf7b5f3c5a0c9c65

    • SHA256

      a025c0e61987ac5dff969885b12ced5a1064ab0b0ae71e3751eb0331b3e6332e

    • SHA512

      1efee5745ad4741b77309bde7c0063ba3d8a4b8eba44489acea81a8df89b89ccd657256c6305e47064840078d747670ef29dff093e2d107b60e002104c1a2af3

    • SSDEEP

      12288:1MrPy906oA/07qnoBKRBSCaNRi5iNeTwwmZsFwF8vu:uyavqnogMQnZwF8G

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75

    • Size

      662KB

    • MD5

      c693bd5e0c62bb8c0044d52c931c31c8

    • SHA1

      1693df1c3dff75041377f4480a6a54ead046f278

    • SHA256

      bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75

    • SHA512

      097c0fc5b6b02889a4f67601a653fd8d4a2b1d574b6b6cbf2004b934eb02ab571236dea6322a4fcedaa5a5281abc08a17d62403bd4f56ed0b199d28b189c9d55

    • SSDEEP

      12288:ZMr+y90FaweLM0qcVycy0YlxW0U20+ba9lK1NDlawUX3vPDr:vyW4M1cVZ0W4eiNDlawYPH

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cf82c35e0a5a0683a1f51d3806ea0eb39a59d81fd4fc110c9762ff99d4e3f389

    • Size

      320KB

    • MD5

      eaf5487e09db15c107eafb82a3c3e30d

    • SHA1

      c3f95ac8ee1b6e53dc1bed7dc4dcf11462f6555a

    • SHA256

      cf82c35e0a5a0683a1f51d3806ea0eb39a59d81fd4fc110c9762ff99d4e3f389

    • SHA512

      0dee5f7a105b6cdd2114a7fe54270cc7c21f45d837671953ff6306ece85a51574902ef482f79636ebd7ef1e35d6b5fdf9616e2a2d5e3a0b408e1ada8a8ac135c

    • SSDEEP

      6144:KWy+bnr+Fp0yN90QE6rKEP3ve7yRfsK6KRFjEXtaBv7hf5c2ww4/:SMrly90UKU/e7RK6KRdEXYp79q2wx/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62

    • Size

      500KB

    • MD5

      72042dcc9c9f444364c9d752a2a6578a

    • SHA1

      4943efa69c1ec14a4a771999fc74bea4a1a2e175

    • SHA256

      fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62

    • SHA512

      2a22b2f0ccfee7d97ae3e9b277bca18c3382fba44feb1ff10c5c94818edaa46ec6771021dfdb6f0f3375f52392fb35809032d3c3e0cee31c5533ba5cf7a1acfe

    • SSDEEP

      12288:RMrhy90Iu76ZwmypXWLB21ZsWIJ4GtOcH/3jCWffGu5exQH7:YyO63y1Wg+J4xsPjJlexQH7

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Scheduled Task/Job (T1053): 14

Persistence
  • Create or Modify System Process (T1543): 15
  • Windows Service (T1543.003): 15
  • Boot or Logon Autostart Execution (T1547): 20
  • Registry Run Keys / Startup Folder (T1547.001): 20
  • Scheduled Task/Job (T1053): 14

Privilege Escalation
  • Create or Modify System Process (T1543): 15
  • Windows Service (T1543.003): 15
  • Boot or Logon Autostart Execution (T1547): 20
  • Registry Run Keys / Startup Folder (T1547.001): 20
  • Scheduled Task/Job (T1053): 14

Defense Evasion
  • Modify Registry (T1112): 45
  • Impair Defenses (T1562): 25
  • Disable or Modify Tools (T1562.001): 25

Discovery
  • Query Registry (T1012): 16
  • System Information Discovery (T1082): 30
  • Peripheral Device Discovery (T1120): 2

Tasks

static1
  • Score: 3/10

behavioral1
  • amadey, healer, redline, fb0fb8, mrak, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral2
  • amadey, mystic, redline, smokeloader, 04d170, grome, backdoor, evasion, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral3
  • amadey, mystic, redline, fb0fb8, mrak, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral4
  • privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
  • Score: 10/10

behavioral5
  • amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral6
  • mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
  • Score: 10/10

behavioral7
  • amadey, healer, redline, fb0fb8, mrak, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral8
  • amadey, mystic, redline, 59b440, mrak, evasion, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral9
  • healer, redline, mrak, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral10
  • mystic, redline, kinza, infostealer, persistence, stealer
  • Score: 10/10

behavioral11
  • healer, redline, mazda, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral12
  • amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral13
  • amadey, healer, fb0fb8, dropper, evasion, persistence, trojan
  • Score: 10/10

behavioral14
  • amadey, mystic, redline, 59b440, mrak, evasion, infostealer, persistence, stealer, trojan
  • Score: 10/10

behavioral15
  • amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral16
  • amadey, healer, redline, 59b440, mrak, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral17
  • amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral18
  • amadey, healer, redline, 59b440, mrak, dropper, evasion, infostealer, persistence, trojan
  • Score: 10/10

behavioral19
  • amadey, mystic, 59b440, persistence, stealer, trojan
  • Score: 10/10

behavioral20
  • mystic, redline, jokes, infostealer, persistence, stealer
  • Score: 10/10