General
-
Target
r1.zip
-
Size
15.1MB
-
Sample
240522-wy8zeabf9x
-
MD5
8f6d0deb04a8eed2e892ea921c270037
-
SHA1
ac818fa28b103bfbad97c22533b7988de0e4d53a
-
SHA256
21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d
-
SHA512
f946c6787ad62e8d56e64d4f6c2e68afaa36ee9cc93fec2f21bb9901d5f380202259f1e3e2d80e23c52e56264f1cbf66bad1f76d074d090d477300c5a3def02e
-
SSDEEP
393216:LLH2PqvBXbuXOqUMD5RpLA3iV4yEJuv1HTiiugx:LLprwoyEJu8Gx
Malware Config
Extracted
amadey
3.89
fb0fb8
http://77.91.68.52
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
-
url_paths
/mac/index.php
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Extracted
redline
kinza
77.91.124.86:19084
Extracted
redline
mazda
217.196.96.56:4138
-
auth_value
3d2870537d84a4c6d7aeecd002871c51
Extracted
amadey
3.87
59b440
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
redline
jokes
77.91.124.82:19071
-
auth_value
fb7b36b70ae30fb2b72f789037350cdb
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Targets
-
-
Target
006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb
-
Size
1.0MB
-
MD5
db869d62f5f8401076718a70f48e586e
-
SHA1
424352327fdb3f8795505b26e11c856479aa493f
-
SHA256
006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb
-
SHA512
ce1e660929575deacaad46b9e52945d26a4a748e25d8bca28932493e43d67a683d5d917b53f171465d31488816b6ab9f7eebac67b723e085fb340644bd8b69c9
-
SSDEEP
24576:py5vrzFyTGc619B8SQEQasoju6DojiYiZnkClrK:cBPwTGc8nxPhZRZnkq
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
0254882920b8d79aa87aa48e3861241d6f50bc1856fc52906e5a574397e08db5
-
Size
1.2MB
-
MD5
8c1625b073a9e827ea8ee7a8a5f6effa
-
SHA1
45ef2f25a51ef42cc602388621a9709e938dfc2d
-
SHA256
0254882920b8d79aa87aa48e3861241d6f50bc1856fc52906e5a574397e08db5
-
SHA512
0e4e38e6340f879d7a2f4c18aad64409dc8c540ab39007a41ca238ce3b8e8f9f861e3cfc761c6c4f7b0c3a7c193bbf17579867c9658df99d2271fb566440920b
-
SSDEEP
24576:NyVhhmI/5PldEHgo5najDbe0gPbuECo2WAj+uQ408zBEkQXVggh:oVhhmU5PldCyubCDjWo+d4sFgg
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e
-
Size
1.3MB
-
MD5
7897a8a6ebf8c162b11b148555d5c616
-
SHA1
60992a6f05358dc6150f7c42a8b5bb42266e6e6b
-
SHA256
059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e
-
SHA512
9b37ae7168063fbf820682d3935242bf3254d1eace417b9206da7e7ea3bec26aa003cdb5347d39d2ae446f73ea77ddf5fddb7cb3e09c5bacada9863d9f9d3b34
-
SSDEEP
24576:Oy/HLy2splQy14Pz413AxpZz1MqkaZEouZugKp3:d/ry2oDWPzG3uR1MqkfZ
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616
-
Size
1.1MB
-
MD5
75d611b9fdd12ae96644de5080557ebd
-
SHA1
dada87e4a3a6c66fdf05bf523ec00f78e9aaa389
-
SHA256
23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616
-
SHA512
df51455190cf4b9406cc3181277aff2342cbcfc9946e2ccba145de5adcd908db4af944e1d3182cdfc154f50f6c5bd34d6010359168090d5cbb941ff09f1edb00
-
SSDEEP
12288:gMrTy90Wp2ABf9NNsOYroRyNVdB31qvOJfAPgLslvr7BCuxxJMU0vLmuxLeMNmrn:jy1pRxsOYUqBQgLOVCYB0inrqjfwq7G
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17
-
Size
812KB
-
MD5
269e4463c32ae30693d623724642b34b
-
SHA1
db7310a4b793e4889d18652788269847a4ca0551
-
SHA256
346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17
-
SHA512
c5c2084f0aa7e829307c0e592aa11d5030a92f83f8f7f955b92c478070b2cd1ca25f10f2adcf958b8a9315fa72305787f8bc18dfaad149c410943871fb410100
-
SSDEEP
12288:7MrIy90Y0bOk0fpuuupA7G7boeBnDjtYIFEIzKYQl3GiXhgnmUK0ct:Py90bgQKKHoefsXXGmnt
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76
-
Size
654KB
-
MD5
6bf1ef97fb912648145ba8485d0034aa
-
SHA1
ebe81236c38c87b10c18ac8294858b0dd5c723bd
-
SHA256
3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76
-
SHA512
33fe49918aa24ba2b8f91841d306be23331272e104ff45a02036d2ff23d18ff27eeab62dfdedd80adcfdc0b751d22fe5f24bf6956ef81a7f6e7def89d5ff0c13
-
SSDEEP
12288:TMrry90TX9G2u/oa4+IenzZPBXUafP5DyCMZ8Xvnr80snL:4yopa9lnsCMkC
Score10/10-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
3bd30de35b2caa677c1a1d8eeb9a0878d3c396425a4501d3fc280590146a7efb
-
Size
1.0MB
-
MD5
6cc79e163b32f15cef6c4e5254345f67
-
SHA1
559c8d313f487ec11d210d7a1b9c0baf9ac73ac0
-
SHA256
3bd30de35b2caa677c1a1d8eeb9a0878d3c396425a4501d3fc280590146a7efb
-
SHA512
59cb6804045b9c2453f03d7999152ab0c31eef5aede7c8ead7f4ed5534761da95da32de4a79a8f74efd4f1b01fe412072dc4787a7c79093ab1f647a8e49e7104
-
SSDEEP
24576:DyxSt7M+4AkPGTHr3VJbC31Weo6ho9zXVe1Grw:WQ9M+4NPuHzV0l+hF
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
4563b46d64120bf9833b2c3a8c333cb31977f9c75d32f836c04620dc0ce6623c
-
Size
1.0MB
-
MD5
8fe82d0e2d2518638a767d3f01fdac83
-
SHA1
42909c9e87631077b5e113a22bf1245310ea602e
-
SHA256
4563b46d64120bf9833b2c3a8c333cb31977f9c75d32f836c04620dc0ce6623c
-
SHA512
333c825d1eec6f9adca67a48a3875526ae357c871c3bb0d9da39f4bd3822f9668d44f32951c501e0aee6cb5ee3b6798f6f0279a90ab726604f7e2856dd371df7
-
SSDEEP
24576:oyhpxgYfKwXna+XvuL3IWmgqG3x/YcVDHG72+opgKICo/:vjxg8XxmHTc6pgKI
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f
-
Size
662KB
-
MD5
dcac23d0bc279a89e89714367315a23b
-
SHA1
4b95e86bc8c126b3d438ad8d7fdb28b6f9baa127
-
SHA256
45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f
-
SHA512
c5adfd13d4cae9e01a35a719bac66e505e7c70352ef9678a3be4ea039b71c9732da3bdcda3aa67f5440443c53da41452e7b1be456cf22a8435f6a2cde38a5265
-
SSDEEP
12288:KMr6y903bBP+0CGbGWeRtUx3QotEXYoQw15uCkOKsX+Km9yAGG2Pg2wYlUKUlF:MyQBPcizqtCeHd1ACktKmk7nA
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8
-
Size
756KB
-
MD5
60c078db5342b504d0f5d0983824a0b2
-
SHA1
8151eb0747f8f4902bdf7ddb288f530ed57ab26f
-
SHA256
545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8
-
SHA512
faee353e621779166a8e91bca06e8e05f919375fe3cff142e0f7a58f2a9bba738a7f81a7ce7d65adecced952b0645f9661b10a1046924a8587a36aec7881ffe3
-
SSDEEP
12288:kMr5y90DWI7C6LGHKHrvElVc1q7eTBplfXISkC1ghjKc1AHEjBz:VyOWhyLvoy18eV/fXpOJF
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab
-
Size
1.4MB
-
MD5
8d90361e8bf7f26eec4a063c82eaa6cd
-
SHA1
a44abc8788bfaaac8ee0e8a6b70458471a8e5648
-
SHA256
5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab
-
SHA512
3d9406f3be98992338f264f08c27f396062cfd5376717da4e9d9efbfc1481f6d7c699ac9dbcd4ba792550ce5aad4b4c176520ccc43e485d3dc2b93e58a6a25ff
-
SSDEEP
24576:tyrFNdHyoabka1N0oVq38WevoGuLiWnbC5z+jUFp9WHk3/fpcBx5Qf:I5Ko30tQsToGuLiASzEwWHrBxO
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
5e70f35516878f784c795b9bc0d243a75bde82267717162cdb1838a7e102b600
-
Size
540KB
-
MD5
4c6202ca27eb3db897c82c8b078592ca
-
SHA1
dec25fca3509c65005bfec21a5c058dc16ec6264
-
SHA256
5e70f35516878f784c795b9bc0d243a75bde82267717162cdb1838a7e102b600
-
SHA512
f765a0fba8a60c0eafbb5c5a51e56f05cdf71f4e3af472bb05547da9af3bfef3dca1f644b43d39d574b9697d6c2de551e4209ac3d11e90aa79f83436756b01fe
-
SSDEEP
12288:yMruy90B65+x8NqnoBu5z6NY9DBqwFEjcL4:4yr4xwqnoc31pEjck
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d
-
Size
234KB
-
MD5
f49341a76d3b4070cf58c0081196772f
-
SHA1
193bb28846d75d8c250304787027969b9b69b622
-
SHA256
7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d
-
SHA512
7a831be3a1c121d3dbc4f292a9782394bc25c486f38bf0c5000058726e97b3ec6e46112dcff8b87dda33b8c39974c5dee670285dc67883f6d58432e9c21b9235
-
SSDEEP
3072:Key+bnr+O175GWp1icKAArDZz4N9GhbkrNEk1M7CZBmbxwUPiPdvuQtokpBQyvU6:Key+bnr+Ip0yN90QEtC/cO/TBpwo+
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29
-
Size
1.0MB
-
MD5
6f6fa83bd35311c3f78ff4d29d1e8117
-
SHA1
1c261d1ed4efb7c407ed76784b008e04f49b3598
-
SHA256
8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29
-
SHA512
e4326312e9c0e5b6c36a8715cd55ce6ee87fbc2f28455c4d0f11dd620a999a935fb4ad03872aed880f142fe00757d851f56295bd2c96f0b725d6b42ba4fd6e66
-
SSDEEP
24576:EyyE63fdNtHwmIFlkWqno9rno4MBdTyaUPR12jpUF:TypFNtQmWqsh2dGdZ13
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca
-
Size
812KB
-
MD5
d7e04401772d93d83c33c32c5f33a602
-
SHA1
3c91a840591313764010ec32ee6a0dc5b5b40447
-
SHA256
928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca
-
SHA512
e5f33a36ed748c53165024bec39585b8b8312a6f68a54953f9d854265e009fcb2d34aec610ff98ce150a3e2aefca3e594ddbbb683e95f9edb962f06f39d575bb
-
SSDEEP
12288:dMr8y9062uW/X3IShA4Q7D2oRWidu+4lJGQmMLRrPv2ReCZdxnQ65gbpmwKK:pyqp3K4+D2rnbXGSiMCDylcK
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d
-
Size
433KB
-
MD5
cdd196694c11df773e31372b1e3f6578
-
SHA1
f013a3c818024ea0e771ff51c981e90a00fcbad9
-
SHA256
972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d
-
SHA512
34c9a0e50a4e6360535108ddb53e802716dce6b69cf1978274620d744cf91221d039994d6edc80ae05ea06cf1c5cce3c9161a66268c25ceb5ed5c11665587b99
-
SSDEEP
12288:9Mroy90XNx2BiXTV2NhmyP7U1Jqr1oX0:dyaNwGa57wJYmX0
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
a025c0e61987ac5dff969885b12ced5a1064ab0b0ae71e3751eb0331b3e6332e
-
Size
539KB
-
MD5
a45778de16313f7bdf760c890122347f
-
SHA1
5c1544de791cd35041106e4bdf7b5f3c5a0c9c65
-
SHA256
a025c0e61987ac5dff969885b12ced5a1064ab0b0ae71e3751eb0331b3e6332e
-
SHA512
1efee5745ad4741b77309bde7c0063ba3d8a4b8eba44489acea81a8df89b89ccd657256c6305e47064840078d747670ef29dff093e2d107b60e002104c1a2af3
-
SSDEEP
12288:1MrPy906oA/07qnoBKRBSCaNRi5iNeTwwmZsFwF8vu:uyavqnogMQnZwF8G
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75
-
Size
662KB
-
MD5
c693bd5e0c62bb8c0044d52c931c31c8
-
SHA1
1693df1c3dff75041377f4480a6a54ead046f278
-
SHA256
bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75
-
SHA512
097c0fc5b6b02889a4f67601a653fd8d4a2b1d574b6b6cbf2004b934eb02ab571236dea6322a4fcedaa5a5281abc08a17d62403bd4f56ed0b199d28b189c9d55
-
SSDEEP
12288:ZMr+y90FaweLM0qcVycy0YlxW0U20+ba9lK1NDlawUX3vPDr:vyW4M1cVZ0W4eiNDlawYPH
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
cf82c35e0a5a0683a1f51d3806ea0eb39a59d81fd4fc110c9762ff99d4e3f389
-
Size
320KB
-
MD5
eaf5487e09db15c107eafb82a3c3e30d
-
SHA1
c3f95ac8ee1b6e53dc1bed7dc4dcf11462f6555a
-
SHA256
cf82c35e0a5a0683a1f51d3806ea0eb39a59d81fd4fc110c9762ff99d4e3f389
-
SHA512
0dee5f7a105b6cdd2114a7fe54270cc7c21f45d837671953ff6306ece85a51574902ef482f79636ebd7ef1e35d6b5fdf9616e2a2d5e3a0b408e1ada8a8ac135c
-
SSDEEP
6144:KWy+bnr+Fp0yN90QE6rKEP3ve7yRfsK6KRFjEXtaBv7hf5c2ww4/:SMrly90UKU/e7RK6KRdEXYp79q2wx/
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62
-
Size
500KB
-
MD5
72042dcc9c9f444364c9d752a2a6578a
-
SHA1
4943efa69c1ec14a4a771999fc74bea4a1a2e175
-
SHA256
fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62
-
SHA512
2a22b2f0ccfee7d97ae3e9b277bca18c3382fba44feb1ff10c5c94818edaa46ec6771021dfdb6f0f3375f52392fb35809032d3c3e0cee31c5533ba5cf7a1acfe
-
SSDEEP
12288:RMrhy90Iu76ZwmypXWLB21ZsWIJ4GtOcH/3jCWffGu5exQH7:YyO63y1Wg+J4xsPjJlexQH7
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
15Windows Service
15Boot or Logon Autostart Execution
20Registry Run Keys / Startup Folder
20Scheduled Task/Job
14Privilege Escalation
Create or Modify System Process
15Windows Service
15Boot or Logon Autostart Execution
20Registry Run Keys / Startup Folder
20Scheduled Task/Job
14