General

  • Target

    r.zip

  • Size

    13.6MB

  • Sample

    240522-xe6wdacf54

  • MD5

    1cb3243679c7fcc6547d31e58c0da5c1

  • SHA1

    97a2fbb77a46a63d238cc017c25c41a39c8dedc3

  • SHA256

    692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

  • SHA512

    1915df86a46396b5d93cd42fe5c2af09b3c1cf79282b1b7f7a3d50cf4cf2b55b274d55b2b50512c3317a50a5157afef047b8114ba92fcf205dfa460a883522bc

  • SSDEEP

    393216:/OMQBSD+4uxkFBZ7ahGZ/WHoFZdJlS07+oAVmbcm8bEXReHeq3U0+cS:/OMQBBgVahGQiJlJ8QMXRw

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

  • rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Extracted

Family

redline

Botnet

luate

C2

77.91.124.55:19071

Attributes
  • auth_value

    e45cd419aba6c9d372088ffe5629308b

Targets

    • Target

      0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513

    • Size

      1.5MB

    • MD5

      99fbd30f8f297404375178545e9a5671

    • SHA1

      eb2faa70c32320bdfd5bab75e879a2883bef1f59

    • SHA256

      0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513

    • SHA512

      e30e2053d363b1eedec5a5493e4304b18e1418944ce5cea2dd1336bdaaff621e86b29877189b383baaf64987099cce625f12785b690c63ae284179aacd880801

    • SSDEEP

      24576:dy8BJhfdaB7d47P6cDYqgmrw5dR9rYT1gIZU6G2U/RbQ6LoEWklTHDv+oR9efG9:4ugB767ScD82w/R2Tj7uGZEWk9zHjc

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a

    • Size

      609KB

    • MD5

      703253f6264bc91569813f4a823cd21a

    • SHA1

      6631769e1f66e381737de8b3c2fdd6ab066e9e57

    • SHA256

      11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a

    • SHA512

      b41b64fe7c5ff95253e8b1130b19fbc330a87559dd1dda8df1ee265dcb0c2fe5ec07d2e493db360c09c3ba67b0bd79e412dee1157f25a9ea6187e01364fb6645

    • SSDEEP

      12288:EMruy90TI/OchkT+nMNtFyGjtCVfbyt5YyQc3kpU36vaMfxcwRKQP2:CyAoHh9nwyP+t2Q3QJPJV2

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a

    • Size

      604KB

    • MD5

      4a49f25c21c373471295f4badcee8cd5

    • SHA1

      dc1871d02c5f5af9ae2a0e24ff0c1cce6ef48b58

    • SHA256

      17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a

    • SHA512

      95261235a51c77f85d1751907cea517529a9bc6179af76ab2c494ff2f702cf265f8bee8fb60b74ab7bb8094432fa9572bed065078a133480ff3c93069347d69c

    • SSDEEP

      12288:hMray90lso2v9t6ehpXEtFyGjjCYfHGp1Pu5UJK6PYwqbPa3Vr:vySX2v9t6lyGmm5UE6PYPbSB

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726

    • Size

      812KB

    • MD5

      79983cb4cd4ed44124acf90324aab153

    • SHA1

      95cbc2ecd9756f962ec62f265dd70b37efc50fe0

    • SHA256

      346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726

    • SHA512

      a2d737b6436c7550ed5d3f2c8d3cd06f21b019613ea71791f9b9f519eeb54e9c2ac0a0290577c86f2afe56f81161dfb981dc00a8e2483ad152b4e3784fc9ba63

    • SSDEEP

      12288:0MrEy90SXhiDq45nmnagUKW2WjcYOTDXKznBc6RZkReqPNgUnnTwR:QyNq3ma+sLAuBc6RkeqPNgJR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f

    • Size

      582KB

    • MD5

      d65b8e601b5fdb8b40ea6d22fd7e47eb

    • SHA1

      e17ef0d987c09976de4825f1a21113b6924a580b

    • SHA256

      4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f

    • SHA512

      7978421c2c01dc1a1a4cea13772b526dbc69f6b46dd5c2b5e4ab4dd6768edde078f0b1a2816097bfa9e4bdbd5f94b2187cc322511001025364fad40cc034590a

    • SSDEEP

      12288:FMrxy90Ydrzg5EyOuXQCRKR0EXVp7lM1aoxCTKx:EyFdvCEyuCRKaE3l7oGo

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a

    • Size

      912KB

    • MD5

      5f4de66cb9b1568753b8a44fad14b23e

    • SHA1

      e2c294ab014a574e4b8ea8d65f2ae46af5f3713e

    • SHA256

      5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a

    • SHA512

      acd31c122a20e8a77ab2f170f783679a2924d1dc958b32f384474590a0ea90c525976ce1c7ccd5be82098d2cee90bbfc9293ebae89a86fe3919ee929cd2265e0

    • SSDEEP

      12288:hMrMy9025kLy2eMdZp7L5QvRc/3aVqtmikIDH3qh5LAYUKEnIqHF+x7SB/h5vs6:FyT5tAf5Qk3CqtwUa/LAHn1HF+1SB1

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1

    • Size

      563KB

    • MD5

      b1cad70cea703c95c6bf90d74c4bfd89

    • SHA1

      1a08e9ad7c417a5011915ccda1a1ec130cd7d3ac

    • SHA256

      64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1

    • SHA512

      4f7c7367da4b3009f5f1691832f88de0a7df9103ba16ff43c92fb3d0eec813005a6f6f31e0b3853b2ce07e2d5c9d0be331f1e60bed9bf8f3b3ebcbcab9a4b2de

    • SSDEEP

      12288:KMrxy90uoiqvTegFhHXzNOI+74h82WRiHJ1CVVVV:nyKEgXHDNn+487Ry4VV

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761

    • Size

      319KB

    • MD5

      6d8e57ec9fb40242960e48d22f43a496

    • SHA1

      bae3e231233d07ab1aa2262999e1934666a1a79a

    • SHA256

      7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761

    • SHA512

      7f411509e2a98d9fbd24805093b3cdecfaa0c2d16b7dc579b1fa1ec5b32786a796c1ccec4cd04078592954680dc9ce6638eccb2b51decf5ce46b6277f87458b6

    • SSDEEP

      6144:KLy+bnr+vp0yN90QEzrKEP3ve7yRfsK6KRFjEXtaBv7FlbeVeR4No5/Z:pMrvy90BKU/e7RK6KRdEXYp7f6VG4N2Z

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      8c970cc94c6aab0b503af6d60e60f5c6c870576c82be9233ab884894899a97d3

    • Size

      476KB

    • MD5

      d102d74d723e6d923e01415cd5ad000c

    • SHA1

      4915d3a0cca73089132731e78c415360fcbbedf0

    • SHA256

      8c970cc94c6aab0b503af6d60e60f5c6c870576c82be9233ab884894899a97d3

    • SHA512

      1f73ec48b7e6a36fab172c4d35345b23bb43ff69231f6c1606b239e6398ab3cedcf7b2a3b12b7ee5b2a05e811daee5d21b12693e4d06139cc6d8194cef9d33fb

    • SSDEEP

      12288:8Mr2y90RhNlSVqPwTdRWKREEXYp7+dwu2bWN:ayOlStHWKaEA+yu1

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24

    • Size

      662KB

    • MD5

      ad556af301bc23d9d68e88347510597a

    • SHA1

      33c98a0a8322aa276c825a76dfbe90eb89adb0ed

    • SHA256

      9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24

    • SHA512

      13b7701cdd1b901df94c7c4dafb68bd37949c822aceb29aa55d04bb5084772c9886f9e8de81e4ed221cfb6c44fa101f395120c02d520fc9fcf03e42e2b80303d

    • SSDEEP

      12288:3Mr2y90oQvlJuZN/gE/AT4aV+nD/xybAP5fI8CR5dXyALD8J0v:RyRQvlcND/AT/V+tpP5fVCjdiALYJ0v

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ae96a881fddd0471c5a462a0b27848d72c34ba866c6061e0f84ab3a1097a7a69

    • Size

      277KB

    • MD5

      7914d68695cc6f54cb467bbd1ea1b980

    • SHA1

      a44f0dcc322e4cddf86f087ca9b97b7c44fd6091

    • SHA256

      ae96a881fddd0471c5a462a0b27848d72c34ba866c6061e0f84ab3a1097a7a69

    • SHA512

      644f90613eb98fe37d95d215271f468ffce81bf939000b9acf5479ae8a8d2668202da25ebab5df1095349bfa3ab650cbfdd2a723f9e3b5bbd3bb7be8471eb07e

    • SSDEEP

      6144:K6y+bnr+Wp0yN90QENekbA4OPoMeP90Rk7WD6:GMriy90vekbLOQMeP+k7WG

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5

    • Size

      845KB

    • MD5

      48567c75c4c768747990b660f8c98486

    • SHA1

      c5d74fb54ab54eb6097414ab1a4c3f80481dfdbc

    • SHA256

      b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5

    • SHA512

      352575ff5f4c3d71905472f5fa1821bd89c0a74f2f66eec4a8529a05ff8155e24fb095fff87c9b425a855f94bd2e29178faa2a8b1bbf4d45c5dce2601f147cb2

    • SSDEEP

      24576:wyTGPDzqeWDz0usMLfZU1nloJ6e6uVQgEb:3SP/9+z0usCq1nmLFE

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351

    • Size

      600KB

    • MD5

      520164b716b018381b9c742d869b32e4

    • SHA1

      c106a10d377bf9b4bb5a4fe99565e2a3805eca05

    • SHA256

      c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351

    • SHA512

      fa004fa2f7170cd50a2ddca65dc26d9ab732ee6f1db843458215827f5ee26f102730e0bbf616276c42643224eef2205fc4d14238c9838d3cdd5a3c58e9316c9e

    • SSDEEP

      12288:bMrRy90DursHSHejS8J0CUKR/e7tRJKRoEXMp71vTkMFnhCF2ZR:+yppH6J1UqG7tXKqE81IMFnhd/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435

    • Size

      812KB

    • MD5

      f5f40df358fb020b709a87b5ed4ec4d3

    • SHA1

      7a1412af73b32c7c9a61007863b57f50570645b2

    • SHA256

      c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435

    • SHA512

      f45fd35998f15a6204494bb8e99391571f35e6e4867e56bf78a818062c75942eea2a63cf93df732f7ed0d6eaf79d49e4a165b1b6ad62df994550e57a1125d3ba

    • SSDEEP

      12288:AMrsy90fafIyG5ojpCh/IL7ElM0kHP5/rmMsj+IgMcFLzZp1/9mOh8++OM:cyMojpCh/+7C4xrmMi+I4Fpr/kOh8D3

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404

    • Size

      812KB

    • MD5

      c32af393533d7be2f96748156338d33c

    • SHA1

      a58be11608b6f27970a62122c7bb6d4e8536a02a

    • SHA256

      d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404

    • SHA512

      9e1f47b3c20f4fa0b0e97758ef702aad9781756266c7c6c8916e189ca00cc477e641524fb84a61b50604adc0e5f231d7a7ca069576dd27631ce1fd58ce2146d0

    • SSDEEP

      24576:Uy72IKmbWYfa3qnoWU0+AhWPlWLZJoXi3Om:jyHmb5i3qAn/PcLZJoXG

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352

    • Size

      645KB

    • MD5

      5c7efd9ec3e27bb93244365f3ccf6bd7

    • SHA1

      8cff2506763935140038ddfd27738d40ebf05eab

    • SHA256

      eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352

    • SHA512

      ea7f94292cb9c024af86dd3176afb4daa7940d2fc6c3616bbba3d9493251273ab921916a04f6a5fd629a5204199ea9dac8948bd03a5031333773e695bf32ac20

    • SSDEEP

      12288:6cMrEy90nyAH07CUhQWRNJcN7MOApGiBg4D/ovR18txF7y+bR6Vq:64y13eUhiPA8iBDxF7+o

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      eb7c2e9dc2416d5168ea11cdee85ea662e4aa32921edbe521787e1a7dcc79228

    • Size

      771KB

    • MD5

      593fd33436446b18f88bd2d596dc126f

    • SHA1

      1ab1f4b4a6057cf0d51780194be0a4358502fa30

    • SHA256

      eb7c2e9dc2416d5168ea11cdee85ea662e4aa32921edbe521787e1a7dcc79228

    • SHA512

      92c5f75ae577806092ba01d709b498aa122df86d7bcc6b7b15aee4ff1fc84137309a66fd5a6a66ba9f05c44113edffe4aa6fd81e218f8d4121b2dc0ef4680604

    • SSDEEP

      12288:TMrJy90MI57GM5n2MwKciVlDz22oIjdLibc69f44FJ2RHDBUwXpZfSr:Sy3q7GMHfRVlH2IjdO5fHOuwXpZfA

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf

    • Size

      943KB

    • MD5

      6df35c0bf802827179491a87b3fcaef6

    • SHA1

      6c11c82d7422d46b4d1e143f25e3ae467c81eb01

    • SHA256

      ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf

    • SHA512

      184e32ed3c876db2b436ed847e6e485fe836ff40ea52bea0d79fa255ebc55e20427ff55dfeb5c197591f29e83565acd533745a0fcd0f59b04e7a153279dc7e69

    • SSDEEP

      24576:+y3lCj5PuU09H6ASUTFegI5QEpHUVDus7CY7:NI5a9HHxbUHGRCY

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      fc2a3968133c3c96ae55dfdd56ca5b4dd51ed30658a98d55193b96e1533f4013

    • Size

      814KB

    • MD5

      4527bf2f344a13d6185f1a6da0302c2e

    • SHA1

      bd22d40e1536515deab632cec917ae895dd3587e

    • SHA256

      fc2a3968133c3c96ae55dfdd56ca5b4dd51ed30658a98d55193b96e1533f4013

    • SHA512

      1373be04134192b800c106ba9214941e12cfd6366b97023a07724ab7a86468996509604a20e6284cb5d549d4a4bd5a193e511487a054ee059c226f849f548c1b

    • SSDEEP

      12288:kMrAy90Wv+ehdmYET2qlvV1x0nt6o58Q82qcaLRjWwL0Gj4iycQLrZNNqXGl6u:EyLvPhXYzJjTo982v5a0duQLXlp

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890

    • Size

      1.3MB

    • MD5

      5bbe0d4d9a0315328670257d051d24ec

    • SHA1

      703f9e52cfa0752b6fe32ce544542d41c26f3414

    • SHA256

      fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890

    • SHA512

      346a4a5629c810d01660ca7b5fe27ca96b89df01e8fe8966858538ed64e06b35fc3aa6d4f39b7f2edfcad380e33a0e634d48c7eba4da1e928f6d0fee0644c35c

    • SSDEEP

      24576:6ybUKxddkeq9KQxslEr58eZS7EWzWvm9bb+0je8be0QDeBc1:BbZniKQxslE98eZS7LT9b7bCeB

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral2

mystic, redline, mrak, infostealer, persistence, stealer
Score
10/10

behavioral3

mystic, redline, mrak, infostealer, persistence, stealer
Score
10/10

behavioral4

amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
Score
10/10

behavioral5

amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score
10/10

behavioral6

mystic, redline, luate, infostealer, persistence, stealer
Score
10/10

behavioral7

mystic, redline, kendo, infostealer, persistence, stealer
Score
10/10

behavioral8

amadey, mystic, 59b440, persistence, stealer, trojan
Score
10/10

behavioral9

amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score
10/10

behavioral10

healer, redline, mrak, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral11

amadey, healer, 59b440, dropper, evasion, persistence, trojan
Score
10/10

behavioral12

amadey, healer, redline, fb0fb8, mrak, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral13

amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score
10/10

behavioral14

amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
Score
10/10

behavioral15

amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
Score
10/10

behavioral16

mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
Score
10/10

behavioral17

mystic, redline, kinza, infostealer, persistence, stealer
Score
10/10

behavioral18

mystic, redline, kendo, infostealer, persistence, stealer
Score
10/10

behavioral19

amadey, healer, mystic, redline, fb0fb8, gruha, dropper, evasion, infostealer, persistence, stealer, trojan
Score
10/10

behavioral20

amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score
10/10