General

  • Target

    r1.zip

  • Size

    16.1MB

  • Sample

    240522-xhdc8scf3z

  • MD5

    d23a93b6206ba5a3472258445859b9a2

  • SHA1

    19e3e3374e55609e856a960a941acf41449b9d87

  • SHA256

    fb68898fc1ee1968d2f438649408cbb8854551c7efa6458a5175c462f02fda63

  • SHA512

    320548fff8398a5f5702b196d8329dbdd72eb2306debb4f73fc85bb5cba8362ae6a02a126c1fb9932c8818a28fc0dc93a9493daa16aa1f04ba483c49789513f5

  • SSDEEP

    393216:znlcSsTBFfpqYrFSUpD/Gx1EIi1/siPSbEgDSoIQ7bz:bSSsdFfpf4UJ8O31wxDHtbz

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@vidradom1234

C2

94.142.138.4:80

Attributes
  • auth_value

    f6e0be4e7ddc7c0185ef8d636b4e28cc
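
The C2 values above come in three spellings (an HTTP URL for Amadey, host:port for RedLine, a bare IP for RisePro), and two hosts are shared between configs: 77.91.124.86:19084 serves both the kinza and grome RedLine botnets, and 194.49.94.152 carries RedLine horda on 19053 as well as RisePro. The Python below is an added example for this page, not part of the sandbox report: it normalises the extracted C2s into indicators, joins each Amadey C2 host with its url_paths to get the full gate URL, and runs the set over a few constructed log lines. The log format ("<ts> <src> -> <dst>:<port> [<method> <path>]") and the sample lines are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# (family, botnet, C2, url_paths) copied from the Malware Config section above.
EXTRACTED = [
    ("redline", "gruha",         "77.91.124.55:19071",  ()),
    ("amadey",  "fb0fb8",        "http://77.91.68.52",  ("/mac/index.php",)),
    ("redline", "kinza",         "77.91.124.86:19084",  ()),
    ("redline", "mrak",          "77.91.124.82:19071",  ()),
    ("amadey",  "88c8bb",        "http://77.91.68.61",  ("/rock/index.php",)),
    ("amadey",  "59b440",        "http://77.91.68.18",  ("/nice/index.php",)),
    ("redline", "horda",         "194.49.94.152:19053", ()),
    ("risepro", "",              "194.49.94.152",       ()),   # report gives no port
    ("redline", "grome",         "77.91.124.86:19084",  ()),
    ("amadey",  "04d170",        "http://77.91.124.1",  ("/theme/index.php",)),
    ("redline", "@vidradom1234", "94.142.138.4:80",     ()),
]


@dataclass(frozen=True)
class Indicator:
    family: str
    botnet: str
    host: str
    port: int | None         # None: the report gave a bare host, match any port
    paths: tuple[str, ...]   # Amadey gate paths; empty tuple means do not check


def parse_c2(family: str, botnet: str, raw: str, paths=()) -> Indicator:
    """Normalise the three C2 spellings in the report: 'http://host' (Amadey),
    'host:port' (RedLine) and a bare 'host' (RisePro)."""
    if "://" in raw:
        u = urlsplit(raw)
        port = u.port or (443 if u.scheme == "https" else 80)
        return Indicator(family, botnet, u.hostname, port, tuple(paths))
    host, sep, port = raw.rpartition(":")
    if sep and port.isdigit():
        return Indicator(family, botnet, host, int(port), tuple(paths))
    return Indicator(family, botnet, raw, None, tuple(paths))


INDICATORS = [parse_c2(*row) for row in EXTRACTED]


def gate_urls() -> list[str]:
    """Full Amadey gate URLs: C2 host joined with each of its url_paths."""
    return [f"http://{i.host}{p}" for i in INDICATORS for p in i.paths]


# Constructed log format for this example: "<ts> <src> -> <dst>:<port> [<method> <path>]"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)(?: (\S+) (\S+))?$")


def match_line(line: str, indicators=INDICATORS) -> list[str]:
    """Labels ('family/botnet') of every indicator the log line satisfies."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _src, dst, port, _method, path = m.groups()
    hits = []
    for ind in indicators:
        if ind.host != dst:
            continue
        if ind.port is not None and ind.port != int(port):
            continue
        # Gate paths are only checked when the log line carries a path; a plain
        # host:port hit on an Amadey C2 is still reported.
        if ind.paths and path is not None and path not in ind.paths:
            continue
        hits.append(f"{ind.family}/{ind.botnet}" if ind.botnet else ind.family)
    return hits


def scan(lines) -> dict[str, list[str]]:
    """Map every matching line to its labels; non-matching lines are dropped."""
    return {ln: h for ln in lines if (h := match_line(ln))}


# Constructed sample traffic, not taken from the sandbox run.
SAMPLE_LOG = [
    "2024-05-22T10:01:02Z 10.0.0.5 -> 77.91.68.52:80 POST /mac/index.php",
    "2024-05-22T10:01:09Z 10.0.0.5 -> 77.91.124.55:19071",
    "2024-05-22T10:02:00Z 10.0.0.7 -> 194.49.94.152:50500",
    "2024-05-22T10:02:30Z 10.0.0.9 -> 93.184.216.34:443 GET /",
]

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_LOG).items():
        print(", ".join(labels), "<-", line)
```

A hit on 194.49.94.152 with an unknown port is reported as RisePro only, because the report names no port for that family; the RedLine horda label is attached only when the port is 19053. Expect the shared 77.91.124.86:19084 endpoint to return two labels, which is a reminder that botnet IDs, not C2 addresses, distinguish the RedLine operators here.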

Targets

    • Target

      00dd845a27cdd6a841129f3f25bc36fd11c64b769481d2a584164a99fbd2c3d6

    • Size

      815KB

    • MD5

      1bbc286e0de70ea93a2d22382215cb6f

    • SHA1

      998f8216681b836c1c9995ffd0d617d0259fe94d

    • SHA256

      00dd845a27cdd6a841129f3f25bc36fd11c64b769481d2a584164a99fbd2c3d6

    • SHA512

      2ea1320c1e37907e97c4247b29c9723005bbf6c32e19aaac53d4f61e4c78ad260f811af031bee40cf519855f256cec7492c27988f902137c9a537df6b8f09175

    • SSDEEP

      12288:GMrgy90z+CjW5ZWOWEUTi85pVWgy4Bu8CixTSidrx1JzKHY5sLdVWcjKapw/CJ:ay6+sW5QpJvLy4Bjx5xbELORaGe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0e4f6fa259d45f6b8b8d2e708ff9cac68a58307c15686d384502402302d450f8

    • Size

      762KB

    • MD5

      7552519f9996f9c76b4162aabc6f39dd

    • SHA1

      74e8494962b80dbe582f10c4ac392e91b67c54f1

    • SHA256

      0e4f6fa259d45f6b8b8d2e708ff9cac68a58307c15686d384502402302d450f8

    • SHA512

      290e4daa6c737ba8eaf8e416257263a346054f48758b9324d2ce302fc1860b1d7545d00e4ac93637b92849a64939455953c2795ffaea559df0a09a878f990e66

    • SSDEEP

      12288:JMrPy90ST157TEsGSsGzE0iIRF/qONhX5jtAh7WpBQnzxsVkXkxcCdnIfY7:myVBqS+NWgONhXXOq/OzxsVykKSIg7

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b

    • Size

      503KB

    • MD5

      1cdcd0418b5ed6de8f5ce0e268c264da

    • SHA1

      5af6604444d6a85e87847fda3197b156aa18b2ab

    • SHA256

      160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b

    • SHA512

      b43523de650f5ab97079966778997fe6f3b4129684110463d40e2d077038156008ba9071e699d3711bbd503e4c43929945b3d862f9c28aa71ac3b948316f597b

    • SSDEEP

      12288:jMrHy90TxDvhnlYPLgRtFyGjKCufuntSdGIOPd/k2yHsvcIXm:YyApBlYs5y3+tSAIO5jzvI

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      2469003f42fad7f59b70f7ba006c65ee5db3798dfa579f761b047cd449e394fb

    • Size

      600KB

    • MD5

      92caeb092fe661984d6b5938db1e3d2c

    • SHA1

      aab1602e93402605ae2f28b22ff993873730532a

    • SHA256

      2469003f42fad7f59b70f7ba006c65ee5db3798dfa579f761b047cd449e394fb

    • SHA512

      76aeb5a9753b57d6cecc4474965e0a623ab13ab5ca9439c2ce2d43797afded16c738fb0339789edf61bf6ce59c7df884ed120c57c1ed29536643d3df8be638f9

    • SSDEEP

      12288:JMr+y90odZgZUSkyiUAl6cKF/e7oVrKRQEXFp7GDlSAEkObTn94b:fyhrPqAQc2G7oNKeEnGDQMOd4b

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      37d87e8c1add733f6b0f726eb97fd64542de486c7b60c80ffabe798eb6c54a0c

    • Size

      1.1MB

    • MD5

      2c94ca6b9e68f23873d291cc5de452d7

    • SHA1

      427dd5a76b3cc7cf997f49fc699a9c37a2a90298

    • SHA256

      37d87e8c1add733f6b0f726eb97fd64542de486c7b60c80ffabe798eb6c54a0c

    • SHA512

      21c5fc9e942ad544132204ac52853f49f1c895e82f9caef58c85c72bcfd463911e7feea071b6caa8c5c0f691c12c660d3509ccd3de49df25378a818cf122e174

    • SSDEEP

      24576:Vyh2xPiliqDSXAwlKOiht4hZu78PnoF2rRCft2:wUPibSXA2Kpt4hZBPnoF6kft

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7

    • Size

      1.2MB

    • MD5

      dcd9239b4bb709fc94e727b9ee27967c

    • SHA1

      8ef4e373ab58a741760183d789277198dfde7ba9

    • SHA256

      4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7

    • SHA512

      1c9d81725cbf5b0eec0ca4c2cd61b4e9d0da644dc6c8d64877c46f11a732f4d3467f212065eef436c9892872a832b865d7d5489a7eeeda90891330ebce036ae0

    • SSDEEP

      24576:AyUqqXwz+yZ7ocKLgR86dxL5R44FKMeeJ6qQp+iRCLP8rxk8T1fxg+n4GA:HUXwz+yZUcKLgRFdxL5WMeeJo4LEk8TX

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2

    • Size

      507KB

    • MD5

      cfafb3b6f16b43df024f7f40e7c6ee1a

    • SHA1

      30f47ba6243552d59893105bc8e90497368b3853

    • SHA256

      4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2

    • SHA512

      a7a08355147e240c7030614fe9e220a0f2fd096b298ccc42816980d475ca46d53f17d5b3ed41037902646f4a84e365b24eecf91e9755fcddb119d59918561797

    • SSDEEP

      12288:ZMroy90Gmlxvyy4NY5wERz11xDb5/DgDQkYHQl4X:RyfQ4y4WLz11xDb5/DgD2X

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      4fe5ee134e6a340110e2fe9b3471372154b727e90d980f5660e2c7d24f779f25

    • Size

      1.1MB

    • MD5

      151af4f44e3d6b1ac8116b1679624dee

    • SHA1

      dddcc75275ace2a92c71c3c9d2becfeb86fb4ce1

    • SHA256

      4fe5ee134e6a340110e2fe9b3471372154b727e90d980f5660e2c7d24f779f25

    • SHA512

      ca05d5b82d1cdb202288f338e4eaac950fe26cce01c5ce2bfbc67a27ea8e476893b6fc59393aa942b57b4fd4ee89b1124fc9029c13bc7eb24f7fe725ced77c5c

    • SSDEEP

      24576:Fyz+Ur2zG77uKCEAJM4lNvgEiew8fqAuEPeCuw0XJ/KrdMNszXwqs+1:gMzGPuKCEAJJl8Wfqcz0FqdMObwy

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      5bc4a6b3d5d850441455c1201b411fa16528c9d21a13517fd2f373d1536d57f6

    • Size

      812KB

    • MD5

      659d8ade6c93a41292e60a3cf24aee6d

    • SHA1

      57c08365cbed71bef5b3ff3f38fc45354f8bb7bf

    • SHA256

      5bc4a6b3d5d850441455c1201b411fa16528c9d21a13517fd2f373d1536d57f6

    • SHA512

      e29e7ee9dc4482c300081c2cba82f48332b6e5b425d8e99c24f8f2e1d265353d014bf23d05787a55db862bda8d424aae5bb85058cc376735065f3a7822c0244a

    • SSDEEP

      12288:yMrSy90bdcddavTH8ZUjqb9FamNPyEkqno7WLzSAYDbDnKoCVrzoD+HK:UyAuGSIeRSqnocgbneVrz+

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc

    • Size

      1.5MB

    • MD5

      769c5f3bb0882e4699008264e30d36a1

    • SHA1

      6f723c5ab29eb3e7300d51f736c5be4f39cb0060

    • SHA256

      62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc

    • SHA512

      33a36445bca5c6afbb1fa03b88ebb932560c61966e3b9dc480e72f52775d49141c292221ecc403471dbaf891417cc10e6a821bc40cb4474075d5406d52141273

    • SSDEEP

      24576:IyIFT2Rph5Zm9B6zpHDDI/hdhEIOTYRqpQy165616OKXwzxYlUdA1LZFPwi+Lmu:PIQp/Zm9B6zZDDU1EhlpQyR6OKAxlAZ4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053

    • Size

      572KB

    • MD5

      1ac19b91e5253c091061691c660c70fb

    • SHA1

      7b113146e03c198d1cd4a7b1d10c2dad5bb6a909

    • SHA256

      77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053

    • SHA512

      6ed54774d55e8fc33480a56533c43f8eeffa64c225832e9e7aa932566c66bc80a0c1b9cf95db749f2a024316d57779255659151a483d7c5acc9c24e483e6af08

    • SSDEEP

      12288:6Mr9y90/DGsxoXIq17/+FrSBIEBOFgJdHsKPdg54J:HysGwo4cb+dSOA7rPfJ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      78a2f3c49d7778a1b4924bb7355ccbbd6bbeeef4a1876c8a4fd0f6f984769466

    • Size

      234KB

    • MD5

      61fc72539e72e9767140cd73f0f9edb4

    • SHA1

      dd2acea4ec7fa4ecf3fd5e1975422dcbf80e52f2

    • SHA256

      78a2f3c49d7778a1b4924bb7355ccbbd6bbeeef4a1876c8a4fd0f6f984769466

    • SHA512

      fc52f681316c1b1bd80f128e63eadd709ec7465b9f3c9d6205d40c20520c5bc2b896866e9f2f25adb1cd276b53f3bd12a07042c574128ad7c9dadd97704f3d1a

    • SSDEEP

      3072:KEy+bnr+O1n5GWp1icKAArDZz4N9GhbkrNEk1+6D5dMOt7WQqounTUok:KEy+bnr+Qp0yN90QEPzDQqom

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7c1372b4b0e76a7d202143cbcc40dce411a401341f2168aef3204cfc9f9da9fc

    • Size

      1.5MB

    • MD5

      cac5297462d6e1dfd40d458d6d59823f

    • SHA1

      0d28c9fa7ead0dda4e3e50d50ad2261bafbc541f

    • SHA256

      7c1372b4b0e76a7d202143cbcc40dce411a401341f2168aef3204cfc9f9da9fc

    • SHA512

      b04ee15a4124fc1efa31e8ee73eb36676db44e5d5f4f7c6db807f846efb7ca9e3f5686e3a77f40253f5c84b910ba80219c7d1c5f1d61e7e2ff62e63fe5c4109d

    • SSDEEP

      24576:myzAp59zdpCTo+EZ9GucVMfluA40tD+RS8JW8VhpvQlzLHkx4hfO2P8Cyp:1y7CMlGuIF4rNqS9HkKhfO2P4

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      7cd3eb4cd6f49efea0958d092cf89c4360141c9e96cf89f3bd4042291e628b0e

    • Size

      437KB

    • MD5

      4706f66d2e76da2ba34e3bf258ffba15

    • SHA1

      ab71090e08967118015963985f2f1df2c603f1f3

    • SHA256

      7cd3eb4cd6f49efea0958d092cf89c4360141c9e96cf89f3bd4042291e628b0e

    • SHA512

      9ae987c7af0509c9ff0d3cef44eab0a8499f930b42a71183306a081a66fd5b128c8a3508dcad251281a7bbcf2cc0154a6be44d64bc47e80c46afd972fac58790

    • SSDEEP

      12288:9Mrfy90uxpbCC8SLD5x/rKR6EXYp71uwXC:Ky372C8SLD5x/rKgEA1uwy

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7

    • Size

      373KB

    • MD5

      15f157c29571d8a426e4390328ff5f53

    • SHA1

      ca91bab592cd28579d4ecb2aaaf6bb2c9c607e38

    • SHA256

      7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7

    • SHA512

      d29be9762844647d70ded8bc115b5c83958d3f087155b2e027e2d94e85c3e0d3f473fa90b1659b706211a6495889fc4dca6861ff33dc8e58c65918425ee4a3ef

    • SSDEEP

      6144:Kly+bnr+fp0yN90QEjVss6d52jPjeK3GwVxAIoqTP/LMAWREa2NXy:PMrTy901+1d527xOqnM1RF2Ni

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      a277894fe9048cd5fca86a41cd15d3ca798f15ec412ab35d84f136d39597b97d

    • Size

      831KB

    • MD5

      85e4a0f5a6136ee4873a53af1f693ed0

    • SHA1

      c8295b1ef666acdb88a5e320b5a1d70eeb17d96b

    • SHA256

      a277894fe9048cd5fca86a41cd15d3ca798f15ec412ab35d84f136d39597b97d

    • SHA512

      cccfff50a1c9736573e80e7d66991930ffd0a607441e2bba89a61a7e5860d31494475387068895ed0f42d05251ece93f599f78ef325c62db1c04170099243c7c

    • SSDEEP

      12288:wMrNy90oQfovlCb2GmvXKcOr1+JTWZx2LufAKuBG/Nw8SjKgpJlGRqMul0CX/Qmd:tyPQfoIO6cxWZxuBHvb+qMuJPSzk7

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cd0d56c5cef765fb6cc44988f16cfea540a6eacff2349df1adde54d8bdf0ac15

    • Size

      1.1MB

    • MD5

      27af7a4c719af0f00736750684474c33

    • SHA1

      03e8e393f661280826fbc7e7576e584d0f3a9113

    • SHA256

      cd0d56c5cef765fb6cc44988f16cfea540a6eacff2349df1adde54d8bdf0ac15

    • SHA512

      17daa6adef43ef520e97df98ce819c87bdc5a0c093233a6bfab264a16d7ba6fe6ba9fa5a9e00506de4b1fb0aa937efe388943bfdfe67c47c06cbaf31fabc53a6

    • SSDEEP

      24576:ry5DLDF4WsVdsl323tNupeEC4MI7WkuOUgyYKT57AZ5FG:eJLZObx3fIe6fykuN37APF

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d304eb3331ed5f7542898adf235b0119e5ae9bf4622b4c36147856e87a8ec8e2

    • Size

      433KB

    • MD5

      50b9db4007c61b38b491d12f1077842e

    • SHA1

      681f65edc9f027e30d2e2a852bae01699270039a

    • SHA256

      d304eb3331ed5f7542898adf235b0119e5ae9bf4622b4c36147856e87a8ec8e2

    • SHA512

      77f3bc841d1e8f135e9cc3b443da58ce96bb567bf108dc4ef40ce9289c5fc92b7101bc77128158204f8eec03c6fd390bc65c19b3d1e877aaf817d2afae62e1b0

    • SSDEEP

      12288:FMrKy90UBVIk3ZX7/PWuhM8O8zhs2SzgdYk:LyFBzi8Bf2k

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b

    • Size

      809KB

    • MD5

      0916237eabab44bdebdaaa534e5b0044

    • SHA1

      0f91723a69badda61451fdad109d59c3ca65fd67

    • SHA256

      d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b

    • SHA512

      8d1aeb276067c925e6963d73f57f2b14d805bc94cdd1dcc36a4bd00412b4b6c83c3a63fc18ba0a715005a2e7e7016de3e9261e062e9ac31c7692226211b3f0e9

    • SSDEEP

      12288:YMrWy90qF5sd2S/bMJHsA+43dFUwnHAjGqnos9rW3m47uO4H73IK1fC2rca2hzG:uyEoJMAD6vyqno5WZZ7YEC6R

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854

    • Size

      1.5MB

    • MD5

      ec417563dcc0b40dd4df530fab086b34

    • SHA1

      0fbbdc8e4d8d4f002bccaaeeaf45a4568a951e5d

    • SHA256

      ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854

    • SHA512

      384cd2c4f9e2d4e320522be0e2acf107706f601fb253ca88c2945b68d3acfe31fcb9311d64bda686b6bf397877825cef5a30dd3dcf7db4433470ed3e49cd0fbd

    • SSDEEP

      24576:RyE/0Wzk0wwhw5K+y9iSn5PJvsH4UDlKl3YxFhSmCBwRe0MrQUlzpn/U5:Ec0WLwsd0XH4UQoxF0mkwqrLlFn

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f9789caac1d5ebec982c1e56156eeaba9635c705104c77a48602d2aa3f43635f

    • Size

      1.1MB

    • MD5

      1e6fc45ebea637f8e630dda82edcb3fa

    • SHA1

      384d3a1238ac6f97f3d1ac42715e8f16f59ac18a

    • SHA256

      f9789caac1d5ebec982c1e56156eeaba9635c705104c77a48602d2aa3f43635f

    • SHA512

      cf11c0b07025936316bc17d3b227e6d28630f47cbb5cff1ae032b0b2e0d2ddeda0f54d27ba2b2e030645c3f90a0199e44072d4a63cf25cda2428b2e34d0956ec

    • SSDEEP

      24576:yJCp+zNkHOvnDUDuMJth9SHIP1DuGpDYpk:yJKHOvnDUDdWU1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
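
The signatures repeated across the targets above (Run key persistence, Defender real-time protection tampering, the registry geofence check, execution of a dropped EXE) each come down to one or two registry or process events. The Python below is an added example for this page, not the sandbox's own detection logic: it replays a constructed Sysmon-style event trace through checks for those behaviours and also flags process starts whose path ends in one of the install_dir\install_file pairs from the Amadey configs above. Assumptions made for the example: the geofence signature keys on HKCU\Control Panel\International\Geo\Nation, Amadey's copy lives at %TEMP%\<install_dir>\<install_file>, and the Defender value names are the standard Real-Time Protection policy values (data 1 switches a protection off).

```python
from __future__ import annotations

from dataclasses import dataclass

# install_dir / install_file pairs from the Amadey configs above. Assumption for
# this example: Amadey's copy sits at %TEMP%\<install_dir>\<install_file>.
AMADEY_DROPS = {
    ("fefffe8cea", "explonde.exe"),
    ("925e7e99c5", "pdates.exe"),
    ("b40d11255d", "saves.exe"),
    ("fefffe8cea", "explothe.exe"),
}

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
DEFENDER_RTP = r"\windows defender\real-time protection"
# Assumption: the "Checks computer location settings" signature keys on this value.
GEO_NATION = r"hkcu\control panel\international\geo\nation"
# Standard Defender Real-Time Protection policy values; data 1 turns a protection off.
DEFENDER_OFF_SWITCHES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
    "disablescanonrealtimeenable",
}


@dataclass(frozen=True)
class Event:
    kind: str        # "reg_set" | "reg_read" | "file_write" | "proc_start"
    pid: int
    path: str        # registry key, file path or process image path
    name: str = ""   # registry value name (reg_set only)
    data: str = ""   # registry value data (reg_set only)


def evaluate(events: list[Event]) -> dict[str, list[Event]]:
    """Map each signature name used in the report (plus one added Amadey path
    check) to the events that triggered it."""
    hits: dict[str, list[Event]] = {}
    written: set[str] = set()   # executables created earlier in the trace

    def fire(sig: str, ev: Event) -> None:
        hits.setdefault(sig, []).append(ev)

    for ev in events:
        p = ev.path.lower().replace("/", "\\")
        if ev.kind == "reg_set" and p.endswith(RUN_KEY):
            fire("Adds Run key to start application", ev)
        if (ev.kind == "reg_set" and DEFENDER_RTP in p
                and ev.name.lower() in DEFENDER_OFF_SWITCHES
                and ev.data.strip().lower() in {"1", "0x1"}):
            fire("Modifies Windows Defender Real-time Protection settings", ev)
        if ev.kind == "reg_read" and p == GEO_NATION:
            fire("Checks computer location settings", ev)
        if ev.kind == "file_write" and p.endswith(".exe"):
            written.add(p)
        if ev.kind == "proc_start":
            if p in written:
                fire("Executes dropped EXE", ev)
            parts = p.split("\\")
            if len(parts) >= 2 and (parts[-2], parts[-1]) in AMADEY_DROPS:
                fire("Amadey install path", ev)
    return hits


TEMP = r"C:\Users\u\AppData\Local\Temp"

# Constructed trace, not the sandbox's: one Amadey-style install followed by a
# Defender switch-off, a re-enable (must not fire) and a benign process start.
SAMPLE_EVENTS = [
    Event("file_write", 1200, TEMP + r"\fefffe8cea\explonde.exe"),
    Event("proc_start", 1344, TEMP + r"\fefffe8cea\explonde.exe"),
    Event("reg_read",   1344, r"HKCU\Control Panel\International\Geo\Nation"),
    Event("reg_set",    1344, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          "explonde", TEMP + r"\fefffe8cea\explonde.exe"),
    Event("reg_set",    1400, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
          "DisableRealtimeMonitoring", "1"),
    Event("reg_set",    1500, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
          "DisableRealtimeMonitoring", "0"),
    Event("proc_start", 1600, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for sig, evs in evaluate(SAMPLE_EVENTS).items():
        print(f"{sig}: pids {[e.pid for e in evs]}")
```

The Defender check deliberately requires the value data to be 1 so that a policy write that re-enables protection does not count; the "Executes dropped EXE" check only fires for an image that was written earlier in the same trace, which is what separates a dropped payload from any other process start.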

MITRE ATT&CK Matrix ATT&CK v13

Execution
  • T1053 Scheduled Task/Job (11)
  • T1064 Scripting (1)

Persistence
  • T1543 Create or Modify System Process (8)
      • T1543.003 Windows Service (8)
  • T1547 Boot or Logon Autostart Execution (20)
      • T1547.001 Registry Run Keys / Startup Folder (20)
  • T1053 Scheduled Task/Job (11)

Privilege Escalation
  • T1543 Create or Modify System Process (8)
      • T1543.003 Windows Service (8)
  • T1547 Boot or Logon Autostart Execution (20)
      • T1547.001 Registry Run Keys / Startup Folder (20)
  • T1053 Scheduled Task/Job (11)

Defense Evasion
  • T1112 Modify Registry (33)
  • T1562 Impair Defenses (13)
      • T1562.001 Disable or Modify Tools (13)
  • T1064 Scripting (1)

Discovery
  • T1012 Query Registry (13)
  • T1082 System Information Discovery (24)
  • T1120 Peripheral Device Discovery (2)

Tasks

static1
Score 3/10

behavioral1
amadey, healer, mystic, redline, fb0fb8, gruha, dropper, evasion, infostealer, persistence, stealer, trojan
Score 10/10

behavioral2
mystic, redline, kinza, infostealer, persistence, stealer
Score 10/10

behavioral3
mystic, redline, mrak, infostealer, persistence, stealer
Score 10/10

behavioral4
amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score 10/10

behavioral5
privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
Score 10/10

behavioral6
amadey, mystic, redline, 59b440, mrak, infostealer, persistence, stealer, trojan
Score 10/10

behavioral7
mystic, redline, mrak, infostealer, persistence, stealer
Score 10/10

behavioral8
redline, mrak, infostealer, persistence
Score 10/10

behavioral9
amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
Score 10/10

behavioral10
mystic, redline, kinza, infostealer, persistence, stealer
Score 10/10

behavioral11
amadey, healer, redline, fb0fb8, mrak, dropper, evasion, infostealer, persistence, trojan
Score 10/10

behavioral12
amadey, healer, 88c8bb, dropper, evasion, persistence, trojan
Score 10/10

behavioral13
mystic, redline, kinza, infostealer, persistence, stealer
Score 10/10

behavioral14
amadey, redline, 59b440, mrak, infostealer, persistence, trojan
Score 10/10

behavioral15
mystic, redline, mrak, infostealer, persistence, stealer
Score 10/10

behavioral16
mystic, smokeloader, backdoor, evasion, persistence, stealer, trojan
Score 10/10

behavioral17
privateloader, redline, risepro, horda, infostealer, loader, persistence, stealer
Score 10/10

behavioral18
amadey, healer, redline, 59b440, mrak, dropper, evasion, infostealer, persistence, trojan
Score 10/10

behavioral19
amadey, redline, 59b440, mrak, evasion, infostealer, persistence, trojan
Score 10/10

behavioral20
amadey, mystic, redline, smokeloader, 04d170, grome, backdoor, evasion, infostealer, persistence, stealer, trojan
Score 10/10

behavioral21
redline, @vidradom1234, infostealer
Score 10/10

behavioral22
redline, @vidradom1234, infostealer
Score 10/10