General
-
Target
r.zip
-
Size
11.7MB
-
Sample
240523-lm928acb9z
-
MD5
10edb3a9a699a05bf22065c503182388
-
SHA1
9bdda0e1d1a80c47627ef96451324f0e275ab2ef
-
SHA256
d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8
-
SHA512
fc2b3a0da1d6784f68826fc19483c515c00e3a61f106258f7605bd38f665b6e99e6ee965d6105654e29d4e175bc0c1b24d0f65a57cb370d345e546e37ffe7058
-
SSDEEP
196608:YO0bIQ5jVlm5PP6eauQtYeOdFduf9XLKJcRN4qNB9YdKQIeerRuHcSFGXPfyC:70b7DmxP6aQK5dqlLKJcou7Y8hrUHvFS
Malware Config
Extracted
redline
luate
77.91.124.55:19071
-
auth_value
e45cd419aba6c9d372088ffe5629308b
Extracted
amadey
3.87
59b440
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Extracted
amadey
3.89
fb0fb8
http://77.91.68.52
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
-
url_paths
/mac/index.php
Extracted
redline
kinza
77.91.124.86:19084
Targets
-
-
Target
0848e1e7e128d7f1f97806b2608b355879b602ba08e121497f133be212790f63
-
Size
534KB
-
MD5
3c37c9dee739aadac42bb79609804a88
-
SHA1
825fc8f20b26c3a6a0b14656ccaac4e616cac2f3
-
SHA256
0848e1e7e128d7f1f97806b2608b355879b602ba08e121497f133be212790f63
-
SHA512
c65f00987ef863db518fce5e3c73ec821d2a743b83544b96100d3388e00641d8153bfc96e29839844cd94d48fda513cae2966627c8a6881eb84cb6a8ff0022a2
-
SSDEEP
12288:/Mrwy90l5dDCl5EZ+oNfInGuks/c6+fB5KsUPK7TiumGBESu:PyfHEMiInGukgIB8sBOwBEL
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5
-
Size
1.2MB
-
MD5
3dbb95f86f886cdbafb2d8989c1cc77c
-
SHA1
f0c053c9b02c0cd21a321ce5c57950b0040c7aa7
-
SHA256
1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5
-
SHA512
a0aa590779c2f4e6c4dc3c360047623c5e919eac9219b252c74d634a7f5e654ac1d265e7b18a9783daa722f7c59fd351b3084f7deccbae09dad6ae493cb38683
-
SSDEEP
24576:syYxMgtVHWO2xYNKZPT1VXEFgb8vjy3s8mHUYIzq3ga/6dPy4a6zri:bYxMgtNW9aNKZPT0Fgb8m3qHUZW9iI4H
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2
-
Size
763KB
-
MD5
c87f8ff64e9000e767665d356dbcb9ef
-
SHA1
6da2c45e0fc331217c7c4e0c0cbe2aef2021b8bb
-
SHA256
185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2
-
SHA512
17fa5456f8eb8f27b3df49b292110ee5d39cf7f35ec35ee6c2e7ac2cfe37aea42239e369bb4d80ed54abdc4f4f7ab0f46ffc4e65392d1b8013697490b1978c4f
-
SSDEEP
12288:bMrqy90RuT/1uY7zF2LN18cH8iysFAlFJMiu68twFZ1Pfir:hynT/1D2LN1UsFKMikcfir
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
1a2ed241f75ba217ad63fa42ab55e56d8f009f93b151dd367b73459e26169081
-
Size
759KB
-
MD5
da65ecd0dd929d1a51b4a306ee005289
-
SHA1
a109353f18e52c495a522d2e26fc5596478222c9
-
SHA256
1a2ed241f75ba217ad63fa42ab55e56d8f009f93b151dd367b73459e26169081
-
SHA512
6b59bc5578e22dec313d8e90199a1892fc2e3455001440a76b70ebb97fd6dcb310f45cf17cf417cdec02750ce1548a49f083dde105ce43f38de0d69be9946a53
-
SSDEEP
12288:NMrBy902NCTgXGeV8LTNVQ9vLrUHopYACumX/Yjva8KbvsZzo4BEpu+LnK+FI6y:wyn0/UQNVMMHAouIgG8KIO4BGu48n
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
3933af1a190b049a02aad532333dad6c4862e46b510cc0ec5184873641cc3166
-
Size
599KB
-
MD5
f1284840a75dea598b56fd2b113b57d7
-
SHA1
63abdc9a19ea7543b44b3180ae7fa3a68d304763
-
SHA256
3933af1a190b049a02aad532333dad6c4862e46b510cc0ec5184873641cc3166
-
SHA512
7a827fa3325db78413e5c719df7b0d8d897be2c965499395f8a0c65d2ff3df1cba7bb07dd2ce5f70f138255453453229bede7fb16276567413a4c52f76c1aea3
-
SSDEEP
12288:MMr8y90aStQnEVRLQxQCwIExpmvo++PKjfRBer1nuoCKC7LX3HI/7p:YybEnLxCwIExpfhKjfRBerZJCKCnXI/t
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5
-
Size
761KB
-
MD5
216c4829a35a74ecacf925e3d47f46cc
-
SHA1
3792b2f30a7237382361cae16251ced767d973fd
-
SHA256
404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5
-
SHA512
c4ac9a5edd6200a7734a5fc2048ab52d974516e3a8607c3113dd38fca253adf6aee950b9adaa06ee9b923eeb694c8f2899790eaa19d8b995102473229c8adf15
-
SSDEEP
12288:LMrdy90rTPMHf9/WOfbJ2lkpZUAHwTHOXSVAsAwCGPjcfMgNLW7Wnbq9KsHfo:GyGPMHfp3DJppmAaHOXcMijcfMg1Wosw
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
48b2c44ad346117214bc572f969741dfa0acfcd1fc6e23b00cdeb324c9f00fcf
-
Size
760KB
-
MD5
01b54142bbcbf358e7bb4cf4adc4d84d
-
SHA1
c29ec93bbe01df3aa05cf740226cf47761f1ed8e
-
SHA256
48b2c44ad346117214bc572f969741dfa0acfcd1fc6e23b00cdeb324c9f00fcf
-
SHA512
8cb07cee09caa55ea55bac3398c075b2a5dc3e03e5431572fffbd4b06b406cc41138db1a2c6a0f701d0d870479adb438860c41e1d81aeb0022eb1f35503618ba
-
SSDEEP
12288:AMrZy90MUAe2aL1UeyNwMewZMdNRoNSZPIaZpP7YlAQJI1C:Jy/UAnaZXj+qLRwlaZe+QJAC
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759
-
Size
496KB
-
MD5
9aef86abcad029040fa01e67befa91f9
-
SHA1
9dcbf47ce36595b3eefe59bb1ea833ae5e9d5065
-
SHA256
6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759
-
SHA512
929d5efbf2ed51ded7b4d9a0a3c98cfb6ae8c6142e2dcb7f890e3d61243172d7efb24a367ad10165800dc96ac810fb204a9f3de239ff395e94f6305152af88b7
-
SSDEEP
12288:wMrty90BxdBF3rKeE9ITD0lIfcVLpOrxf5++O/:Ny4/BFVEzIBrxfg
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165
-
Size
913KB
-
MD5
dca929d746fbc57599fd90882325f030
-
SHA1
c3374249560ea2019d57b288aef67906e1c5285e
-
SHA256
708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165
-
SHA512
617458913f5dfb76ed23c605c772a8da48f6905df2f2b46077dc810310d29ba64a334a455f360b815eab93cbf2130fe84ec8177fe099775f45319f9ba0a0896a
-
SSDEEP
24576:YyS5nbWGFJT6uokW0rDd4Q1LG//kXs60r31PeC7:fS5rJ91rDqv/vhrlPeC
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f
-
Size
1.1MB
-
MD5
7f58d8caedf6979bee301182a64a19bd
-
SHA1
b772e45e5ca373a2ee2e081b8f8645b25699d610
-
SHA256
73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f
-
SHA512
fdcb426e044be7279c2958b89b6423b5e5d6cf9ab2cc58213ac885b5a8a7a8d2a30a63dbfa924c201068ad07612ab50244726e407be616896b3d2491a1a70455
-
SSDEEP
24576:CywoOMiEqHorKYErxslRGgHTqqEwg28UJZTiR:pw8iE4qKYErCgIgDUe
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755
-
Size
234KB
-
MD5
45e93a000b07f25fe943fdf1f7b65357
-
SHA1
87725546f53447d680f47e63a0cc581dcd4503fa
-
SHA256
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755
-
SHA512
83cb89078894b96f0bf1f7a8ef6b2983d7e21f60bd575004772267424c4603b75e18f9f805535634a9678aa58494f25eb83fdfc36553f25b3c80bdd4691b2c6d
-
SSDEEP
6144:KBy+bnr+2p0yN90QEHBKyBErKK+iBI/cl:/Mryy90ZxBEz+iBIEl
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009
-
Size
476KB
-
MD5
eb39a2b3c68d99216a38cb0593f82005
-
SHA1
c50ccd4606ad7793cd469ceb9609974f942778f9
-
SHA256
9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009
-
SHA512
87c900f447fc115cb79ff8597fa01705ffe8bba0bfe7a8b42a51ff69a949f9d67c13ff9240946aa9d300c90ef397488762563ebb0e1120463602708d996e03db
-
SSDEEP
12288:VMrAy90EDRCEym1LQ9KRwEXYp7G9TnJQ3Ckltu3:JytRtZQ9KqEABg3
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe
-
Size
373KB
-
MD5
288cac03ce7b5c3aa5272c2f90620147
-
SHA1
610d6ea082a6dcac1812a8fcf7654fde3e807ec7
-
SHA256
9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe
-
SHA512
e48b31059b16d3bb4792be2c17d0d814bd5a1ce9b7669408f2df17675a113e6a7adb7f64a20740ed13077f75efc7c6a4f2f82534d6b61294775c9bff078ac047
-
SSDEEP
6144:Kyy+bnr+Vp0yN90QE9WhSSFCpPTbTenECVcZ6rV1YC1wjZXwcuXLfbaHVT:SMr1y90/uZ0rbAV1xwZwcubgJ
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
ab010a807d239acb2941ec42032df7751afe90303b101088fee9d258794e4a38
-
Size
507KB
-
MD5
2e5330889062fcf0d84486969121769f
-
SHA1
6a5d56c39f33daf782507d31fc4b4e47df9981c3
-
SHA256
ab010a807d239acb2941ec42032df7751afe90303b101088fee9d258794e4a38
-
SHA512
3f96cc3f0c01e83dfefee7717a32d6c3077c79176ba68cd9ba0f783503db7d7ea5b91fd242d915b88becd4d4ebeb1c147af706798373f21d7cc0b590213f85c1
-
SSDEEP
12288:CMrBy90xjSnk0tswyfz4eLx/6TLYrFT5A0FiTZVq:Dy2uinf3Q0rYh3q
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
b85fd724a0f0185fdd32093b1f07f4f209b862b9406e12882311cd820c17cac4
-
Size
829KB
-
MD5
1b57155273f2fd6a1393db1c43bbca12
-
SHA1
2a83532f4c0eb909b7dd5e17ba6d96000a951c32
-
SHA256
b85fd724a0f0185fdd32093b1f07f4f209b862b9406e12882311cd820c17cac4
-
SHA512
73ae095fc68b9b9dc8154d5875c4ab7e284eed5dc6b55404ed47aaccf111f3ff5c2710d91093d89ee541c16a97daa2b9d74a4635c05453584a40a5f60cf726fc
-
SSDEEP
12288:qMriy90KjSj6O8hnnZgzVIQINDwaeAcJSJ3q91uTuhXWqlQmsWxGd6zluo:AyjjtGzxKDDJ3q91VhXHbVlP
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849
-
Size
761KB
-
MD5
4a01abacf29d457359df733251113c91
-
SHA1
b4ad19178b21c759bf8bf5676a435aa4b00b5e5e
-
SHA256
d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849
-
SHA512
99da8748c8593756f22ada15415c9bb7e79f03796b28bf8b56479cfd7c4a715eb239ec9e0d83f044cbdaadadad8c71f4886ed01bd439ac444dc8219032dd277d
-
SSDEEP
12288:SMrWy90UWJTYhBFqL/iQlnlo07S7g/0dMJ6krt4Mr1W40PbyXTvhZHJ:EydPQDVlo07qQ0642tr1SbyXT5Zp
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
dc87cba915fb6101c577a0531cedb5d304be24abd22d9faa34b7a606ccc5f8e1
-
Size
643KB
-
MD5
ff1d1ab6fe52c810fe4abf9552b69e9a
-
SHA1
3472a8f8d5d1d93765c85d242ebf1c043966739a
-
SHA256
dc87cba915fb6101c577a0531cedb5d304be24abd22d9faa34b7a606ccc5f8e1
-
SHA512
4d8cf50d9c5dfc6a669a8914b2a6ada01c90f21a7bb113cfcd256bf796267de14d139d060876ebf1dd87cf8bf81378389f5b2ac74e11143b28881978a804629d
-
SSDEEP
12288:sMrpy90UGsoYRiX8Oo/GehZL0Kk5xAkak1HSmapBPBWztYhCvQ5w+1:9y3FW8ntUJ5xAkFp5ajBWza35
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
e7bd826b7a1c65ad222cefa93d7967f2a11f90fd400aa046a5a96ec60cff1a05
-
Size
396KB
-
MD5
dc84eacc27933a0db96d90c12de60717
-
SHA1
3a646269f3e30b522598ccb2aa18bf4c115cf89b
-
SHA256
e7bd826b7a1c65ad222cefa93d7967f2a11f90fd400aa046a5a96ec60cff1a05
-
SHA512
2b51577ffc104848fdcfce1c3ee63c4c708d3d79f9e21f2696e7360ded105c0be9d3ccff515f6944c6df17bdaef6ebeac2847e70eb451efc784060ccf9643f6c
-
SSDEEP
12288:oMrly90p3B0Wf5Gr0azGyQIh8Ak/61zcOjV/5oBN:dyI0WS0Fycuae15oBN
Score10/10-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19
-
Size
599KB
-
MD5
99fd0b2ec905c3e08b6ab6c8adaf3a4e
-
SHA1
147be259f83e1f4c2e739d390d4a8a72e8373ee4
-
SHA256
ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19
-
SHA512
56a943334d09307861f8f74ef7e858ede2eed15e06dcb2d271938a1eed1039c3ea34811c20965c455ef62b39ca9a2f899e4c559ca420041df28cd022f636705c
-
SSDEEP
12288:GMriy90WiusxhjG8E57oii214aklgzzfcvrjSnKlkcw63IwJwd:AyTEGv57oiiS4abIvr0KJ3Iww
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
19Registry Run Keys / Startup Folder
19Scheduled Task/Job
7Create or Modify System Process
5Windows Service
5