Overview

overview

10

Static

static

10

0c2dd9c9b9...68.exe

windows7-x64

10

0c2dd9c9b9...68.exe

windows10-2004-x64

10

0e4fc438de...91.exe

windows7-x64

3

0e4fc438de...91.exe

windows10-2004-x64

10

10849d5fae...52.dll

windows7-x64

1

10849d5fae...52.dll

windows10-2004-x64

1

170004b7b6...1c.exe

windows7-x64

10

170004b7b6...1c.exe

windows10-2004-x64

10

18db51db10...c1.dll

windows7-x64

10

18db51db10...c1.dll

windows10-2004-x64

10

1b32bfbc64...d8.exe

windows7-x64

7

1b32bfbc64...d8.exe

windows10-2004-x64

7

296281f1f1...d8.exe

windows7-x64

3

296281f1f1...d8.exe

windows10-2004-x64

10

2c2e949171...3c.exe

windows7-x64

3

2c2e949171...3c.exe

windows10-2004-x64

10

311d9f8c68...99.dll

windows7-x64

10

311d9f8c68...99.dll

windows10-2004-x64

10

4bb311ba0e...81.exe

windows7-x64

10

4bb311ba0e...81.exe

windows10-2004-x64

10

7365c4cf37...f6.dll

windows7-x64

10

7365c4cf37...f6.dll

windows10-2004-x64

10

73f00d2746...7e.exe

windows7-x64

3

73f00d2746...7e.exe

windows10-2004-x64

10

832a15b86c...dd.exe

windows7-x64

3

832a15b86c...dd.exe

windows10-2004-x64

10

8ce5a8cb0a...be.exe

windows7-x64

3

8ce5a8cb0a...be.exe

windows10-2004-x64

10

98972d73a8...70.dll

windows7-x64

1

98972d73a8...70.dll

windows10-2004-x64

1

bfd5040c97...c6.exe

windows7-x64

3

bfd5040c97...c6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    samplesArchive.zip

  • Size

    12.8MB

  • Sample

    240717-meersawfrk

  • MD5

    fe562ed8006205c5ed79a8b52cedde92

  • SHA1

    709147759e29a33212966c6ff0f45fa72926f531

  • SHA256

    9c43b8f6793d12e08d84a3380c338675473db6c17838831a76d3b480b493c5c5

  • SHA512

    46cdf461e0a650aa4d4e79db1267b167175ad9c55ab49e81b1f3627cda6760ec8abb1e04c37f2d4ee39e11d8592ade8cd2440f8e1b26d2900b854e71f1c7f643

  • SSDEEP

    196608:cpF3KiayV1RbQOBVIo5EmeOijkWg7mtmQJhi+7+UDhmQlZ6fAgXLzhNUYXhGtqEY:QayVzbrmmeOSDfQGiO+atqfrxNr4xSl

Score
10/10
amadeyasyncratdjvulummaredlinestealcstrela1307newbild6951125327@logscloudyt_botdefaulte76b71hnewleglivetrafficlogsdiller cloud (tg: @logsdillabot)collectiondiscoveryevasioninfostealerpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

1307newbild

C2

185.215.113.67:40960

Extracted

Family

asyncrat

Version

0.5.7B

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • c2_url_file

    http://update-checker-status.cc/OCB-Async.txt

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

strela

C2

45.9.74.32

Attributes
  • url_path

    /out.php

  • user_agent

    Mozilla/4.0 (compatible)

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.101

Attributes
  • url_path

    /f3ee98d7eec07fb9.php

Extracted

Family

redline

Botnet

6951125327

C2

https://t.me/+7Lir0e4Gw381MDhi*https://steamcommunity.com/profiles/76561199038841443

Extracted

Family

djvu

C2

http://cajgtus.com/test1/get.php

Attributes
  • extension

    .watz

  • offline_id

    Lc3VTezPWbMhuVAQFzJUdeA68PwI7UDpc5aKHYt1

  • payload_url

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0874PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

77.105.135.107:3445

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes
  • install_dir

    8254624243

  • install_file

    axplong.exe

  • strings_key

    90049e51fabf09df0d6748e0b271922e

  • url_paths

    /Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

C2

185.172.128.33:8970

Extracted

Family

stealc

Botnet

hnew

C2

http://85.28.47.70

Attributes
  • url_path

    /570d5d5e8678366c.php

Extracted

Family

stealc

Botnet

Leg

C2

http://40.86.87.10

Attributes
  • url_path

    /108e010e8f91c38c.php

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.52.165.210:39030

Extracted

Family

lumma

C2

https://stationacutwo.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

https://freezetdopzx.shop/api

https://applyzxcksdia.shop/api

Targets

    • Target

      0c2dd9c9b940868e85bc46857d049a057af32b8abdb93ebc6732774575013168.exe

    • Size

      1.8MB

    • MD5

      2e12b69ae7aa5d931a6aa3bf554071df

    • SHA1

      7fa9b1642771d38916f45da8f5f00a9eacc94a28

    • SHA256

      0c2dd9c9b940868e85bc46857d049a057af32b8abdb93ebc6732774575013168

    • SHA512

      e299d2fa9890b2a178ca2aa06e44e76a057a936c0987d0c59d08e9428959f75f20080cfdba5d3d86402182e9ec18818726f46bd91ebaa6c0dbe0672727ccc47d

    • SSDEEP

      49152:ery0WqVTJeKaCr4r6z+oCvkXMuMeYghagVrmp:ernRVBasM6z+zS19T

    Score
    10/10
    asyncratpersistencerat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Modifies WinLogon for persistence

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe

    • Size

      389KB

    • MD5

      35a50d146a389289bf8cf8ae60c9e785

    • SHA1

      eb94502d25789eb86dc160c2bc9be4b4a64131bd

    • SHA256

      0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791

    • SHA512

      9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada

    • SSDEEP

      6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO

    Score
    10/10
    stealcdefaultdiscoveryspywarestealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      10849d5fae1394fde8cdf2f3b239f96347ff5f94d164d2046ff4253697f09252.dll

    • Size

      796KB

    • MD5

      b5b1ddd92a3cd3afe3b94f4ad27d8b02

    • SHA1

      9a8ca8a46f63c348c8c083aa0160800064e0ab9f

    • SHA256

      10849d5fae1394fde8cdf2f3b239f96347ff5f94d164d2046ff4253697f09252

    • SHA512

      0c9098b3938170122ec0262e4bed3cda6f4fe3aba67c9b1d11aa7c8f6f3d571063f0d6264bcef5b71d7e3135605cd933a3f80e5a016cfbc8f8f5de5fb44ea602

    • SSDEEP

      12288:59MroxF5Nxu1Y1mS4oXmxEwS+KkuS9jE3806LSC13IBY5tMJVc2UxwV:59Mrz1oXmxEwZVEsHvpI2rMJExM

    Score
    1/10
    behavioral5behavioral6

    • Target

      170004b7b6bab6c3c860a6402f9d3d8988e4f3de7682e28738c3c27ac33b0e1c.exe

    • Size

      1.8MB

    • MD5

      b85fa0d79d936b8b006c535d006c7f29

    • SHA1

      210085d4f3cf1cf08c34baa5bfba0b0fc5a6c639

    • SHA256

      170004b7b6bab6c3c860a6402f9d3d8988e4f3de7682e28738c3c27ac33b0e1c

    • SHA512

      263b04b455dd7af8455eca46ff9cf833d53a8a3d3c3a4bdf3cfc2edfcf6993c19f2ecc6f2a61ad4c35b57264e3e08f545358c994eb8078aeb1d0403b218da9a9

    • SSDEEP

      49152:K23fbpRhR0OiwF7BESrgRSzLBEF7YcMs6:3zhR9FdVOFSz

    Score
    10/10
    amadeye76b71evasiontrojanlummaredlinestealc1307newbild@logscloudyt_bothnewleglivetrafficdiscoveryinfostealerspywarestealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      18db51db105a5afa46582870ca416a9284bdeda0f06c4848bbd9eef0db6aeac1.exe

    • Size

      124KB

    • MD5

      c0b406eae6d312f98ebc3b852f9a123e

    • SHA1

      4aa89ca1064254eb5b6a4e693ae8954c64db3088

    • SHA256

      18db51db105a5afa46582870ca416a9284bdeda0f06c4848bbd9eef0db6aeac1

    • SHA512

      d46748c2cfd79de5c811f72f3691e65efc17724a699848c3800fd18244eb94a81cefbb6b24076aa70b67141e2513f54a212935d2ba7f46faa9c2931b1420074a

    • SSDEEP

      3072:VwtyyAU9YbAD67WWD1yGgQL8HUGpFYkuRM6WuFk1kbdYhpYtt:VwtyyA0Y0D67WatgMynd6Hkebdc+t

    Score
    10/10
    strelastealer

    • Detects Strela Stealer payload

    • Strela stealer

      An info stealer targeting mail credentials first seen in late 2022.

      stealerstrela
    behavioral10behavioral9

    • Target

      1b32bfbc6412d6abaa2df4f530b3a7587c4f73a6cb6db93b421ecaca33e508d8.exe

    • Size

      830KB

    • MD5

      6498c822022751dbe8abb655e6ac9db0

    • SHA1

      0b2d21b6a282deba1b49c3a8d74d66169f4af360

    • SHA256

      1b32bfbc6412d6abaa2df4f530b3a7587c4f73a6cb6db93b421ecaca33e508d8

    • SHA512

      bd4ddcf7fd6a9212a6b9da7faa764c6546a0ee5d36f596cabd9f852407a3dc79304d265dea710ee2b4217ea026e6d87100644a2b9bd5b581b7b390a413f44721

    • SSDEEP

      12288:F0d1IpkiOKnXjdVNhjGJRc4wHyeptmygUUArFbXGR5PXLMcoPiNAqgSoNzQ4iWTP:F0d1CdVuJm26wygUUArZGRxyj88

    Score
    7/10
    collectionspywarestealer

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection
    behavioral11behavioral12

    • Target

      296281f1f12acb1b777d311323541065639683e2da9f883d56c35721c222e0d8.exe

    • Size

      389KB

    • MD5

      9118cf2062624b30c1bcfc306fc134d8

    • SHA1

      950c3ec72a426e666aaa5c1a4e29fef1f8eab51c

    • SHA256

      296281f1f12acb1b777d311323541065639683e2da9f883d56c35721c222e0d8

    • SHA512

      2d4684a6be4d77f170ff52ccfff7f7e94e87fbcb70388ff0a56759f7fa95047749a7ef4833b02d53eb039de9111901f23bedcd5d33e81a90dc863cd23b0f79af

    • SSDEEP

      6144:7lgLgy0iFkeLnCUcx/IcoN6O2MW61lV43JY5RaIOhZNWT+8VhIgBcbjWuzD2di8A:7ViFHnC5d80CR5OhZQfhIJba1i84EO

    Score
    10/10
    stealcdefaultdiscoveryspywarestealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe

    • Size

      338KB

    • MD5

      6f1e400bcf79c773832b3ca2aab94d3d

    • SHA1

      8a1724e7f0df1b8bb22413751908b76f72498121

    • SHA256

      2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c

    • SHA512

      2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a

    • SSDEEP

      6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO

    Score
    10/10
    redline6951125327discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      311d9f8c68e5661348e97b7e483e7ea1b3fc08863bb3f5f585581ef081058399.exe

    • Size

      124KB

    • MD5

      47122f97b06a1c7233787d6497fe844f

    • SHA1

      40401861ace6fb3a1a151a9a823d840d410b8d50

    • SHA256

      311d9f8c68e5661348e97b7e483e7ea1b3fc08863bb3f5f585581ef081058399

    • SHA512

      d4aa5c7d5409de350d7ebb0899f7abf82c843e05b6f469809bedfe19930bba621dcfd6847c3f18d550a0d98be526e41394cdf9e2983e98ca04f380a417a93ab6

    • SSDEEP

      3072:9DalfRl+WzoxAa+oLdBXnd4p2D5Sl+6NJFtZ9AkzeYzA3WC:lkfRBzo+YXnH5SwaFtZnzG

    Score
    10/10
    strelastealer

    • Detects Strela Stealer payload

    • Strela stealer

      An info stealer targeting mail credentials first seen in late 2022.

      stealerstrela
    behavioral17behavioral18

    • Target

      4bb311ba0e479264b1d3c7deab5bfb44b0c1fb100d82aa7d605369b0ac938981.exe

    • Size

      837KB

    • MD5

      b3757b09ed2150ce857f446c0c61363c

    • SHA1

      04536100a4a8fc27dde91e006f4e2ea6b398b65e

    • SHA256

      4bb311ba0e479264b1d3c7deab5bfb44b0c1fb100d82aa7d605369b0ac938981

    • SHA512

      c7fb0efb95a96177bcbc50a60f2d900f4f7328a0a98a64ead6fc6e00f52502c904815e1e0a8b309a764c77db1fa65a8e5da5104593e0d987fb6bf3f794a82119

    • SSDEEP

      24576:c3eL/rX2Ev8KDHwSPxDwauHfz/eicEeb+8TYLL:NLz7x7PP+H7e0YfT4

    Score
    10/10
    djvudiscoverypersistenceransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      7365c4cf371b0f66c7c948e14ae33c9a00a81929cf254bd064ec32b371756ff6.exe

    • Size

      125KB

    • MD5

      1935b1c58aff8c5314188e62b4fe4ce3

    • SHA1

      ecb5a1a162d55bcbc305380fd84110b2e7d44995

    • SHA256

      7365c4cf371b0f66c7c948e14ae33c9a00a81929cf254bd064ec32b371756ff6

    • SHA512

      846918cba60803c798fdc0bd5f0b5cb9ac365eabcc4244702b65fc134f4e83df1e2f324a91fd2f53e58ec897b4fe18e9cea9df1fbb50d25a5eba18ad5fddbdcc

    • SSDEEP

      3072:gAd7jhSbxHJqNOqnPZ5s9jQbBMMSYhfYiZp:g+wbxHJqAqPQUBbb9H

    Score
    10/10
    strelastealer

    • Detects Strela Stealer payload

    • Strela stealer

      An info stealer targeting mail credentials first seen in late 2022.

      stealerstrela
    behavioral21behavioral22

    • Target

      73f00d2746a71e412b9c6d43c7f5e0ed5faf3e03730bfd6e24b8955e42c2267e.exe

    • Size

      527KB

    • MD5

      9579c9ca9e85cfd4436f4acb8e11642b

    • SHA1

      43012c4c839b1888c6d9c2108cf8526966e8f348

    • SHA256

      73f00d2746a71e412b9c6d43c7f5e0ed5faf3e03730bfd6e24b8955e42c2267e

    • SHA512

      92a3e0beeded6e4c8d3040a7066eb02335ac91050fef98e1185e57ce6dd19001b8d5b0b6b8070a195c06c3fefb90c0ef780c7929fc476ee177b866ed8a5a18a5

    • SSDEEP

      12288:4+l28XEFFLFcsUOKJ7ZIPcf8oXKPFWrEi8FEO:bXXw53XuIvOKPF5RFt

    Score
    10/10
    redlinelogsdiller cloud (tg: @logsdillabot)discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      832a15b86c6ab8cc88944a3c53df4f81825c799e3cc7eac48d9e3d487d007add.exe

    • Size

      389KB

    • MD5

      06712b4426ac6be0ab38c2e28f46092c

    • SHA1

      df810c703dc7f5f656b478a122fbd05e665754a5

    • SHA256

      832a15b86c6ab8cc88944a3c53df4f81825c799e3cc7eac48d9e3d487d007add

    • SHA512

      58980624975e3e4d29c6709cf0e1d4b1ee4e6936ae28b046a158ddca32d24dceaf8d2fd3a5d4f9e11f8ed7aa8cfbd1921ace35b5cb0aa37d0964c2d558d9df68

    • SSDEEP

      6144:LlgL+y0iFkeLnCUcx/IcoN6O2MW66mRBz1MkNdTMrjnWNOXMGRMLHdDPl2di84EO:LDiFHnC5dc3VdMrjnWAcGMUi84EO

    Score
    10/10
    stealcdefaultdiscoveryspywarestealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      8ce5a8cb0a900826dad8a42ce81540e58e9ea3ac7b4c6235db82074589c4a3be.exe

    • Size

      338KB

    • MD5

      9d2d8cc143e8ae3b05a78fb3b93fda65

    • SHA1

      ec06189c3b1db47604616880366f17c287b4e30a

    • SHA256

      8ce5a8cb0a900826dad8a42ce81540e58e9ea3ac7b4c6235db82074589c4a3be

    • SHA512

      22ba15c3d3f293b8ae173ae83020f3192adfbeb8370c4e48761168671921540a9b1068275d187da313b9b143fd33868c026e1fd9284fab566572bfb68acc4fd5

    • SSDEEP

      6144:wY1jDmalKcYdvkMEdRE29UHYOhQWrWNSErEENT9s76FF6Gq3cH2di8bEO:wjEKc+kMcIwSgNFF6fcii8bEO

    Score
    10/10
    redline6951125327discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      98972d73a823165a52ed8ce9d295250be083884d142c92c3268936c5269fac70.dll

    • Size

      127KB

    • MD5

      8cfd7419f24c7904d2a71b5ae6ea5daa

    • SHA1

      2368eef5485a2a252d0c13485cb92e6b5b443f6f

    • SHA256

      98972d73a823165a52ed8ce9d295250be083884d142c92c3268936c5269fac70

    • SHA512

      7c399953c44de5092eaa463610bee00787fe0945961bf10f08b55d6122307ebc0a7b388b79f359c13c236d5d94d185bb464a4cb4808bd1676aaa083ab9fde1be

    • SSDEEP

      3072:IDrG/eLj+t+YpqUjWouVPkrH3/U9aQw62xm4+5j:CaeL6g2jfuVPqtA5j

    Score
    1/10
    behavioral29behavioral30

    • Target

      bfd5040c9750dc045214de1282ae9c211eca9d9e452c2310dbf40dfa7bb426c6.exe

    • Size

      338KB

    • MD5

      46471ec772917914b1c14f62eeb454b5

    • SHA1

      200897cf16c3c32396f36dc7da0340660d646fb2

    • SHA256

      bfd5040c9750dc045214de1282ae9c211eca9d9e452c2310dbf40dfa7bb426c6

    • SHA512

      8736de234356b8798805f82c11c30304381128af801e30b49274c465e810ede5f4ad9eb70248548c3e461f750e2faf552fa4846234f68a16953fe35c0dec0b69

    • SSDEEP

      6144:VwTSv/BpP+AegMMtRvu3LqBOkQWrJ9vDa6C87pxKTgt2di8MEO:VTpP6gMEh/vDa0p8MEi8MEO

    Score
    10/10
    redline6951125327discoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

7
T1012

System Information Discovery

5
T1082

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

1307newbildredline
Score
10/10

behavioral1

asyncratpersistencerat
Score
10/10

behavioral2

asyncratpersistencerat
Score
10/10

behavioral3

Score
3/10

behavioral4

stealcdefaultdiscoveryspywarestealer
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

amadeye76b71evasiontrojan
Score
10/10

behavioral8

amadeylummaredlinestealc1307newbild@logscloudyt_bote76b71hnewleglivetrafficdiscoveryevasioninfostealerspywarestealertrojan
Score
10/10

behavioral9

strelastealer
Score
10/10

behavioral10

strelastealer
Score
10/10

behavioral11

collectionspywarestealer
Score
7/10

behavioral12

collectionspywarestealer
Score
7/10

behavioral13

Score
3/10

behavioral14

stealcdefaultdiscoveryspywarestealer
Score
10/10

behavioral15

Score
3/10

behavioral16

redline6951125327discoveryinfostealer
Score
10/10

behavioral17

strelastealer
Score
10/10

behavioral18

strelastealer
Score
10/10

behavioral19

djvudiscoverypersistenceransomware
Score
10/10

behavioral20

djvudiscoverypersistenceransomware
Score
10/10

behavioral21

strelastealer
Score
10/10

behavioral22

strelastealer
Score
10/10

behavioral23

Score
3/10

behavioral24

redlinelogsdiller cloud (tg: @logsdillabot)discoveryinfostealerspywarestealer
Score
10/10

behavioral25

Score
3/10

behavioral26

stealcdefaultdiscoveryspywarestealer
Score
10/10

behavioral27

Score
3/10

behavioral28

redline6951125327discoveryinfostealer
Score
10/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
3/10

behavioral32

redline6951125327discoveryinfostealer
Score
10/10