amadey

Sharing

General

Target

red.zip
Size

55.5MB
Sample

240509-l51lhacc6t
MD5

8be98e646091b17ea86fe9a34ae76314
SHA1

b3ad5e08085d78ba02e378bc073b06a01e43f00f
SHA256

dc3a1c0a9e91f9db2fff71c534b9b0e94067f24c7823bdabecfbdb495e4fe76a
SHA512

af6f501156c885baf84149fbad71f79f5733cf101432f18dab17989788568949b484be2a462563dc92ccd8b162cea48c647d1bd1e9784fc5818530b8cbec10d8
SSDEEP

1572864:iJnhhUa+zzhNQmqQwF+HwARUKMtwLksVSJF1dY:iJhSFzf2YUj3Y

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

crazy

83.97.73.129:19068

Attributes

auth_value
66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

muha

83.97.73.129:19068

Attributes

auth_value
3c237e5fecb41481b7af249e79828a46

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

77.91.124.84:19071

Attributes

auth_value
9fa41701c47df37786234f3373f21208

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Targets

- Target
  
  000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88
- Size
  
  607KB
- MD5
  
  33ff5c1b7ad2169df36e814a2d691161
- SHA1
  
  e80f0be76be35b9997ecfa24a8efc30748552cbe
- SHA256
  
  000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88
- SHA512
  
  216ceb4f2a265aae0b413964c91da9f4f4f45baabe4ed952da89dc8089932472aeecb7ae2fb42408dfcfc8ae575d3d0b99cd89f55620946b155a41dee6019bd3
- SSDEEP
  
  12288:+MrRy905hb1FNGixxWjL0VQt0M4sslypYzPIJ4XBNvCfap:Tyihb3EAckqt0HyezQJCBNvCfap
Score

10^/10

healer redline crazy muha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  0e413fa9690c02a45dc95f1ea020874ed2745670117fed803aea439be9b8683c
- Size
  
  390KB
- MD5
  
  339502ab6e803bb14f41192ad1a5f0d9
- SHA1
  
  a4b66d62757242efc3b730e8a408c6c97682de3e
- SHA256
  
  0e413fa9690c02a45dc95f1ea020874ed2745670117fed803aea439be9b8683c
- SHA512
  
  4415566c40ee2e46b94c96e4034bdb3bf8328fb7bb34e5536e0e53e653124519a19e018479423c215aaf34494c88c0229b28b0eaa2b01f8d5b7e21d27f5f1a4f
- SSDEEP
  
  6144:Kjy+bnr+Ep0yN90QELzQhhPWbRIi6yiCcQ/sRZYE9Df8HrENGiM:tMrYy90GPuGOMTGrEpM
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  4312b77e6031b30312b6c5c30180fca1895d4c065914103fa2e4ca9e8da9a0ce
- Size
  
  389KB
- MD5
  
  33e3fc4709fde1e78a4d43cf4315b6e8
- SHA1
  
  8df55f1252561a441d7069e4b09c8d5e429151e2
- SHA256
  
  4312b77e6031b30312b6c5c30180fca1895d4c065914103fa2e4ca9e8da9a0ce
- SHA512
  
  aa3f749244aef8c64d3e610ccd97fd5eb4d663af450340a627237165006b07a6b3bebe68534b765a0785ff22d5155322d4075671d26bd55b783d9a554f1c1446
- SSDEEP
  
  12288:6Mr7y90Ha9/KXa3xvoQrOhOKgBYCmjWwojO:Jy7XvodhO5z9O
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  5a9212ccca92111e18358da4163f1a5d4c12debc5b1d9ac429198c7ad68de5d1
- Size
  
  514KB
- MD5
  
  32ab0711c74737a7d5948b73ccc1ab6f
- SHA1
  
  3bd68e686a0260a11aa4805a2655867c4e780059
- SHA256
  
  5a9212ccca92111e18358da4163f1a5d4c12debc5b1d9ac429198c7ad68de5d1
- SHA512
  
  2aebec7ee681bd7e5e085571347a9caed38c2dfd5c705ee5fdb23da1258079bfb77b278427dd46811afc7f2f98afa2c818abb44e305cc13d4e43c8d1dec0a7e3
- SSDEEP
  
  12288:8Mrzy906i3DhgK5RE1g0xJF7ceeeeDC37Ztoj8QXII:HysNDSF7we97Zc
Score

10^/10

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  617783538bdab4bd7c8fbacae9e8749b50cd02e596dc328612ea1d600c11dc1f
- Size
  
  514KB
- MD5
  
  33aca759fc7ddd2c0ba87b20d2cf8986
- SHA1
  
  f4e5f0de1188385931c81c61229f03c508e29fc7
- SHA256
  
  617783538bdab4bd7c8fbacae9e8749b50cd02e596dc328612ea1d600c11dc1f
- SHA512
  
  3da9c1afa7ac424395afc2e2f512ca900218a7b4f353ff2708b9760fbceee45a37ff7d34fd1332c63e9570b0ba90131f18235c7ff0f76b5f6ab5a0484a9720af
- SSDEEP
  
  12288:EMrYy90ZQGHay0dMZCvYOiGRD/qYR+J8gDSMuUCyjylEsCmjt:EykHaHdMZmYwIlJ13uUCyjylEhit
Score

10^/10

amadey healer redline smokeloader krast backdoor dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  729187837b6282872fd853df135ab03458edda808d089983498f29a635b978ea
- Size
  
  514KB
- MD5
  
  34224bafba80ee4c2ef4d7cc26e983c5
- SHA1
  
  978f969321bdad8a20b343cbba8d22370589d48f
- SHA256
  
  729187837b6282872fd853df135ab03458edda808d089983498f29a635b978ea
- SHA512
  
  890361ddd6d7cb18c85190609d988b754dac9b82a2806acba148102d952d5f73fd3d05ddebe6de7918aba217b9759e634518f2552efe3d8db453930181d67592
- SSDEEP
  
  12288:1MrLy90fDRO1eZcHs6uy3WvAXdjI4hR0Hp9LV9R/XIqUkLC:Oy2+8cbuy3WvqNhCHXVDIrYC
Score

10^/10

amadey healer redline smokeloader lande backdoor dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral6
- Target
  
  747238b5bd007fbf264cbd66b42a3fa3d6c54ccb6a1d0ce2c79715650a55d097
- Size
  
  389KB
- MD5
  
  34958013ed93e8c8cb4a7fa5c4d303fe
- SHA1
  
  2c55415545f09295480119363473cc7ab41549c2
- SHA256
  
  747238b5bd007fbf264cbd66b42a3fa3d6c54ccb6a1d0ce2c79715650a55d097
- SHA512
  
  fd638a25dc2f97d44a90a551f78487e9d6ecf24b6fd82d737cccb452c9aadd092f8b0d213cfbfac9808305d9bd579b3f89a1cd0385a461e14bd4d46430ca951b
- SSDEEP
  
  6144:K9y+bnr+Bp0yN90QEv8k6y00raaOJ3XJzKw9mRy+elgBZ+t4oDYff+agCM:fMrxy90t8vn0lO/Kw6yJlgBYCokfJgX
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  8e6dae5587d0150e1fa568f6ff42d2f6790750c017c08f86cff2c14b18de7422
- Size
  
  389KB
- MD5
  
  34c92f1b6b922ed423132a72c41e14c0
- SHA1
  
  0d10bccb8a7c64727139a12b32553e3568f00a51
- SHA256
  
  8e6dae5587d0150e1fa568f6ff42d2f6790750c017c08f86cff2c14b18de7422
- SHA512
  
  1720ba3a80b94631413dc8de5a44220d9cfbabf9ef189bd454c2646aa0ecfd9b0f0554a6d9c1936fd3d86b5e5f5dc8d3d23209d07356f54befcd55434c736049
- SSDEEP
  
  6144:KQy+bnr+Pp0yN90QEbAP9s5pCJAKzG2t1+0oExIIJf/SgTP:AMrHy90t69sTC6wHoE3SgT
Score

10^/10

amadey healer redline nasa dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9
- Size
  
  51.0MB
- MD5
  
  334d3992d07061c6b20d08d200811aff
- SHA1
  
  c896f1f24fd0af2d523946217fb556fadfac3304
- SHA256
  
  dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9
- SHA512
  
  6d10bc11d0792c2ef63ae0564df650ec1c7e3a776bf3df3df7097cb5fd3477a173b8dc2bd36628f67a312b766bf684626ec6221be9d259425dad65309f791b4a
- SSDEEP
  
  786432:n14+ls/Zo30hnFnAZZhGJHJaIKYlPLkkAt9lMe/HMrGQgQGmLIqFGkCRFrmT:14++iEVFnAxGJfljDeQgQGLqNCjmT
Score

7^/10

persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral9
- Target
  
  e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71
- Size
  
  1.5MB
- MD5
  
  32d48c8cdbfd96746a7f1c55f20a4947
- SHA1
  
  7c8dc77a635685a78606165716662958487c72a3
- SHA256
  
  e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71
- SHA512
  
  e5ac29b64ac187f5cffc8a4a96fe617b138f847076a3bcd35a4c68eab59f103a0fdba0fca685592270942c08c2e7785521fe416bce4057f748ffcce89159c19d
- SSDEEP
  
  24576:7yPZKhpcvJxHm4U5sa6uyHWkAN+dX0xecCgTOffPGzedaNycCe0XM7fl1h6MlzY:uyGvJxG4Cc7J7gqffP/tcCtXmflnP
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

SmokeLoader

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

SmokeLoader

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

SmokeLoader

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings