General
-
Target
red.zip
-
Size
6.5MB
-
Sample
240509-mx45dsgd72
-
MD5
871b25bd7eda9a4f91bd8adfa98bc7fe
-
SHA1
a5d96cae0d03b393b238e01194c7ac1b23e39edf
-
SHA256
1fdd5f3e8505e6e6d5694fd5bb78388c9f5ca6f38c5a2c066159adca4a10d217
-
SHA512
90dae84dfd7dea569db7a03f36d6b5a9408197edc1be69cbb7cd34cdfbc597f644c2e8789c444f56f197815f9a4428d73cbb611770f42e8f637d1673d74b1ff7
-
SSDEEP
98304:ToYoHs7YzGfFmNErbM/SjNmnvKDSxlCEUVQTmwGGjrSDPcK26282zegkeV:TodH1GfYqbGkNW4evgQiYBO4egB
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
http://5.42.92.67
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Extracted
redline
grom
77.91.68.68:19071
-
auth_value
9ec3129bff410b89097d656d7abc33dc
Extracted
redline
papik
77.91.124.156:19071
-
auth_value
325a615d8be5db8e2f7a4c2448fdac3a
Extracted
redline
masha
77.91.68.48:19071
-
auth_value
55b9b39a0dae383196a4b8d79e5bb805
Extracted
risepro
194.49.94.152
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Targets
-
-
Target
30b55fc29eb4d6ba84b1f82bbfa69faa222f2bc6d243a759a624fbb454475275
-
Size
389KB
-
MD5
836c2e6c543de8734f2293001cdeb892
-
SHA1
8d079b4246c7778350797bb66f290fa4f9e72d7a
-
SHA256
30b55fc29eb4d6ba84b1f82bbfa69faa222f2bc6d243a759a624fbb454475275
-
SHA512
ae73d335a26e2d0e826737c77d01cd38deca1f78fddca93483441da48dbf8c91e6ab64a1216706e6220840dfc75bb078943ab2db6b847b78f43d75f9296faf95
-
SSDEEP
12288:wMrwy90h82X+eb0XDKMSIgBYCzzq+f0D/:QyXeDPzioU
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986
-
Size
921KB
-
MD5
806e422c72778033c5ab84a122ee219d
-
SHA1
2a82b3feba5337f550d857fdd39290c1edbeaaff
-
SHA256
4f6b8faa6814b26627c6c8eac0bc9c5237229efaec31a93ac5634db12970f986
-
SHA512
ac7a914896275cd09d64faee9eb7259f370f58845dd50b5ddfcd139296e57aedf457eec534d6498c0a0b67266a1c9b07c222bba27d65aee1304dba7a16b880eb
-
SSDEEP
24576:lyxIBM9mCnbl4MASk1HCUvk9gY6gmZw76pr:AxASDx7HzHy
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a
-
Size
514KB
-
MD5
805f458c4e4cafdc121c09022e7065a1
-
SHA1
a7876edbb4b0df6770d9de1b3eec3d10b9341f0b
-
SHA256
68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a
-
SHA512
49ae31bcc03ce37884dea632ae0e2f2b46a145d2fbf081f83ab9854aef849a6988a3bc614676f50c9ea2fa209fad269cec271fffaa08fdca610494aea4ecc840
-
SSDEEP
12288:6Mr+y90vfhcrO1YnhEibozGpgA5UcjKy+:8ykfOrcYloyaKKD
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d
-
Size
517KB
-
MD5
304a5b4567c0d0be82803f9105d5fa39
-
SHA1
a919586040a1f12db5fd80f938a8804940836609
-
SHA256
699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d
-
SHA512
e446ffa1b8155c72e3764da8341244505ccf3b298e692b9468b0bf4d893aea4bf643ace04dd39d735225ef27d7d2b25c9958a6ac92c81adc1e06df56f1d0a645
-
SSDEEP
12288:UMrTy90Q5hM4tG9jl9zVEL3SeN/MYvpBuV6Mqw9g:3y/heLzmLi5aXMqw9g
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
844b5b76938e178a82f8c18d5600f389ee4da147c66b379dbc5cb8587d11e5ab
-
Size
1.5MB
-
MD5
81ea008f898bb51262018817b54fa84a
-
SHA1
df835f5a494bbd56fabb7130b8a9a82d7841f442
-
SHA256
844b5b76938e178a82f8c18d5600f389ee4da147c66b379dbc5cb8587d11e5ab
-
SHA512
4b2f570869aa81eaf5fd7ba232fc080de0797d3c7f99e6f83a9e5da93fe6c5fa317078cd6f72d7e00e3009dc67981638147679f6479fe8183070fef6d0518265
-
SSDEEP
24576:Tyr5T2KzBFhNW2AYXX5BMzudjFcDnuJnRP9pJ7lyel+C4hIa8XCGKysC8F:mxVvhYY/BFcnuJh9jZyxCKOSFyr8
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62
-
Size
1005KB
-
MD5
80766f346a1033b1abfeeabc7180a880
-
SHA1
2568f835441d53bc785a4ddf8537814826e3d064
-
SHA256
86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62
-
SHA512
029d53c19dd434b410eb61158e8a653c3d3725b50de9e5bb7dd766baed93a37574b3171509ee7e968d18158d89082029e74881630fb852c37b305053ec5c87aa
-
SSDEEP
12288:VMrry90H6OndYa8eQHWFiUDhbkYuuDu6rtRHvb6sCIoxV+pY62N7198r3GJnWIi:KypOnDiU9Pyyhj6sUx+07cSkN
Score10/10-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
9cf3d2bf3c4df3cc22948e45de303aec0f5ffce78a74c453774be0f6f060f6cb
-
Size
642KB
-
MD5
7f4aaa12c0588bd587db0ab81c6938b9
-
SHA1
b29352033def4680163645af59e8b9902c338a90
-
SHA256
9cf3d2bf3c4df3cc22948e45de303aec0f5ffce78a74c453774be0f6f060f6cb
-
SHA512
d579904c9f49b8627fcc67e51ead68c10de30136ba78d136ce6925abd8ba0cc5e76d7ec3bdf6d817f7a2911874f0c90e87c933641e0c085bf7d9a449adebac50
-
SSDEEP
12288:xMryy90iumJvk82wBnhmuiUCch3p2PDP1qwWJKHHTnOPGAALMN:vyemJvN2wyfipoD1qaHTOSgN
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4
-
Size
771KB
-
MD5
7ffad6f51f9598958204eca8679690b0
-
SHA1
aac9ca0423c177d041dcb22832f581d8c39bc184
-
SHA256
ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4
-
SHA512
6a0feb1278e1bc5742a4b8909a6818743841e0d16b935d659fe6a60cd9837563ea5ea7ef9973afa1cc64c41681e140d5e7c85300346c875d1b17571aaff41430
-
SSDEEP
12288:uMrLy90EtWzfh9lViybaDJcyMYLk4hC+D+SjbIyWAcDSGb1cqSU0Rzyqj:xyfWFARJcyjJhBNmdcqL0wqj
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
d0ab8687e34a8f0343980bddd26689960bc998ce3537a995751d70b47f6b24e2
-
Size
390KB
-
MD5
7f2c00bbadc73ad53e903c94a20db4e5
-
SHA1
9270d43f9bebdd6380fac9c6d6340fee4b28aaa6
-
SHA256
d0ab8687e34a8f0343980bddd26689960bc998ce3537a995751d70b47f6b24e2
-
SHA512
71d813c1dc82e4fbd9a62e8eb425b3094daa39cf4787a7df7223c2b4e767706a362144682753bf5e00ea3d9aa50ecd1c3e079ae7f9baf7d90477e557b3c098e3
-
SSDEEP
6144:K/y+bnr+ep0yN90QEOcfek0pdG7xF25AE3ABmsEQX0mHhWjdbrfm5:FMrOy909eYxFKAEwBDjBWjJrfm5
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
fb468a211d9a74c5355215200cc2031ec364c8d8a99456c4a189cfea35cb72c3
-
Size
390KB
-
MD5
7f7259536faba88247841cf1adf8332b
-
SHA1
d5dead80e018787370e99753e2af59c8ed7fa887
-
SHA256
fb468a211d9a74c5355215200cc2031ec364c8d8a99456c4a189cfea35cb72c3
-
SHA512
072a4a03f0d623445fe20d401adc93cdd27425d508e6f8922efa48d5b05f82b645fb8031a04795c31bb5e1d49e672418a3bcf6a392deefe550501593134b1cac
-
SSDEEP
12288:nMrUy90VMtGfE/7XH8MxeCVcEEKzVy6a3mB:DyTtGszXHLbmEEqVy6r
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1