General

  • Target

    f7dfaa9e79da582285f964c17f202631b50c186b56fbe2c417d1cb042b2ba655

  • Size

    12.9MB

  • Sample

    240509-p49pkadd49

  • MD5

    db707751f928031cbd71042ddafe2109

  • SHA1

    4fdafd57a3d3e046564da44a8435e3096c92de1f

  • SHA256

    f7dfaa9e79da582285f964c17f202631b50c186b56fbe2c417d1cb042b2ba655

  • SHA512

    986c63df217c6f606b915ba3635d6adce4d4b30c33e762a907c1f58663d2f041e82977986ddfb65cecf073cb8b3d1818bc8f1a8d681790f9d50d949907cc517f

  • SSDEEP

    393216:4GwqNx4+JzqZlfsgegnT8zpSZ/SFCBeGl4ZRWdFygdjd2r:4yN6+JEkgegSu//NlCERRe

Malware Config

Extracted
  Family: amadey
  Version: 3.85
  C2: http://77.91.68.3
  Attributes
    • install_dir: 3ec1f323b5
    • install_file: danke.exe
    • strings_key: 827021be90f1e85ab27949ea7e9347e8
    • url_paths: /home/love/index.php
  rc4.plain

Extracted
  Family: redline
  Botnet: nasa
  C2: 77.91.68.68:19071
  Attributes
    • auth_value: 6da71218d8a9738ea3a9a78b5677589b

Extracted
  Family: amadey
  Version: 3.86
  C2: http://77.91.68.61
  Attributes
    • install_dir: 925e7e99c5
    • install_file: pdates.exe
    • strings_key: ada76b8b0e1f6892ee93c20ab8946117
    • url_paths: /rock/index.php
  rc4.plain

Extracted
  Family: redline
  Botnet: krast
  C2: 77.91.68.68:19071
  Attributes
    • auth_value: 9059ea331e4599de3746df73ccb24514

Extracted
  Family: redline
  Botnet: @mass1vexdd
  C2: 45.15.156.167:80

Extracted
  Family: redline
  Botnet: lande
  C2: 77.91.124.84:19071
  Attributes
    • auth_value: 9fa41701c47df37786234f3373f21208

Extracted
  Family: redline
  Botnet: lamp
  C2: 77.91.68.56:19071
  Attributes
    • auth_value: ee1df63bcdbe3de70f52810d94eaff7d

Extracted
  Family: redline
  Botnet: 5195552529
  C2: https://pastebin.com/raw/NgsUAPya

Extracted
  Family: redline
  Botnet: kira
  C2: 77.91.68.48:19071
  Attributes
    • auth_value: 1677a40fd8997eb89377e1681911e9c6

Extracted
  Family: redline
  Botnet: genda
  C2: 77.91.124.55:19071

Extracted
  Family: amadey
  Version: 3.89
  C2: http://77.91.124.1
  Attributes
    • install_dir: fefffe8cea
    • install_file: explothe.exe
    • strings_key: 36a96139c1118a354edf72b1080d4b2f
    • url_paths: /theme/index.php
  rc4.plain

Targets

    • Target

      0237b61e61fe845c052d94e1696f694fd1c69b55134971372a39facd025272e4

    • Size

      306KB

    • MD5

      03ddaf6361edf593f75a7a908de781bf

    • SHA1

      bcd7cde0556d92994871b44f1ea9854d86953ba8

    • SHA256

      0237b61e61fe845c052d94e1696f694fd1c69b55134971372a39facd025272e4

    • SHA512

      1fb8f368f7019e8c31fbc973fae1ec4a670f49ecda78686a4c10adfe106544caa48893af7a371f6e46890e05aa30335e6e4ceb9f2cc01f01d071ff682d011083

    • SSDEEP

      6144:t7ZN9vSWh60RVAtljy11okg/LsJqePx7JS1jlr+rxJyL98J:5ZyWhHek7JqePunsyL98J

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      0cbf9c5b5986e5ea6119fe8fc3da31af9c240982a4a7cfed5ca9fb56c4d768f9

    • Size

      514KB

    • MD5

      03ca22509dd0d27c7870a11d815e9ee8

    • SHA1

      5cc860e59d6a72f2706b072d31c6cbbb098144e1

    • SHA256

      0cbf9c5b5986e5ea6119fe8fc3da31af9c240982a4a7cfed5ca9fb56c4d768f9

    • SHA512

      1004c5f8639e05cbb5c3b49cc075eaf88dc7e66864b1d905da6249e8da824c1e87ebff41ba4232bb80dbe5d8c92f39e873ff8e76ebcc248a27304eb6175d8cf7

    • SSDEEP

      12288:7MrRy90hXdFuD2qtGnRDC2EruoHkM/T6xhFx:+yQZqIn09ruoEM6xDx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0edb945c8dd154bc423c54a58705917964bbfb8f0391f3350b75f33df5c740dd

    • Size

      755KB

    • MD5

      053c3c8e722fa47bd2838b181c048d4f

    • SHA1

      45a6adcdfc9dd036ca7edae5af73dfb8f51fb4fb

    • SHA256

      0edb945c8dd154bc423c54a58705917964bbfb8f0391f3350b75f33df5c740dd

    • SHA512

      776b7eda980d98638096e170736cdfe4622e8fd2f6c8dda2c661c738ee201fcf4a048156f159b7dd3649713338e7e683a87bb9cf69115c02b630b4c68480835c

    • SSDEEP

      12288:QMrhy90cINZiNM09CQ+yMCpfb5nIyt7s0zv4kma32U6yWy7P3RvcBLMxC++B+dGK:hyxI2uyMgN7sEmaLRx3cJ+dn

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      13ca0bbb3221adeaf830fc435756121e64e03f342fec62e30bcd13f7d5c1083f

    • Size

      359KB

    • MD5

      082931c582b6984be9ecf0b9a10d3a97

    • SHA1

      b54ae43dca0f037b8d859239e1e395bc574d750b

    • SHA256

      13ca0bbb3221adeaf830fc435756121e64e03f342fec62e30bcd13f7d5c1083f

    • SHA512

      1f5ec57654b837da94d5ac211b9560b4adf15c40da8a0b8d8694383af7f9aa9c523e110cd5274873b20fae90b9448567863d0a14a40e90ca1ce4ca860f046c7e

    • SSDEEP

      6144:Kry+bnr+qp0yN90QEJGvSQG82CRZn4ERr7UXYfoi2vT7hQrFvCqfuln45:BMrey903GV2K17UXYAi5rlCqfulM

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2

    • Size

      4.3MB

    • MD5

      071f8bfffa76377293c3846706a9eee9

    • SHA1

      fb8a1393c2c7c9e3adb21930e10633605c028a2d

    • SHA256

      1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2

    • SHA512

      84d21135d1410597037321ce8434a27dee3878e4b3992ca2ae3837c0b1715f021aec3e5a42a00e2ae019b917c631b87bcd08844b672e3669f0c0c55b71789b4f

    • SSDEEP

      98304:tIOMcwQObrql/9CpTxJJphqC3vKfOlk36VncyH7kuK2OFVa:tIUfObrQ/kX8euKk36VnH62

    • Modifies Windows Defender Real-time Protection settings

    • Drops startup file

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1b0729839d14f565e8de6c35f683e4cf6c401cc652ea06fe9d0da0c95e9abadd

    • Size

      863KB

    • MD5

      06277a03cdeaf29ddaf5419eb7b05b20

    • SHA1

      96d63bf0038d66d8077141669a1518d99182f7a4

    • SHA256

      1b0729839d14f565e8de6c35f683e4cf6c401cc652ea06fe9d0da0c95e9abadd

    • SHA512

      794cd215922cf660883cafcb834c4962aca747bdb3f7240118c2924c6185b682946e037e200a92b1cac307ae2dca34919c8ce367b77c0a24ced47a21b4ba50ff

    • SSDEEP

      12288:iMr/y90ORo/UpVjIROE5bDbVA0A/9OcuITijA8yeQbcHO+lLG9L8qwcnmJaqi:lyZOoqkWb/61OcVmS45dGALK

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f

    • Size

      514KB

    • MD5

      05b1bd5fc4cfbb5ac811b1085e421a0e

    • SHA1

      cc9da7c9ffe07eac65e1c6b57d62f820a9b75e99

    • SHA256

      27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f

    • SHA512

      8b84c660b2a8819f5bf546405f63c359e9836fba5d4145878afbe02c98a1d30d6380df9e70a9f819494a89f6c3a5f3fd1b86ea2e1218ab5834490ef790d41c65

    • SSDEEP

      12288:bMrFy90nQ3cYBUovwEOAjj3pvqur9J1VpR8/G98aYE03ZoRU:iyBsOUovwsjjMupbR2GSVlJoe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      34b8fdeeafe15c31ab10314949d8d534bca5cfd6995d47dbab8b3506a2847a27

    • Size

      390KB

    • MD5

      05c38101649835c2baad888deab4c66e

    • SHA1

      912349f3fecc2be742f9f83ed646e6828d32608a

    • SHA256

      34b8fdeeafe15c31ab10314949d8d534bca5cfd6995d47dbab8b3506a2847a27

    • SHA512

      21c5e69665c9bb2e358c4ef09391c77e9e9ad32f0df1307d6970c97ad655fda2f7280e79948853aeee31b8e55c12783ce6a783eea1a7138681e5dab641be8caa

    • SSDEEP

      6144:K8y+bnr+ip0yN90QE7h7stzBYwv/aYxUsjmLXsiaZ+CcHnlRHu5lpuObxYinjsU:YMr6y90Jhy60Xjm0lcHnl9KrbylU

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      488c7cb3b3ae680032b59617bf38fb807c934eab7717cda13ee71996311ea718

    • Size

      390KB

    • MD5

      078e639bdbe157831788e26267526968

    • SHA1

      0b642da53c3113b7494a76d768dd718f2dacd118

    • SHA256

      488c7cb3b3ae680032b59617bf38fb807c934eab7717cda13ee71996311ea718

    • SHA512

      0cdbb92f05f7439d891c870bfb31acfac9684f351cebb7816a4320e136008b1f243ec3a37e06be4661f5d57c67b845e83a207fa43dead8c525fb64f1cbf158d8

    • SSDEEP

      12288:cMr6y90GnTK6c3hvStGHQcHnl9DPLxUe:GyHe6c3tStSvH3LxD

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4bc64c0375f3ffea0f45741a1f4ed6af4f66e8f13084960da4aeb003e9f45675

    • Size

      389KB

    • MD5

      073f84f40946716ae47ea59af7fc3979

    • SHA1

      f39ce1dd5b30a263986c6831bc7bf4b662b3ce5c

    • SHA256

      4bc64c0375f3ffea0f45741a1f4ed6af4f66e8f13084960da4aeb003e9f45675

    • SHA512

      7a9758b20b794cac8a5a9e8dae5fb55f6cfb5b69e8ab5ab804088e67975436826746e5fe18473f56e4544bf148c35dc1a1029768bf3262e58372afbc7d9ca93a

    • SSDEEP

      6144:KGy+bnr+xp0yN90QESFxnVkONlvhYZbG7qMh+hn0E3+YIu5ly4RChw/:yMrFy90wSONcbG75w3+YNly2Chw/

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4f85c3e4ec4db9780db30f402a82cf4f34e6d0a934cf7eb35d8bdb58e46d06fe

    • Size

      389KB

    • MD5

      076b99caf9477fedca25bffeae2cb79e

    • SHA1

      e225fe1511055fe06e101e5c83642334f338ef10

    • SHA256

      4f85c3e4ec4db9780db30f402a82cf4f34e6d0a934cf7eb35d8bdb58e46d06fe

    • SHA512

      b3ac41eb1a99d4c93ffb548fad34d4b696a08696913940b38738bbfee5c5bae5f7cf467447223e5fefd49bcb9666df3ffda45d20413cf31d8de4f3b173565c97

    • SSDEEP

      6144:KZy+bnr+Wp0yN90QEPf8b53ozQVRVtlSrZV3FB8+gBZ+t49DyLvbW3JC:fMryy90iF4ePtua+gBYC92zS30

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      55b18033bb16a6ebd933d4b24c7828c19ea0ec0937cbb06be066053c204d9753

    • Size

      469KB

    • MD5

      051f65734fe5b3908b4e8c8810866caa

    • SHA1

      c94cfcbd18c595495d8851679c3a7eb6e6af1ec3

    • SHA256

      55b18033bb16a6ebd933d4b24c7828c19ea0ec0937cbb06be066053c204d9753

    • SHA512

      8a4770ca61f2a3f42631f61b55f256e362bb8c6766566ee6a1c18714d6e5f3f5590a1bf01f6d4ac0be80077c5a306acf6ed95338e0bb0731c35a352386f35b8a

    • SSDEEP

      12288:ulBmU+zoOXc065zzMWv9yT2EyBkXoGzud3Kiz7xhGupT:M6zoOCzzMWVpEyedyd3/xhlT

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      60e7e1ac00410438a148bcba6a92dbac02c94531491c577d988a49e9c281cf07

    • Size

      390KB

    • MD5

      0476a1ce759c7ebb3a07670a93af7c97

    • SHA1

      8d7604fd59d976b0a700dc5b824c19a4953e25a6

    • SHA256

      60e7e1ac00410438a148bcba6a92dbac02c94531491c577d988a49e9c281cf07

    • SHA512

      dbd7b560a4c3f87ebd3f435d4b4407cfb58e43c1e3dd757605b183b8a44d49123c1046473e707b11d69559ac96f05aa352a3cce443123531f32957ca9121338e

    • SSDEEP

      12288:RMrfy90WeNjuicYFuPmhdMc5MiQp8j7e:mybeNVcYQOLMDce

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      979a97cb16762728856ff5dd929cb625d1673048544e092731742005342da799

    • Size

      390KB

    • MD5

      07c4932eac4c00d7bf3e7c2431f28d16

    • SHA1

      f6770982591d3c388f83c128da9cda9b7ca36162

    • SHA256

      979a97cb16762728856ff5dd929cb625d1673048544e092731742005342da799

    • SHA512

      9511874193241dd36176832cff61141b051a9d3df152271c10939df0dd8819f8804e3c82c757fec4dd61641140646f3e2abf262d9604ee6b4cefcc688256c65b

    • SSDEEP

      6144:Kry+bnr+Op0yN90QEfkmMM1ki99QVS9AdKrs3zzmx+hpnKS9:hMrCy90NEM1kGIdxo+79

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b3eb736a5d62ca99c3bb61ab1572ce044dd3f3d33a0f83509bfc2cb1204b0b9f

    • Size

      390KB

    • MD5

      08756b1e9e8c05b88b872a614abb9456

    • SHA1

      3261f8485d41b39bb51c405736cde6cc83511e71

    • SHA256

      b3eb736a5d62ca99c3bb61ab1572ce044dd3f3d33a0f83509bfc2cb1204b0b9f

    • SHA512

      d92fb17a8c74f00005c360f5c826ca85ec60ea7cbaca5f8ffd267a65edffb8e7dacf1f036a4f5f540b82ef652e5fe5409697029012349d14959ff7f690605542

    • SSDEEP

      6144:KBy+bnr+Dp0yN90QECqKcLI9GyF4t29E7JrovGA0jgBZ+t4WDu/J6AiKXztd:fMr7y90o63AY6vGXgBYCWXKXX

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d57352b17144065c6fd05a0807532115ba9622e99b096ac4432dd312359b06d0

    • Size

      390KB

    • MD5

      03e5bda34bf1f1416df08c8f22f86c44

    • SHA1

      4da55b7cb2b7746156333ca9bcfb6b3884c95316

    • SHA256

      d57352b17144065c6fd05a0807532115ba9622e99b096ac4432dd312359b06d0

    • SHA512

      79aeb3c1fe6cce6505290ecf9f028d52fa101110737c79752aa852752cdeea568e22170640b9ad3f1156ee9768943ac6201bb11a873e85d7847054ec0357af7d

    • SSDEEP

      6144:K5y+bnr+Wp0yN90QEl2m2A34vRS5KRP5sp1BkXYijeIA3c5rtLIRva6:DMruy90734c6P2nMjeIA3cliRvf

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d62f03a5584e3ca2265a79bdd4e0fb0add3d0412b01568178f46f8dcecf881b6

    • Size

      1.2MB

    • MD5

      08f975e11dc1ad55229d41a5b9a68467

    • SHA1

      d28d15bf11c8ebe5b8a7fea62e6ff7cb7f246a48

    • SHA256

      d62f03a5584e3ca2265a79bdd4e0fb0add3d0412b01568178f46f8dcecf881b6

    • SHA512

      f45f2e7f276c18f7ba27863877c1628e0e2ffe6622697839df98e8f8dd08f7e4f48e24faa4111c7ede812ef9c0b31e17404849735259d18f4a873e656186d916

    • SSDEEP

      24576:Uyf7nDQrfR/VhGMSS0wAxPDL5aN6Gq9LBgLuKGwzkHzWn1eLCGEp:j3Qrf5GMShpnfGkLBgLuKNzln1eGGE

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e72a6e51dbac1e6313459eab1ffc1832d973b0fd23fe10aba5acdee9ba028f6d

    • Size

      853KB

    • MD5

      03c70427b7f46efb268904efce07e208

    • SHA1

      6201e0eb7f063348a80543fce2e4f92f064624b6

    • SHA256

      e72a6e51dbac1e6313459eab1ffc1832d973b0fd23fe10aba5acdee9ba028f6d

    • SHA512

      28112660c5df88ef4affbf1cf27105f54bb25f532d6d820d9ff8d72bf02a29dc2b3b3fe211c7383db7cb49ec6caec7d238ceac70cce8f29bd650aaa9958f78d4

    • SSDEEP

      24576:gydW77VD+If1MjC21MKDHlSX6YdG16mys76:ndY7N+7RKeH0XXA6mn7

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b

    • Size

      389KB

    • MD5

      047a5e67b8325b5f7f14d6300d2525fa

    • SHA1

      e765cf5f8a5e1e80bad8f737cd658ffaea69ed78

    • SHA256

      f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b

    • SHA512

      da5583b2adff91294d280d78d4b3b598aab8b169e79bbc638f1042fcf44ab00b357c20b5b9dc7319482dba7632bd238653da8c0458af3b25a95a684ae46f57cd

    • SSDEEP

      6144:KAy+bnr+Np0yN90QEQmynqq5AvfcQr4UliD4EYjxgt2jfsmdrHq/LDxMMJOkeb:UMrhy90WP64Ul84jSt2jfHrKjDxMMbM

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      fdb9b250992b8c5988cfe05d255d96db5dd1d7a3ac4959de26b8546038f10c78

    • Size

      390KB

    • MD5

      08306af598af45b8f7436ad80e8568c9

    • SHA1

      2c79aca7b3cf41f1a4b225abc5b07051d28ef610

    • SHA256

      fdb9b250992b8c5988cfe05d255d96db5dd1d7a3ac4959de26b8546038f10c78

    • SHA512

      c6b477384f3053cf71d264f9680acf8f45a4aaedd53f44bf059413f2aacdb94d0c233cdfd2647dc557bea1df962bb451d272b129e37f0bcf5993b268e999117c

    • SSDEEP

      12288:sMriy90lWOVYM/uatHtNpErYtyxmVwWo:eyuVYEHt1EEtyowF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              Count  ID
  Execution             Scheduled Task/Job                     13     T1053
  Persistence           Create or Modify System Process        17     T1543
  Persistence             Windows Service                      17     T1543.003
  Persistence           Boot or Logon Autostart Execution      18     T1547
  Persistence             Registry Run Keys / Startup Folder   18     T1547.001
  Persistence           Scheduled Task/Job                     13     T1053
  Privilege Escalation  Create or Modify System Process        17     T1543
  Privilege Escalation    Windows Service                      17     T1543.003
  Privilege Escalation  Boot or Logon Autostart Execution      18     T1547
  Privilege Escalation    Registry Run Keys / Startup Folder   18     T1547.001
  Privilege Escalation  Scheduled Task/Job                     13     T1053
  Defense Evasion       Modify Registry                        53     T1112
  Defense Evasion       Impair Defenses                        34     T1562
  Defense Evasion         Disable or Modify Tools              34     T1562.001
  Defense Evasion       Subvert Trust Controls                 1      T1553
  Defense Evasion         Install Root Certificate             1      T1553.004
  Credential Access     Unsecured Credentials                  2      T1552
  Credential Access       Credentials In Files                 2      T1552.001
  Discovery             Query Registry                         17     T1012
  Discovery             System Information Discovery           30     T1082
  Discovery             Peripheral Device Discovery            3      T1120
  Collection            Data from Local System                 2      T1005
  Command and Control   Web Service                            1      T1102

Tasks

static1
  Score: 3/10

behavioral1
  Score: 3/10

behavioral2
  Tags: redline, 5195552529, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral3
  Tags: amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral4
  Tags: amadey, healer, mystic, redline, genda, dropper, evasion, infostealer, persistence, stealer, trojan
  Score: 10/10

behavioral5
  Tags: amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan
  Score: 10/10

behavioral6
  Tags: evasion, persistence, trojan
  Score: 10/10

behavioral7
  Tags: healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral8
  Tags: amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral9
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral10
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral11
  Tags: healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral12
  Tags: amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral13
  Score: 3/10

behavioral14
  Tags: redline, @mass1vexdd, infostealer
  Score: 10/10

behavioral15
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral16
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral17
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral18
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral19
  Tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral20
  Tags: redline, kira, infostealer, persistence
  Score: 10/10

behavioral21
  Tags: healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral22
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10