General

  • Target

    red.zip

  • Size

    10.0MB

  • Sample

    240509-rz1xzahf94

  • MD5

    399ef92c87ffcc6189f158bb033d88e3

  • SHA1

    f1e5f0ea9f8c547dc6f253748173ebed1f084124

  • SHA256

    2fa961b375e2da330a3b514d2c64bff25f393a2a58adb19f2372609308426060

  • SHA512

    5e9c4eae46027174c7910dbb82202136f8007fe0222c2beebe3e8c958c2bf1c04e2417e062fecc44dcf4ed624714209038c371cbfaed8c4bf0b54e1533667993

  • SSDEEP

    196608:pJAgnJvOKBIVVpjUEAyPFSLGaKKNp5KMpibdfoqg5kGWkuU33KiL4p6YPYtkF4em:hvOKilUOSeKNpRslonoUKFgYPTFFP+

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

http://77.91.68.61

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

1366220748

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

welos

C2

77.91.124.156:19071

Attributes
  • auth_value

    9605367dc0a1f64eb2f71769fb518fcf

Targets

    • Target

      1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be

    • Size

      923KB

    • MD5

      15a66b0dbcfb940814f615e4ee68aba4

    • SHA1

      176b68418045780c00cfd3d7d80bfbfbfc5d5c06

    • SHA256

      1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be

    • SHA512

      567bb1ceafb234ae79165a19f029455b169fb1fdd09ef2117194e1b7445ded3f790c7dd677e1ec9dda5e87b8ec80e03f948c1a182a88af23667aa937136e5490

    • SSDEEP

      24576:AyTpevOGPbwWB1yeCa0va2vLKpWF8XggzXjeMsP0upbt:H1TGPbceC7mpteM8pb

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368

    • Size

      515KB

    • MD5

      11c22c7a24b8f0576c3470af1561a6e9

    • SHA1

      47ba63be9cdf137c5356465791cca7e8d26048f9

    • SHA256

      2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368

    • SHA512

      acef19e6e351f779b034509e7eeff3eedebae468702c75c6b3a6c844b9024c84dffd25e768a8214df451fb33d094f979ad458bd0ad80d1a25bc312338b4d071e

    • SSDEEP

      12288:AMrpy90pbhdTlggxZzkUrC7pfy4NHWisj53QEEXOsM0:ZyGzlgrUGPWjhQR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48

    • Size

      188KB

    • MD5

      137f89538b18fec4e18561f3c0074666

    • SHA1

      05285ca1589e7eb544b78319c5a6bf2ad8093bf5

    • SHA256

      25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48

    • SHA512

      dac288d4c46586147800406f74a1e6cc3263c86a7ace1c62ed58277fe68b601a20c2a7783ffb2bda19899138b827f33c4005155b8fd32b58f46f3fbc3bc6a0d1

    • SSDEEP

      3072:zF0Z64zJQzbb/Qt0Vf3I/jGRf8pdXyprmw4USCkHdSzw0WQEEhmwfdxTI6Exfx:zyZJzezbkef8pdCdmNUSZHWeEhmwfdxe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed

    • Size

      1.2MB

    • MD5

      16b7af3083fac493eac54ee538577c48

    • SHA1

      1ef2e6b67099fc395003b84a9a204944190d90fe

    • SHA256

      604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed

    • SHA512

      8169e8b0459ee101fa0cb349b68909ddc13ed9acaf11cc533a2fc2585ced4a8508a956565fa525d6a87f787b4f104035efce40158eed9b8a86138e7c26b8ee46

    • SSDEEP

      24576:Eb65d297HFpZVrMWP3LLaK1iU4ecMC7GaUiaNQlY:EusFpZVrMWlE6CCTN

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e

    • Size

      390KB

    • MD5

      1602d64d0a81f84e8fbf24150b9e5cc6

    • SHA1

      ec4e0320a3700cacb7f21891710c7bc83b2f9ae5

    • SHA256

      611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e

    • SHA512

      a9301d045d511c9a63c086feb19d2cd749b64039c409832018648b7c0408b4d81fac1a4770101936a0277b240ee6e7bdc5ab8b9faa0be615a17bf0a256f74abb

    • SSDEEP

      6144:KRy+bnr+Jp0yN90QEda+mxeyHanMZ+gpv9LBQIhcgBZ+t4ED2RcbuvhPcfY1UT:fMrVy90VmAy6nST3LBQIGgBYCEarZsR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974

    • Size

      680KB

    • MD5

      15c6e3a281fa49b0888ba712bdcf5d2d

    • SHA1

      215c908f8d6cea84000eb0e217088146a89e1be7

    • SHA256

      61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974

    • SHA512

      e42aae85487285410c2df8fc02941556cab4528aec809f2467c13de83ca8e6cbcdd6a24b34214c4fac674dc16a08fefdef64814feebac1b51553c9fbd253fde4

    • SSDEEP

      12288:UMrty900Sjwa4O2Nx174H8O9yWGxVeO+/n24gzqzC0W3PJyW:hyewOmxxyYWGXFI24g2zC0+R

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b

    • Size

      515KB

    • MD5

      105d5754387cc3a3140ccc8660c1e50f

    • SHA1

      8dbb756c10678900b0e33893e81976f82ca0b8b5

    • SHA256

      654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b

    • SHA512

      538caa75dbcbd33065587c29e6ce0bcbf51eddc8ce50ce8b6684381e4ee0d9bb8c603669afc0272c7e8efd614c7ae87a0d78fe1b3a284006d193389c98243e62

    • SSDEEP

      12288:bMrzy90w4dJ/YUR/O0OI/gbs/YYsDYHHlhctsY6Zqztn7Q6ip2:gyV4DHR/VO+/YDknlCtf6ZaV7Q6iM

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed

    • Size

      390KB

    • MD5

      11154b27576c4246f2e8eb83278bc984

    • SHA1

      83b173354ca803be9f5fdf756544b600dc3fb825

    • SHA256

      6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed

    • SHA512

      7451cbe817cb1e6482209b82c13db65be7a1933f1cba91d279fb6bc69821b3b7447f28ec179cfcff923abf1266b1808bdf8d2d0012c5de4d5412dfa9258d1786

    • SSDEEP

      6144:KNy+bnr+Sp0yN90QEhBDbF8ftda/5ONdFSA/rtWX3X0ijvDrJMFWDsC8:zMrey90dDhywwMADkH9pMF1C8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce

    • Size

      390KB

    • MD5

      11baa1b7efc317dced301ee22d864dc8

    • SHA1

      1e1fdb8796ff4ecf41d61973f20484ca2bdd97f2

    • SHA256

      7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce

    • SHA512

      af00cd09654d001b8ffffbdd673bfce35c800ec96acfe849b89dfca7d83b4aaeaf79ac91783684b216c1341ca2e510120fd6042a5329d239dce40e9cf006f49f

    • SSDEEP

      12288:KMrIy90ROSK9OUDX81nBWW3U0qgRYYGlcVg:GyCiOEs9brweg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171

    • Size

      769KB

    • MD5

      1256f708f701022984164fbee3ae9434

    • SHA1

      4c7032f4aea509e7dab6d37602c79e2478611936

    • SHA256

      8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171

    • SHA512

      0b045b632fb716c67ceacf43bed145e119f540ebcf1b427a78f84ea6055377643ee0919f8cbad7ffd034afb2f444a9eda5f6ae127ffce89be0a774e170510917

    • SSDEEP

      12288:8Mrsy90bwIM4l9soPBH8D0eRmQWnFQ3oas8VuA0Nb7+yZQvMou61+T:gyqZKcHM0ZnGYaxUA0Nbi+QkB61+T

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3

    • Size

      390KB

    • MD5

      148b6fe5b9664b83b4638511e86c6c5d

    • SHA1

      2ed10943376474af81580c75911d18644060d893

    • SHA256

      9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3

    • SHA512

      6025b79dcb7b5219b2981673fce6555cb2bf7575dbe3df2cb1ede8b3d1d7031b3b54bc7b209f758c005915c84b805872ca9e7b2adcb5bffae316426d1f0c8b05

    • SSDEEP

      6144:Kzy+bnr+Jp0yN90QERX4tm0kXjd0hkWWnZNuj++5LxpD3RsN+UBr5hPy11+GHHLo:ZMrJy90jow0e09++9xxBssUdnP+HHs

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f

    • Size

      389KB

    • MD5

      12f3bbee6e856924c7409555272d08f6

    • SHA1

      d3d1e4683056f11053fa888359ef50aa7bc3389c

    • SHA256

      b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f

    • SHA512

      67d3f742d4b926b1293910fced3a3887ef875d21a77797bf6e6c39e60a649e48c836f00a984447e5708f2c404d272be2cfca07d691991e561ec7a4d9a2e1fe91

    • SSDEEP

      6144:Kty+bnr+Yp0yN90QE/qCUXAU08Nad122iFyAjm6FftxVY2xmT1fNPch1saI:/Mrgy90/mAKgT2jyAjLpC2xs9NPpb

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b

    • Size

      517KB

    • MD5

      16d385b1becdbc8e36f5d1d0fd57615f

    • SHA1

      fd744f498fdb587a65b48947c62f7e6e1cd6e2aa

    • SHA256

      ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b

    • SHA512

      d39ea9b235a5618061ade83805fbf0d14ce8462aa3e3ff47687df7632f357f46526b64681b17703d3fe508f0f8fc6e2a1b55c9dacee7f5dc8661fa2f4d7fb7eb

    • SSDEEP

      12288:uMrHy90dtJ2zSNyj+Tmq3mC9wH5/bCoeANWG:JyPZj+T9x9E5GY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb

    • Size

      389KB

    • MD5

      1609a44aaea41e6f7d2749f49a60a1af

    • SHA1

      bd745dd9d52800299333f09809c9caeab5ea42ec

    • SHA256

      ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb

    • SHA512

      3e0702c99f8610d92686884ad475e5ccd40781cc549f42b64ea467aa9eadb17938b4e39d0422f60c2c1982458640ac3bad6d35f782cc334587ffbd8dcb175218

    • SSDEEP

      12288:lMrxy90Auu38NGdG+riCgBYC+DTTjl6SZV:oyi9xzwTj0mV

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe

    • Size

      390KB

    • MD5

      163816fafd3946cc9e0b0a56dbb544e0

    • SHA1

      a9306aaebf9e16c1e6d97130dcf711017894c10e

    • SHA256

      c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe

    • SHA512

      5c88643b23d96c41ec903e804077f9ec6e49cb54752a5c2b1a5476f284c43c859803bcd9cea53a9816752cc392a5b2dd16920f21c37ef5101b746f5cc80fea07

    • SSDEEP

      6144:KKy+bnr+kp0yN90QEU3oZDwSSJAvVcQlPRAbR4SHgUTyxrDumDiaobYNZTBCo9V9:2Mrcy90oe8Fk5ARkFrivbYrBCHPtEb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e

    • Size

      294KB

    • MD5

      175e3db636d9fd541cc11991815ea662

    • SHA1

      c5e30c78f298c1aa26768bc036795e19ed7e60d7

    • SHA256

      c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e

    • SHA512

      06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9

    • SSDEEP

      6144:CF/pvusFFxSzg1ksK43NvCoC9W8Fa/T9Hb5T2C8c:CF/pv5r1tK43NiW4ah

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Windows security modification

    • Target

      ecc005f21f15aefcf4a4280bfeddf37e7a9066e1fede069eb10a19bfaf62dade

    • Size

      1.2MB

    • MD5

      108da43ca546ecda525fb9192e48bbab

    • SHA1

      89e854990351e39312d835f972d5dd26c83e90cf

    • SHA256

      ecc005f21f15aefcf4a4280bfeddf37e7a9066e1fede069eb10a19bfaf62dade

    • SHA512

      47927611bcecf322864a8e6c62e43c284d7cfffe67b07096db04d3933ebd08484b4b8e25586721ed5313f24f0bfe3ff872cf7a76b6a7c98efd3db0f240a14dcf

    • SSDEEP

      24576:6ysB4DrCYYGq1BnTNaz6/usrdYu2GGriw+qx2u+ZXp9eS8Nts3TM:Bs4CjBnTNazeu8dT2nRx1+n8Nts3Y

    Score
    1/10

    • Target

      f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203

    • Size

      389KB

    • MD5

      10d90091ef4d583803f960e642111708

    • SHA1

      9a36e16049aca4f664c3802003afa15637326ccc

    • SHA256

      f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203

    • SHA512

      01891a9da02ab953a654f96bc927df089e11c28dff9983277621cffe463da5ff3a888992daea3f1f82d68fa1ec21ea6502c6ea4ceeb0495b3a13d813b438bd2c

    • SSDEEP

      6144:K/y+bnr+5p0yN90QEwBYGFRxbEZcRaEHIpj1XH8bbvymQmiaKq9REG8dq2:pMrpy90LUIZ1EHEBisG8dF

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71

    • Size

      857KB

    • MD5

      10d9e523ef3fa325767733e9b06a5183

    • SHA1

      ce932310c4e2ff5db5c2c78b90f69ad2270c08b2

    • SHA256

      f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71

    • SHA512

      9c319dacf140286345b160ca481dfe68466db1f028fa3f823d5ad8c7aacce5ed2d1218bbb226a103870004bfe7c845d7396fe851e4142f2cdc877e47fed2cf8e

    • SSDEEP

      12288:uMr5y90hl0vLfgTNcWAs5+X7YQaeB42ilLYj18fbo+efG40s+6OuUFLV3sBempko:Hy+0zqxA3LvmSj6jo+A0GUFh3Rm6aj

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f

    • Size

      923KB

    • MD5

      14826c2b7764c3ae77eb12b79dd1aaf8

    • SHA1

      c46b126efed7e3f415170c28c72fe5728f9d3736

    • SHA256

      fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f

    • SHA512

      e6c8c0033d6dfe041cccc39706b792848dc616a558c4335a684b90b4699b741878e5bd6154091fcdc5edea5aa6182461cf77d8502570d757e8139dd923e34817

    • SSDEEP

      12288:FMrty90DTg0LJebSzCkCFAsbuJE0AR6N+nNuSXFdjlocBpRDPUYz+tEAF15+pqE7:QyshkYdCFduoNjrl5XBPUW+78qE/j

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

amadey, healer, redline, smokeloader, news, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral3

redline, 1366220748, discovery, infostealer, spyware, stealer
Score
10/10

behavioral4

redline, 1366220748, discovery, infostealer, spyware, stealer
Score
10/10

behavioral5

Score
3/10

behavioral6

redline, zgrat, discovery, infostealer, rat, spyware, stealer
Score
10/10

behavioral7

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral8

amadey, healer, redline, smokeloader, welos, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral9

amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral10

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral11

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral12

redline, lamp, infostealer, persistence
Score
10/10

behavioral13

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral14

healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral15

amadey, healer, redline, papik, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral16

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral17

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral18

healer, dropper, evasion, trojan
Score
10/10

behavioral19

healer, dropper, evasion, trojan
Score
10/10

behavioral20

Score
1/10

behavioral21

healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral22

redline, kira, infostealer, persistence
Score
10/10

behavioral23

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10