General

  • Target

    red.zip

  • Size

    10.0MB

  • Sample

    240509-rz1xzahf94

  • MD5

    399ef92c87ffcc6189f158bb033d88e3

  • SHA1

    f1e5f0ea9f8c547dc6f253748173ebed1f084124

  • SHA256

    2fa961b375e2da330a3b514d2c64bff25f393a2a58adb19f2372609308426060

  • SHA512

    5e9c4eae46027174c7910dbb82202136f8007fe0222c2beebe3e8c958c2bf1c04e2417e062fecc44dcf4ed624714209038c371cbfaed8c4bf0b54e1533667993

  • SSDEEP

    196608:pJAgnJvOKBIVVpjUEAyPFSLGaKKNp5KMpibdfoqg5kGWkuU33KiL4p6YPYtkF4em:hvOKilUOSeKNpRslonoUKFgYPTFFP+

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

http://77.91.68.61

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain
1
a091ec0a6e22276a96a99c1d34ef679c
rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

1366220748

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

welos

C2

77.91.124.156:19071

Attributes
  • auth_value

    9605367dc0a1f64eb2f71769fb518fcf

Targets

    • Target

      1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be

    • Size

      923KB

    • MD5

      15a66b0dbcfb940814f615e4ee68aba4

    • SHA1

      176b68418045780c00cfd3d7d80bfbfbfc5d5c06

    • SHA256

      1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be

    • SHA512

      567bb1ceafb234ae79165a19f029455b169fb1fdd09ef2117194e1b7445ded3f790c7dd677e1ec9dda5e87b8ec80e03f948c1a182a88af23667aa937136e5490

    • SSDEEP

      24576:AyTpevOGPbwWB1yeCa0va2vLKpWF8XggzXjeMsP0upbt:H1TGPbceC7mpteM8pb

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368

    • Size

      515KB

    • MD5

      11c22c7a24b8f0576c3470af1561a6e9

    • SHA1

      47ba63be9cdf137c5356465791cca7e8d26048f9

    • SHA256

      2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368

    • SHA512

      acef19e6e351f779b034509e7eeff3eedebae468702c75c6b3a6c844b9024c84dffd25e768a8214df451fb33d094f979ad458bd0ad80d1a25bc312338b4d071e

    • SSDEEP

      12288:AMrpy90pbhdTlggxZzkUrC7pfy4NHWisj53QEEXOsM0:ZyGzlgrUGPWjhQR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48

    • Size

      188KB

    • MD5

      137f89538b18fec4e18561f3c0074666

    • SHA1

      05285ca1589e7eb544b78319c5a6bf2ad8093bf5

    • SHA256

      25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48

    • SHA512

      dac288d4c46586147800406f74a1e6cc3263c86a7ace1c62ed58277fe68b601a20c2a7783ffb2bda19899138b827f33c4005155b8fd32b58f46f3fbc3bc6a0d1

    • SSDEEP

      3072:zF0Z64zJQzbb/Qt0Vf3I/jGRf8pdXyprmw4USCkHdSzw0WQEEhmwfdxTI6Exfx:zyZJzezbkef8pdCdmNUSZHWeEhmwfdxe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed

    • Size

      1.2MB

    • MD5

      16b7af3083fac493eac54ee538577c48

    • SHA1

      1ef2e6b67099fc395003b84a9a204944190d90fe

    • SHA256

      604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed

    • SHA512

      8169e8b0459ee101fa0cb349b68909ddc13ed9acaf11cc533a2fc2585ced4a8508a956565fa525d6a87f787b4f104035efce40158eed9b8a86138e7c26b8ee46

    • SSDEEP

      24576:Eb65d297HFpZVrMWP3LLaK1iU4ecMC7GaUiaNQlY:EusFpZVrMWlE6CCTN

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e

    • Size

      390KB

    • MD5

      1602d64d0a81f84e8fbf24150b9e5cc6

    • SHA1

      ec4e0320a3700cacb7f21891710c7bc83b2f9ae5

    • SHA256

      611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e

    • SHA512

      a9301d045d511c9a63c086feb19d2cd749b64039c409832018648b7c0408b4d81fac1a4770101936a0277b240ee6e7bdc5ab8b9faa0be615a17bf0a256f74abb

    • SSDEEP

      6144:KRy+bnr+Jp0yN90QEda+mxeyHanMZ+gpv9LBQIhcgBZ+t4ED2RcbuvhPcfY1UT:fMrVy90VmAy6nST3LBQIGgBYCEarZsR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974

    • Size

      680KB

    • MD5

      15c6e3a281fa49b0888ba712bdcf5d2d

    • SHA1

      215c908f8d6cea84000eb0e217088146a89e1be7

    • SHA256

      61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974

    • SHA512

      e42aae85487285410c2df8fc02941556cab4528aec809f2467c13de83ca8e6cbcdd6a24b34214c4fac674dc16a08fefdef64814feebac1b51553c9fbd253fde4

    • SSDEEP

      12288:UMrty900Sjwa4O2Nx174H8O9yWGxVeO+/n24gzqzC0W3PJyW:hyewOmxxyYWGXFI24g2zC0+R

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b

    • Size

      515KB

    • MD5

      105d5754387cc3a3140ccc8660c1e50f

    • SHA1

      8dbb756c10678900b0e33893e81976f82ca0b8b5

    • SHA256

      654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b

    • SHA512

      538caa75dbcbd33065587c29e6ce0bcbf51eddc8ce50ce8b6684381e4ee0d9bb8c603669afc0272c7e8efd614c7ae87a0d78fe1b3a284006d193389c98243e62

    • SSDEEP

      12288:bMrzy90w4dJ/YUR/O0OI/gbs/YYsDYHHlhctsY6Zqztn7Q6ip2:gyV4DHR/VO+/YDknlCtf6ZaV7Q6iM

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed

    • Size

      390KB

    • MD5

      11154b27576c4246f2e8eb83278bc984

    • SHA1

      83b173354ca803be9f5fdf756544b600dc3fb825

    • SHA256

      6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed

    • SHA512

      7451cbe817cb1e6482209b82c13db65be7a1933f1cba91d279fb6bc69821b3b7447f28ec179cfcff923abf1266b1808bdf8d2d0012c5de4d5412dfa9258d1786

    • SSDEEP

      6144:KNy+bnr+Sp0yN90QEhBDbF8ftda/5ONdFSA/rtWX3X0ijvDrJMFWDsC8:zMrey90dDhywwMADkH9pMF1C8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce

    • Size

      390KB

    • MD5

      11baa1b7efc317dced301ee22d864dc8

    • SHA1

      1e1fdb8796ff4ecf41d61973f20484ca2bdd97f2

    • SHA256

      7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce

    • SHA512

      af00cd09654d001b8ffffbdd673bfce35c800ec96acfe849b89dfca7d83b4aaeaf79ac91783684b216c1341ca2e510120fd6042a5329d239dce40e9cf006f49f

    • SSDEEP

      12288:KMrIy90ROSK9OUDX81nBWW3U0qgRYYGlcVg:GyCiOEs9brweg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171

    • Size

      769KB

    • MD5

      1256f708f701022984164fbee3ae9434

    • SHA1

      4c7032f4aea509e7dab6d37602c79e2478611936

    • SHA256

      8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171

    • SHA512

      0b045b632fb716c67ceacf43bed145e119f540ebcf1b427a78f84ea6055377643ee0919f8cbad7ffd034afb2f444a9eda5f6ae127ffce89be0a774e170510917

    • SSDEEP

      12288:8Mrsy90bwIM4l9soPBH8D0eRmQWnFQ3oas8VuA0Nb7+yZQvMou61+T:gyqZKcHM0ZnGYaxUA0Nbi+QkB61+T

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3

    • Size

      390KB

    • MD5

      148b6fe5b9664b83b4638511e86c6c5d

    • SHA1

      2ed10943376474af81580c75911d18644060d893

    • SHA256

      9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3

    • SHA512

      6025b79dcb7b5219b2981673fce6555cb2bf7575dbe3df2cb1ede8b3d1d7031b3b54bc7b209f758c005915c84b805872ca9e7b2adcb5bffae316426d1f0c8b05

    • SSDEEP

      6144:Kzy+bnr+Jp0yN90QERX4tm0kXjd0hkWWnZNuj++5LxpD3RsN+UBr5hPy11+GHHLo:ZMrJy90jow0e09++9xxBssUdnP+HHs

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f

    • Size

      389KB

    • MD5

      12f3bbee6e856924c7409555272d08f6

    • SHA1

      d3d1e4683056f11053fa888359ef50aa7bc3389c

    • SHA256

      b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f

    • SHA512

      67d3f742d4b926b1293910fced3a3887ef875d21a77797bf6e6c39e60a649e48c836f00a984447e5708f2c404d272be2cfca07d691991e561ec7a4d9a2e1fe91

    • SSDEEP

      6144:Kty+bnr+Yp0yN90QE/qCUXAU08Nad122iFyAjm6FftxVY2xmT1fNPch1saI:/Mrgy90/mAKgT2jyAjLpC2xs9NPpb

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b

    • Size

      517KB

    • MD5

      16d385b1becdbc8e36f5d1d0fd57615f

    • SHA1

      fd744f498fdb587a65b48947c62f7e6e1cd6e2aa

    • SHA256

      ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b

    • SHA512

      d39ea9b235a5618061ade83805fbf0d14ce8462aa3e3ff47687df7632f357f46526b64681b17703d3fe508f0f8fc6e2a1b55c9dacee7f5dc8661fa2f4d7fb7eb

    • SSDEEP

      12288:uMrHy90dtJ2zSNyj+Tmq3mC9wH5/bCoeANWG:JyPZj+T9x9E5GY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb

    • Size

      389KB

    • MD5

      1609a44aaea41e6f7d2749f49a60a1af

    • SHA1

      bd745dd9d52800299333f09809c9caeab5ea42ec

    • SHA256

      ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb

    • SHA512

      3e0702c99f8610d92686884ad475e5ccd40781cc549f42b64ea467aa9eadb17938b4e39d0422f60c2c1982458640ac3bad6d35f782cc334587ffbd8dcb175218

    • SSDEEP

      12288:lMrxy90Auu38NGdG+riCgBYC+DTTjl6SZV:oyi9xzwTj0mV

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe

    • Size

      390KB

    • MD5

      163816fafd3946cc9e0b0a56dbb544e0

    • SHA1

      a9306aaebf9e16c1e6d97130dcf711017894c10e

    • SHA256

      c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe

    • SHA512

      5c88643b23d96c41ec903e804077f9ec6e49cb54752a5c2b1a5476f284c43c859803bcd9cea53a9816752cc392a5b2dd16920f21c37ef5101b746f5cc80fea07

    • SSDEEP

      6144:KKy+bnr+kp0yN90QEU3oZDwSSJAvVcQlPRAbR4SHgUTyxrDumDiaobYNZTBCo9V9:2Mrcy90oe8Fk5ARkFrivbYrBCHPtEb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e

    • Size

      294KB

    • MD5

      175e3db636d9fd541cc11991815ea662

    • SHA1

      c5e30c78f298c1aa26768bc036795e19ed7e60d7

    • SHA256

      c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e

    • SHA512

      06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9

    • SSDEEP

      6144:CF/pvusFFxSzg1ksK43NvCoC9W8Fa/T9Hb5T2C8c:CF/pv5r1tK43NiW4ah

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Windows security modification

    • Target

      ecc005f21f15aefcf4a4280bfeddf37e7a9066e1fede069eb10a19bfaf62dade

    • Size

      1.2MB

    • MD5

      108da43ca546ecda525fb9192e48bbab

    • SHA1

      89e854990351e39312d835f972d5dd26c83e90cf

    • SHA256

      ecc005f21f15aefcf4a4280bfeddf37e7a9066e1fede069eb10a19bfaf62dade

    • SHA512

      47927611bcecf322864a8e6c62e43c284d7cfffe67b07096db04d3933ebd08484b4b8e25586721ed5313f24f0bfe3ff872cf7a76b6a7c98efd3db0f240a14dcf

    • SSDEEP

      24576:6ysB4DrCYYGq1BnTNaz6/usrdYu2GGriw+qx2u+ZXp9eS8Nts3TM:Bs4CjBnTNazeu8dT2nRx1+n8Nts3Y

    Score
    1/10
    • Target

      f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203

    • Size

      389KB

    • MD5

      10d90091ef4d583803f960e642111708

    • SHA1

      9a36e16049aca4f664c3802003afa15637326ccc

    • SHA256

      f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203

    • SHA512

      01891a9da02ab953a654f96bc927df089e11c28dff9983277621cffe463da5ff3a888992daea3f1f82d68fa1ec21ea6502c6ea4ceeb0495b3a13d813b438bd2c

    • SSDEEP

      6144:K/y+bnr+5p0yN90QEwBYGFRxbEZcRaEHIpj1XH8bbvymQmiaKq9REG8dq2:pMrpy90LUIZ1EHEBisG8dF

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71

    • Size

      857KB

    • MD5

      10d9e523ef3fa325767733e9b06a5183

    • SHA1

      ce932310c4e2ff5db5c2c78b90f69ad2270c08b2

    • SHA256

      f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71

    • SHA512

      9c319dacf140286345b160ca481dfe68466db1f028fa3f823d5ad8c7aacce5ed2d1218bbb226a103870004bfe7c845d7396fe851e4142f2cdc877e47fed2cf8e

    • SSDEEP

      12288:uMr5y90hl0vLfgTNcWAs5+X7YQaeB42ilLYj18fbo+efG40s+6OuUFLV3sBempko:Hy+0zqxA3LvmSj6jo+A0GUFh3Rm6aj

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f

    • Size

      923KB

    • MD5

      14826c2b7764c3ae77eb12b79dd1aaf8

    • SHA1

      c46b126efed7e3f415170c28c72fe5728f9d3736

    • SHA256

      fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f

    • SHA512

      e6c8c0033d6dfe041cccc39706b792848dc616a558c4335a684b90b4699b741878e5bd6154091fcdc5edea5aa6182461cf77d8502570d757e8139dd923e34817

    • SSDEEP

      12288:FMrty90DTg0LJebSzCkCFAsbuJE0AR6N+nNuSXFdjlocBpRDPUYz+tEAF15+pqE7:QyshkYdCFduoNjrl5XBPUW+78qE/j

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral2

amadey healer redline smokeloader news backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral3

redline 1366220748 discovery infostealer spyware stealer
Score
10/10

behavioral4

redline 1366220748 discovery infostealer spyware stealer
Score
10/10

behavioral5

Score
3/10

behavioral6

redline zgrat discovery infostealer rat spyware stealer
Score
10/10

behavioral7

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral8

amadey healer redline smokeloader welos backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral9

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral10

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral11

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral12

redline lamp infostealer persistence
Score
10/10

behavioral13

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral14

healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral15

amadey healer redline papik dropper evasion infostealer persistence trojan
Score
10/10

behavioral16

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral17

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral18

healer dropper evasion trojan
Score
10/10

behavioral19

healer dropper evasion trojan
Score
10/10

behavioral20

Score
1/10

behavioral21

healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral22

redline kira infostealer persistence
Score
10/10

behavioral23

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10