Overview

overview

10

Static

static

3

0e13a10fd6...cb.exe

windows10-2004-x64

10

0f3fc05fe2...99.exe

windows10-2004-x64

10

1437361c67...55.exe

windows10-2004-x64

10

23bea5b85d...33.exe

windows10-2004-x64

10

27054c4ef8...56.exe

windows10-2004-x64

10

2b700615cb...c1.exe

windows10-2004-x64

10

30fb90dbd1...b4.exe

windows10-2004-x64

10

312c299a84...a6.exe

windows7-x64

3

312c299a84...a6.exe

windows10-2004-x64

10

35d50aca92...42.exe

windows10-2004-x64

10

627c0990f7...d9.exe

windows10-2004-x64

10

65db5d7052...3e.exe

windows10-2004-x64

10

677afbc183...fd.exe

windows7-x64

3

677afbc183...fd.exe

windows10-2004-x64

10

841ea03e18...82.exe

windows10-2004-x64

10

85594a9dff...ab.exe

windows10-2004-x64

10

8c7a2623ea...7d.exe

windows10-2004-x64

10

9a0ecac5f6...8e.exe

windows10-2004-x64

10

adaea581d9...c2.exe

windows10-2004-x64

10

c64d3873d4...2e.exe

windows10-2004-x64

10

ffa14d4c0b...02.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    r.zip

  • Size

    11.1MB

  • Sample

    240509-sfwdtafh31

  • MD5

    83547952c0fc36e03dfc8221dceaf270

  • SHA1

    151f998a28685de77c6f33b5385de96b1728b944

  • SHA256

    5917339910bda68a91f92247578c308113ee6fce121896237213a864c446fcd8

  • SHA512

    be3959aca192cabe86d244ac8b1e7c99b2cba76df7c72890516454b0fbaddb17cada092f6a072ee68585feda57b68d019a6f0c3b06e839b104245c0a615509a6

  • SSDEEP

    196608:pYl1CuTXrivcI8mBPyd5ZnEs8bw4m57P2LYSHDNQIqUPbf1yA5x:CTC44cI8m25ZnEK4m5z2ZqUT9Vx

Score
10/10
amadeyhealerredlinesmokeloaderzgrat5637482599kirakrastlamplandenasanewswelosbackdoordiscoverydropperevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67
Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

welos

C2

77.91.124.156:19071

Attributes
  • auth_value

    9605367dc0a1f64eb2f71769fb518fcf

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Targets

    • Target

      0e13a10fd67a47892e598c6953856fd7786d3e7b1f70c519cae5cfe6b7ce37cb

    • Size

      515KB

    • MD5

      3e4e8d216a0d15843b0aec01c987bd3c

    • SHA1

      f97fd9bdafbc200bfb0fc0831ba2f467f292e5b5

    • SHA256

      0e13a10fd67a47892e598c6953856fd7786d3e7b1f70c519cae5cfe6b7ce37cb

    • SHA512

      ae797941b8f5e7cf81093a47b49c043c3e22b6df6cfeb4f11d6a484c43aaefb59c913763024b54bd9955e38c84549b75854de1e248080b6a669e95ed56b096ef

    • SSDEEP

      12288:RMrRy90hbABebqT7LJ525DJbwwIHlNkeI9UhJGT:cyEwGqG5Dl8FNWe2

    Score
    10/10
    amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

    • Target

      0f3fc05fe2db9d3b03c0b7d1c6af9353f3d7c1d340577a71dabad5617658cb99

    • Size

      390KB

    • MD5

      474932b39373f48c7a530441d8e9709e

    • SHA1

      87e49f87d564dea22fad5eaa488d024492e5d4d8

    • SHA256

      0f3fc05fe2db9d3b03c0b7d1c6af9353f3d7c1d340577a71dabad5617658cb99

    • SHA512

      dc046f21596ab8497f7ca3980366a890a70d5db2d3e827cf557c0df52e4c1a201ac5460509958977640a2906f85172feed8d4f4230bb2c7f31179b924ad9b0b6

    • SSDEEP

      6144:Kzy+bnr+ep0yN90QERKGbHP7i7yEfIA+o2hdlQkWglzYEHxeFvm5cLvfK+Kw90Lm:JMr6y90KGD7Oxghh7cEHIVvpWLc6lS5

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral2

    • Target

      1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55

    • Size

      390KB

    • MD5

      461a41b00e56b7edc7c954b28a7ab0f3

    • SHA1

      4b60bd82ddaf0916bda391168caafa6813c8d184

    • SHA256

      1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55

    • SHA512

      290ae015d12adb975cd1d5fd757e83be03d1de7e6b5b78ca06f8bab8aef88fb395d6d0b78393d1b5ab1be5b9f48146e247c09c7962d541a341f75c31fc123e46

    • SSDEEP

      6144:KXy+bnr+1p0yN90QE+susNp+TPHNPdk1deU/4KlvZimAKtvqoDbcG4hJQURF0:hMrly908MHuPHzGeUPR5AiTbQHR+

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      23bea5b85d6bafc9a62fa8bb8337d9c39b8f4f7d139c32113e8eaa6099afc933

    • Size

      390KB

    • MD5

      45bdb63c450034716e897d6462e4aca4

    • SHA1

      b9d7b109fb3194c76aae8de0007302ecad459efd

    • SHA256

      23bea5b85d6bafc9a62fa8bb8337d9c39b8f4f7d139c32113e8eaa6099afc933

    • SHA512

      27b32c1ba1add847b3f14a63652640c70fbb49b9dc86e2351138dd7c3fca50fcb48fcc3b5071f1b3a25ab1229959dd65e909bff3509bf3b4888e1e6c38e968d9

    • SSDEEP

      6144:KJy+bnr+hp0yN90QEE1e9lALt0B0MQkxItHdxhbheeNGtCcHnlRHmaGcUkSYfP:DMrNy90P9laWKfks9xvVNVcHnl92Y3

    Score
    10/10
    amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral4

    • Target

      27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556

    • Size

      856KB

    • MD5

      42bfe71072750a81fe1d4dcdb2f04dc2

    • SHA1

      29ac9199d705da60cd8cf27229e8dda3e6188be5

    • SHA256

      27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556

    • SHA512

      2e0f763ffc407cfce7646b3d5318d5f507808bd0e0d63d81d39d767c754ae153fbfb3a5fcfe6331a57731cb2ca34a6c586c4ca1fc059dbe7d53a657580d37021

    • SSDEEP

      12288:BMrSy90bmxzzWSvRTkc64XzHqbv0t3CEfEkkOP3QBXD/n3HPdy2U3RMAManmlbCY:PyRSSZ56gzHqbv0ZCEBcn3VlcG+nm1

    Score
    10/10
    redlinekirainfostealerpersistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral5

    • Target

      2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1

    • Size

      515KB

    • MD5

      468b8fb8fee779e9bb718ae1d50c891d

    • SHA1

      e829e9c23aced9a9b956ae9a3f58ad6c5b014ab3

    • SHA256

      2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1

    • SHA512

      0d8438c09c31c11d72fd3f28a4e39fba7ef6133728d2e6309a64b9236e1ef853b57bda48b8130d4ed2153616849869024e00a544dbcf95b6d858d0ec4d1c7cb5

    • SSDEEP

      12288:hMrTy900gkEayaYWCJZ80zpbB5akxvA5TcR2tXPs:aygkUWwZ80zpbB8k6E

    Score
    10/10
    amadeyhealerredlinesmokeloadernewsbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral6

    • Target

      30fb90dbd15d7cf28cd8c2c3ac256de3f63d31799b3d6452d6448ff5fc3a88b4

    • Size

      921KB

    • MD5

      44cbb98318d10e181dbecfc6c7930c92

    • SHA1

      8b8dbb3697aa7d64447e563c66fa3e7ff4b7984f

    • SHA256

      30fb90dbd15d7cf28cd8c2c3ac256de3f63d31799b3d6452d6448ff5fc3a88b4

    • SHA512

      291b45439409caba17d76e554f9b10764a1249799832c1aac668e74edd303830a306a1c47a8875b6e03e840b2cda9784febabfac2cab523898c554d197c45a15

    • SSDEEP

      24576:ny81+rfI0+ZZypDGLOnY6n3yUkcm4ifIPIik:yg+rfI3ypD35niUs4PIi

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral7

    • Target

      312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6

    • Size

      274KB

    • MD5

      4635361b363279a7e8949c6116d5e7ca

    • SHA1

      cde89aef4168abc13daae421d2eda6d14c1a8d13

    • SHA256

      312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6

    • SHA512

      17989df5098801737b2cdb0f4a7ca9ba3656f8cb130e164abc091aefc0b543308a98c81e3539b01848ddc8c5eb79c92c9c6af840b5d5c28001caa69a4ac5b62e

    • SSDEEP

      6144:Z5eaoQWhlmgE5iEmu4asT8TggkNIAJp6wpP:zeaZJiEPNTggkpBpP

    Score
    10/10
    redline5637482599discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral8behavioral9

    • Target

      35d50aca923965e5a644e1735c8cd657d562282a8fddd8a654982c84f9258342

    • Size

      389KB

    • MD5

      3e8e3f99da17defbcc54d0b92d42d370

    • SHA1

      4ae4d190f1c7743e707ade02bc452627b85df598

    • SHA256

      35d50aca923965e5a644e1735c8cd657d562282a8fddd8a654982c84f9258342

    • SHA512

      b395d1d18633eae61c9133b42803cac788fe2e636bf2d930e6d5b19b227b64c9c04bb748d440b7664a011626b03ac9e80b284442f63ba3d4948bf3a4ff4e9165

    • SSDEEP

      12288:iMrEy9080eKh/MtcyzhXhwB2GdnXxxEpyFpp:qyUe5tFtRjUkIFpp

    Score
    10/10
    amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral10

    • Target

      627c0990f7c6fa8cc9a276966f3e2b428f8323bdd73c68bdf8034799f948f0d9

    • Size

      921KB

    • MD5

      4266390a3e460f4dbe90ce7d9d091d2b

    • SHA1

      16bf185400157eaae1561b62196add6bca53b84a

    • SHA256

      627c0990f7c6fa8cc9a276966f3e2b428f8323bdd73c68bdf8034799f948f0d9

    • SHA512

      be25bfb86b8ef7a9f13a9e770e35e4273132920989e37a02fc90887d61208461d41b1b5e0dc419e6a1e53491c6243ad5221040d3f7d854c9b9496f3a19fe54fd

    • SSDEEP

      12288:EMrBy90qgmVH2qW5mA+49iYIvuPRQ3ijJbcrmVVhlheKO83eRs850M2ztvv:ty7gmx2qW5mSVPRQAJlzD/GIv

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral11

    • Target

      65db5d7052987e7e8d814719a1e9c77b7d0f755b7f100a0b3f0b0d1b83d9b43e

    • Size

      515KB

    • MD5

      46a5f69bf60289bf73f38e1d9be85075

    • SHA1

      8639931600b10364a4c823b701c00893c22aea6b

    • SHA256

      65db5d7052987e7e8d814719a1e9c77b7d0f755b7f100a0b3f0b0d1b83d9b43e

    • SHA512

      dbc4506574b8a92d600e60fd642f44942f2a19c3effbf284891da05751b5b6d82dab4122dab6abc758ec40eb366e3e042c3bc46aec3360440e113a550cd7ce29

    • SSDEEP

      12288:fMrhy902Q+epdnODTdGxV/OB/n2VOSqzCMWb:uyyp8vdGXmp2VOBzCMK

    Score
    10/10
    amadeyhealerredlinesmokeloaderwelosbackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral12

    • Target

      677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd

    • Size

      467KB

    • MD5

      3ef1aae1590eb138e6444db02fd3c1c1

    • SHA1

      d8906538be380eecb256132a5a87682d8b14e254

    • SHA256

      677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd

    • SHA512

      9146ebe581ffa7bae67a8bf74969e8144c4d059c3409d75a20b40771b8d6511f9ec5c49a2a0664646798d6b21094d3b8b5cb8ae4992d3a03e5c6bfa34c27d694

    • SSDEEP

      12288:iZZE67b6ybYwz3EtKooU0EpPSnGkOaPVDOQSFv3uMyL98F:6G6/bYvt10EpPSGkOaPoMRZu

    Score
    10/10
    redlinezgratdiscoveryinfostealerratspywarestealer

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82

    • Size

      918KB

    • MD5

      3d56fe60879ef137225e115ea42923cf

    • SHA1

      e13b6d13fe9d23e1e67b2b9136fc8ce25aa8a3ee

    • SHA256

      841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82

    • SHA512

      151dd3af640f2b75af8b5c56c79b7faa72c1b92b334157191afef4747ee6d138ae991f937b752535c932fdeabfef0e6d7cc661107c3207f8138cc5f3393662ef

    • SSDEEP

      12288:kMrHy90QFfLsOpAvhgQTDKstwuoHAb8ce092kfJZGwgb3N4R3pQZp86GqWLYWiyk:zyNAZvhPKstwuoHeBXjv16p86GS3

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral15

    • Target

      85594a9dffbaaedca9ea95760b5683bb9ed199e29a54525ac755697a6e18aaab

    • Size

      864KB

    • MD5

      41223dfc76e28480031586abab191b52

    • SHA1

      1cb6d3be6a20e7820d2b8b8fad788bb25f3ee41c

    • SHA256

      85594a9dffbaaedca9ea95760b5683bb9ed199e29a54525ac755697a6e18aaab

    • SHA512

      753b62816fad92baba3639253b4e6490233a411d716bb2c6dd76dca08e04c4cd6da404c1965b8022839bce27b365608e9a9477dd37fb489daecfdedd905a408e

    • SSDEEP

      24576:Gy0c5/BYPdGsFBaaSiMfLragExjwfQjEv:V0cCtPaaayNY

    Score
    10/10
    healerredlinekiradropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral16

    • Target

      8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d

    • Size

      925KB

    • MD5

      3e90b5f8e46ec833c865faa7b4d1bc60

    • SHA1

      28f893f8c74afb560f3d58113176a6417d561fbe

    • SHA256

      8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d

    • SHA512

      caeea27ce211e797c65de526a4a1d597f00117f0f6a64755a433142f9425e85672ae86cac7d71fb7f8c2ee9b38af3766b669c513e54ab279508e9f8f212f78ad

    • SSDEEP

      24576:zySEW8KZohbEF0cN+j+EQJBBenV9CSEsVTrPhc:G1WLZohi+jvQJBULCPsZrP

    Score
    10/10
    healerredlinelampdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral17

    • Target

      9a0ecac5f61531b0c28426e6e97edeaa0c930397169075cb98b077174beb638e

    • Size

      514KB

    • MD5

      4487e1cdd58ccb52a46645553b956baf

    • SHA1

      cddeb1a3b04d8998c32b47fcee9e4c13d4e409a5

    • SHA256

      9a0ecac5f61531b0c28426e6e97edeaa0c930397169075cb98b077174beb638e

    • SHA512

      012887d77f077ae49a77ef250c4b3292d8207690be2ca30d8803a7949698941f2fb9c0f34ac6c4d2b99a9eaf49f0208903661ff97566cef19ac1cdeac00b93eb

    • SSDEEP

      12288:kMrdy90Me2oz7msLFkKLvUdJ+g5xbPJDMA9u2puSgF5cQrwmmU0:xy7m7mmVvU1xbPJMt2pxC0

    Score
    10/10
    amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral18

    • Target

      adaea581d959a8c0e4a570708711cc0a4112daa9ef8d47d1f5dafe486a1b32c2

    • Size

      1.7MB

    • MD5

      4734e393c969f8b3ff8e2920d219d019

    • SHA1

      d4c55709c6245046d98f9e2f97590bf5489b7f62

    • SHA256

      adaea581d959a8c0e4a570708711cc0a4112daa9ef8d47d1f5dafe486a1b32c2

    • SHA512

      471c73574428b51e582caca5a00d502e02ea07cbf03f5d155c340270563c88abf9f9ac8112d45a28a3def92a9df391cff9b196dea83c844736f792e38411f2fb

    • SSDEEP

      24576:4yAA0NUSRSM2qaCRG18MiJ+XXHvSaKzjuPbetqkTtKl6OsBsGqcLjgAJs4K5/:/nM2qFUiJOXhKzjuPs5u6OsK4oBN

    Score
    10/10
    amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral19

    • Target

      c64d3873d4dbf74d0c6e28f27a09adb2a8c897e218d1a4a4f5822391bf80c92e

    • Size

      390KB

    • MD5

      3e0e0e6d1b148a974f44ed81e76b4daa

    • SHA1

      6e500bf32412d5f02b5994e016a1c3ee577a1f9b

    • SHA256

      c64d3873d4dbf74d0c6e28f27a09adb2a8c897e218d1a4a4f5822391bf80c92e

    • SHA512

      2cd132b1d0adabf219069588447a1ba17492b0b362b47e6668fd09543f71a9d18a974497dcc077af549d243984ace87b4cafa74c9feb55cae31a8dac7964533d

    • SSDEEP

      6144:KNy+bnr+Yp0yN90QEtdzHtFJ+5AnfcYNRAdFnD8AVDQ1NWXy//Sm7kk5nrKA/t:zMrAy90ZHLmGEFI3+y//sk5nrKAl

    Score
    10/10
    amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral20

    • Target

      ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102

    • Size

      359KB

    • MD5

      3e6c4929a82b142d398d5b1a60a93857

    • SHA1

      478ba0a29fcab3a9674f20c5b28f66a0fcc53795

    • SHA256

      ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102

    • SHA512

      3e292fdc2d2f52d9942fc732e66c4dbc50656a22b758c7e67377077d8461d0c18170cb50634d07d199957bb5cb5e728c7fa5ed9c5c71018b17945e184e5714e4

    • SSDEEP

      6144:K1y+bnr+op0yN90QEdx1i6EoKZ8J+gY4OUsKOK/Apfn6l+ZMFIPXewY:XMrIy90nMUzOUsKOK4p9PpY

    Score
    10/10
    amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral2

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral3

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral4

amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral5

redlinekirainfostealerpersistence
Score
10/10

behavioral6

amadeyhealerredlinesmokeloadernewsbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral7

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral8

Score
3/10

behavioral9

redline5637482599discoveryinfostealerspywarestealer
Score
10/10

behavioral10

amadeyhealerredlinekrastdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral11

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral12

amadeyhealerredlinesmokeloaderwelosbackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral13

Score
3/10

behavioral14

redlinezgratdiscoveryinfostealerratspywarestealer
Score
10/10

behavioral15

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral16

healerredlinekiradropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral17

healerredlinelampdropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral18

amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral19

amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan
Score
10/10

behavioral20

amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan
Score
10/10

behavioral21

amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan
Score
10/10