General

  • Target

    red.zip

  • Size

    10.0MB

  • Sample

    240509-srkrfsbe99

  • MD5

    b9f652a127ab1e086148fed612fb2f50

  • SHA1

    aae740ebc94353a6251be2c2beb71510e989b964

  • SHA256

    2a57fa0e264c30123d79d5a18397ff8ecfce4d9f58a5938c968ad3a9dd12e935

  • SHA512

    d103ebec4e85eb7a5b8f94e41ca6576852c25545ba0b94e4c19915c8e1b977dd6955ed0b25e21127c55ce41bc726ee6dbdbc4ce6a69f2f9345c42eacde07ea77

  • SSDEEP

    196608:N2Tqxo4OYmz6pzVhXFxHNR+z+2hIHi85ZYK28isQ3WqWVhdnMHFsiB5HH5avBxpJ:KqxaYvnhRRqhIRWK2Dkn3eHFr50RJ

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api
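
The extracted configs above spell C2s three different ways (bare host:port for RedLine, a bare http host plus a separate url_paths entry for Amadey, full https URLs for Lumma and the pastebin dead drop) and several of them sit in the same few /24s. The Python below, added here as an example and not code from the sandbox or the report, parses a constructed subset of the page's own "Extracted" entries (laid out the way the page lays them out) into one normalised IOC per C2. Two things in it are this example's assumptions rather than statements the report makes: that Amadey's full check-in URL is the C2 host joined with url_paths, and that grouping literal IPs by /24 is a useful way to surface reused hosting.

```python
"""Normalise the report's Malware Config section into a hunting-ready IOC set.
Added example, not code from the sandbox or the report. REPORT is constructed
from a subset of the page's "Extracted" entries in the page's key/value layout;
joining Amadey's C2 with url_paths and grouping IPs by /24 are assumptions."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

REPORT = """\
Extracted
Family
amadey
C2
http://77.91.68.61
url_paths
/rock/index.php
Extracted
Family
redline
Botnet
krast
C2
77.91.68.68:19071
Extracted
Family
redline
Botnet
5195552529
C2
https://pastebin.com/raw/NgsUAPya
Extracted
Family
lumma
C2
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
"""
KEYS = {"Family", "Version", "Botnet", "C2", "install_dir", "install_file",
        "strings_key", "url_paths", "auth_value", "rc4.plain"}

def parse_configs(text):
    """One dict per 'Extracted' block; a key line is followed by one or more
    value lines (Lumma lists all of its C2 URLs under a single C2 key)."""
    configs, cur, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line or line == "Attributes":
            continue
        if line == "Extracted":
            cur, key = defaultdict(list), None
            configs.append(cur)
        elif line in KEYS:
            key = line
        elif cur is not None and key:
            cur[key].append(line)
    return [dict(c) for c in configs]

def normalize_endpoint(c2):
    """(scheme, host, port, path) for bare host:port, http://host and full URLs."""
    if "://" not in c2:
        host, _, port = c2.partition(":")
        return "tcp", host, int(port or 0), ""
    u = urlsplit(c2)
    return u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path

def build_iocs(configs):
    iocs = []
    for cfg in configs:
        fam = cfg.get("Family", ["?"])[0]
        for c2 in cfg.get("C2", []):
            scheme, host, port, path = normalize_endpoint(c2)
            # Amadey's C2 is a bare host; the report lists the script path under
            # url_paths, so the full check-in URL is their join (assumption).
            if fam == "amadey" and cfg.get("url_paths"):
                path = cfg["url_paths"][0]
            iocs.append({
                "family": fam, "botnet": cfg.get("Botnet", [""])[0],
                "host": host, "port": port,
                "url": f"{host}:{port}" if scheme == "tcp" else f"{scheme}://{host}{path}",
                # A paste-site "C2" is a dead-drop resolver: block that exact URL
                # and expect the real C2 to be fetched from it at runtime.
                "dead_drop": host.endswith("pastebin.com"),
            })
    return iocs

def shared_infrastructure(iocs):
    """Group literal-IP C2s by /24 so a reused hosting range stands out."""
    nets = defaultdict(set)
    for i in iocs:
        try:
            ip = ipaddress.ip_address(i["host"])
        except ValueError:
            continue  # domain name, not an IP
        nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))].add(i["host"])
    return {n: sorted(h) for n, h in nets.items()}

if __name__ == "__main__":
    for i in build_iocs(parse_configs(REPORT)):
        print(f'{i["family"]:8}{i["botnet"]:12}{i["url"]}')
```

Feeding the full config list from this page through the same parser groups five of the RedLine/Amadey hosts into 77.91.68.0/24 and two more into 77.91.124.0/24, which is the kind of overlap worth blocking at the range level rather than host by host; the Lumma domains and the pastebin URL stay as exact-match indicators.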

Targets

    • Target

      0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd

    • Size

      389KB

    • MD5

      77b9fb0f6b8cffbbd74a48c88d728042

    • SHA1

      7e1942225b08e76d77124f885843bdf679d3c4fa

    • SHA256

      0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd

    • SHA512

      7b07051e37c0739f73239f7c1ba6e37c1749b1a52c1a8186fa3e3c28b95ff5035fa4d13825453dbe1bb4dca65c1e81318c36e2ad6a7aef6d855c6d19c3fd4ed6

    • SSDEEP

      6144:KXy+bnr+Yp0yN90QEuiMZl8gP007RHr6ppFAwxw9C28zC8FgBZ+t4FDEXo26mWd0:RMroy904HZixtAwxCC3tFgBYCFY01u

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6

    • Size

      515KB

    • MD5

      7df24f49f54b8ac81e3c00b6ef1ce8e7

    • SHA1

      788350bc977f6bbad5170e21e5cd2a0ef1499472

    • SHA256

      15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6

    • SHA512

      48a39cffe8c2466522da44aa8b92116841617c8755f3363aafb00b205393b2e4266834a80743303c6fddb28f796086851d388cc9c5226bb1e317081d25b87b68

    • SSDEEP

      12288:yMrTy90wTnRjHE/K1rdz7rhYXr8RsVWuoXd++974nV7c:RyzzNdvrhY78io4a49c

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793

    • Size

      989KB

    • MD5

      79e53e4e66e3cc1c18c3eef54f3434c5

    • SHA1

      4dacd0c65376af4ad6dd13d746ca048d4eba5b2b

    • SHA256

      209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793

    • SHA512

      009d33e03818679bfb172db7f498d394838c54ee1fcde9da94e20994f2d76c4e1aa30d64e9999fbeb96cd24f519f155cc03d624a903b1183c1d610c64d26c3c9

    • SSDEEP

      12288:1jGKXgeOVTcldbKRr/4APMboMN6WvJaPuotB5xg8LumZjUjrTjpKt6Jiw3/:pGKXFOVTclERr/4APwoaBaJX1UPpKbc

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile contents.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2

    • Size

      390KB

    • MD5

      7d114e866f3aebbf65ea5e0322ffa6a4

    • SHA1

      831e43f1dd3bd60dc0b8175b4b614942300d81d7

    • SHA256

      371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2

    • SHA512

      ad53343bf098d146b652fc01592f234890f6041b71525a3750acb8e4063c5032ffb422f35a79a1501a4bc0a253f70a90856774654c436f2bb17d55b81bc7f0ac

    • SSDEEP

      12288:0Mroy90rmKI+t0AnCwrcSor7h7XZvMvL46a:0yX+thC8cSShFUvL46a

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df

    • Size

      390KB

    • MD5

      7b950b64ac08857b3deccaaa87a316a0

    • SHA1

      9235f96b6b4b5c37b581556dadfa30dbce857034

    • SHA256

      4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df

    • SHA512

      41ffa8e9e51b67eff9f36c16cca9df10f7b2b71f6cee51fff1efed0e81b5a07c334c2616957258fa150192333cce87dd23459764e86e302d61325619c420766b

    • SSDEEP

      6144:KMy+bnr+lp0yN90QEQ7y6KGyF4tgKY4Jrovv90vgBZ+t4UD9AT8sJeQ:0Mr9y90AyeVY46vv0gBYCU3sJZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6

    • Size

      1.2MB

    • MD5

      78cdac30810324709d9ded08c4501f8d

    • SHA1

      083f16342f0ef90d57321b873ad972a16b168f86

    • SHA256

      613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6

    • SHA512

      8b5e989df009891bf8178718e4fe9bf38e4f421c6295d1ebcc30eaa7762958a9009f7cfeadd18d508f7483e6fe043dad9a7181b6dc3b511fc205d35ae1e31890

    • SSDEEP

      24576:VnBoveElInZKRPgiGilvvTd1YYWTsywSs6E:VBeInZKRPgiGiNYdTVm

    • Score

      10/10
    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65

    • Size

      1.2MB

    • MD5

      7dc01fe162857c837ec42c043f06a250

    • SHA1

      c3f7888a5be49c458cdf5edca546ff6fd0b4da6b

    • SHA256

      6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65

    • SHA512

      9f828f990954d98bd65bf640d3aec245addc052add46fb8896223ec04953dce8a6fe2817bae53aa7fcee86d68248c4d6b0a5112b1a685082c5557c762cab48af

    • SSDEEP

      24576:MyVY5S9UGMFXStmUpJeZyTxB7Sc2mGafGCLun8tczXSZ2Lk:7VS3GMFXYmUpME+DzaS8tcjSy

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38

    • Size

      641KB

    • MD5

      788d92f47b212e2049463dd423a5dee1

    • SHA1

      ec638a326f621c2ac72199ddb8e02affffe0dee6

    • SHA256

      74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38

    • SHA512

      2ff493ef1f3f2e9905e2930669eefb995041eeb8045ec1a4bfc935b655454aea9c591dfe179ec3c711fb22ff25374a64a01e7a56b204b37fd417e1b3278ab2a0

    • SSDEEP

      12288:/Mrey90DQanCnYpz9L+2CBiMx5A5nF9npy7OsW6f/g9EcqOEluM:FyKPC8zBBE7jcF9py7OsW6ng9Ecq5uM

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af

    • Size

      769KB

    • MD5

      7b850001f5713cbeaa0078d2b4a1f406

    • SHA1

      e68fde0f08bd2353d118de3cefcbf2e6aca2ce7b

    • SHA256

      75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af

    • SHA512

      e1f35bd08f29bb6452ef58f318f7e911826b6f57e4418069a07e26d46599837acb2ed238da7179b253fbe57626d3f4886cf819cdf85b76de1bb5e42fa0ae6e9e

    • SSDEEP

      12288:9Mroy90eCrZAz38uIrbDgTncDTLc97yZe6r5H+LcPyK:lyUaz38rrvgQfLc1ylwoPh

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b

    • Size

      390KB

    • MD5

      77871a3c4e9d08f0bc052ba62e12af12

    • SHA1

      3ef6e6678685530de4df5af5fd5b9d60787c3b8d

    • SHA256

      798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b

    • SHA512

      89eeeb2049d79b7ad1c4858c5f06c126780e2e0e13023ce18835930f6c9d127a1054fafbb1f25045483e741a5adf45ce7f60056b37f8f0ef913719b7f614c60f

    • SSDEEP

      12288:AMrXy90QaSqo3yXhVTXgBYCMwDg8vz2zI:HyeSL3uhezjs8rII

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e

    • Size

      515KB

    • MD5

      7d2ce35a27a37baf28988e65cab27fcb

    • SHA1

      55a23ab7eb441e4a904916bad1ebefe8aa212d2d

    • SHA256

      7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e

    • SHA512

      eb8c1c631efb67b344bf93ffb8398f26009b1cc158e8d0a05ccf39bd989bb6267b743b8175fcf59933dc227cbbc7f5ffc2de94feefbdc97735e64fe71bf5f6e4

    • SSDEEP

      12288:UMrxy900zkSW5R1HN6zM61qV0h6B9UDGElqD:9yjyHNr61uVjUDGX

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b

    • Size

      390KB

    • MD5

      798ec07025f058b2e7791a88ea7ebba1

    • SHA1

      0dff838f77c7f19abac6b32af4cfbc6bdafff37b

    • SHA256

      7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b

    • SHA512

      c738e0fde4583cae6cb744679a081a343b810a2087d86767f14fc1544570ff551c55ff80c6891b553d3fc85299dccba2dc8afc53d0c2dc47eaa5592692b35309

    • SSDEEP

      6144:Key+bnr+4p0yN90QEDHkWGjZNJYh7TNog5hSFkM/qVmBsSlmoNds:2MrYy90BfseSFHFlBzs

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56

    • Size

      515KB

    • MD5

      7bd87547abe694ea73c8cc5c4ad142e1

    • SHA1

      fc2dd14f3d0bd26bd0dcdcc04fb27d7569f0fa9e

    • SHA256

      8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56

    • SHA512

      a1a522e76403b8ea67ff0dd1b1a23318e2c59517211c36d2b6cc697427b7e7bebc8752a3afb94dd3831466590879b15ec03f8da7b76691b902d695458685f164

    • SSDEEP

      12288:fMrly90IOW2B8Roq5ZzZJVPOmM4fZqRMyu2Ax:6yrGQRPOmM499h

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93

    • Size

      390KB

    • MD5

      77fe152db6ab834d5d19e0bc498a3390

    • SHA1

      061f087d858f6f62bb8b825f97037c6adf09b5ba

    • SHA256

      9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93

    • SHA512

      a184e3974bc54c34a64aa8a8590ebe2112c6197160cfdfdaac025adfc63333af8e6d63ec9e2f20bfc403f6a3e29ef20ea5c3f36bd2376724a170e2a011bc6e44

    • SSDEEP

      12288:cMrqy90Bww5CNmmmx1qYnUAwFcHnl9A0X6YDp:Wy2wwoQmYnpHUQ99

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49

    • Size

      1.6MB

    • MD5

      7d32073410b319d087fce19d1e06e567

    • SHA1

      db8fc2679ad185f7593223c7c9b1bd24dc9f9c14

    • SHA256

      a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49

    • SHA512

      7f488b6974d89acb19da09df9784df631203f4ef1693c72092d0eb0cc3ed663332381ae3f052d479942acbf271466f2a8160009ebe0dceddc450a3b5818c6af3

    • SSDEEP

      24576:3y9qneMGcM4DVQJBTkCn/H6tfxjl/zq9exWtOf2K1UkGmTXDqKbv4d3:C4neMZMJBT7n/+JjRq9ex0K2yDei

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0

    • Size

      280KB

    • MD5

      7df1e56d4c1a1612ee126463fcf8ceb4

    • SHA1

      774ab26898cfa2ace41b0d5fa53538d318e0fa57

    • SHA256

      a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0

    • SHA512

      a84427f66c991496b014e82a1e52a969da9b627d6dfebdb93b74acdda4907df02b7b7d17b25cb732999e4a01e7f6e327be630b93b6dd6c55ed78e3d920ccae15

    • SSDEEP

      6144:Kby+bnr+Qp0yN90QE7o6FzcJVDQvj6iftPO3pJ8M:JMrQy90xl9x2stgp+M

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229

    • Size

      390KB

    • MD5

      797a5feff99655f0d85ce2a57b7db03c

    • SHA1

      4e6faef04eb706282a621b44f12ab9f1d46c2922

    • SHA256

      bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229

    • SHA512

      33d1c0e066306f4d67d1db2aef636e142c515c2fdc4c471c7d0abfb8643181196e752715b44cb6fcf8a7188c93244e109c6e7c02b6c412d2b82293103dc19251

    • SSDEEP

      6144:Kty+bnr+1p0yN90QETEySSJAvVcQlhRAbR4SZZ1QMmHYYgtVNaAL0C/:fMrxy90xEyFkXARPqkNTYC/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c

    • Size

      514KB

    • MD5

      7d7d33850f01a172965d4ab3500f15ff

    • SHA1

      6c3f6d557ce913e1b4e76c3325e21fdc9f8e1616

    • SHA256

      c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c

    • SHA512

      10f12ecca2c5643a50be160d7343b8f9b48a91efeb5da2b31dbae9b38794cfe944878c0d0fcd37c0786d5291c80a3b883e2d1499fd69b15ebda1790e427fb304

    • SSDEEP

      12288:nMr7y90vbJ4/tt88tW+bsUlC1U/miz9LjHJWH:wy0m/tptW+YB+djpWH

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4

    • Size

      390KB

    • MD5

      78e143d53832462f94df54b039a2500f

    • SHA1

      3166b93218a704270ad88cdcf933f8e7e27ae047

    • SHA256

      c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4

    • SHA512

      c58e52b9de6d11b866e713c2039700d3941507cb6fea50c63dd7343128366dabbeb6c8fd219802ec7bd6ab28bc4c2cf3558bdbcd414a2689630060c3caf4d3d7

    • SSDEEP

      6144:K+y+bnr+Qp0yN90QEsFSlPN+PytrbyJHrPkPGyPLtWc9uNNvHmPRa0xw:GMroy90TxseG+Wc9unmPRX2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d637403a7a8d4f4e55e3bd56e000ee3668faae9137eaa6efbcd8dfdcc4744709

    • Size

      384KB

    • MD5

      7bc2d05ad6c8a97ba0e72e08fea76c33

    • SHA1

      34ca4cd11a85d4c4e347e0a3e14bbbce06a52b8a

    • SHA256

      d637403a7a8d4f4e55e3bd56e000ee3668faae9137eaa6efbcd8dfdcc4744709

    • SHA512

      d904d036c3348d6171810adc02588990dc349f6cf8a79f95466b1e4d64bc0ca3dad17de0868260bf66db36b2cc5cdf4ba4437a1833671ab7bc2ed7079e55feb2

    • SSDEEP

      6144:KBy+bnr+Dp0yN90QEwUHh4HZn7ECucO0bGvBJBiZLpD5Fs3zHlG9mLYICwx:nMrzy90pH0gCucO05mDHlG9m0cx

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application
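
Nearly every dropped file above carries the same two host-side signatures: "Modifies Windows Defender Real-time Protection settings" (the Healer component) and "Adds Run key to start application". The Python below, added here as an example and not code from the sandbox or the report, is the check a responder would run over a registry export from a suspect host: it flags Real-Time Protection policy values switched to 1 and Run entries whose image is named like an Amadey install_file from this page (pdates.exe, danke.exe) or lives in a user-writable directory. The snapshot it runs on is constructed; the Defender value names are the documented Real-Time Protection policy values; and since the page does not state where Amadey writes its copy, the path test is only a triage hint.

```python
"""Triage the two host-side behaviours the report flags on most dropped files:
Windows Defender real-time protection tampering and Run-key persistence.
Added example, not code from the sandbox or the report. SNAPSHOT is a
constructed registry excerpt; the Defender value names are the documented
Real-Time Protection policy values, and the install_file names are taken from
the report's Amadey configs. The page does not say where Amadey writes its
copy, so the path check only looks for user-writable locations."""
import ntpath

RTP_KEYS = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
)
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
    "DisableIOAVProtection",
}
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
REPORT_INSTALL_FILES = {"pdates.exe", "danke.exe"}  # Amadey install_file values above

# Constructed snapshot: (key, value name, data), as a reg export would list them.
SNAPSHOT = [
    (RTP_KEYS[0], "DisableRealtimeMonitoring", 1),
    (RTP_KEYS[0], "DisableBehaviorMonitoring", 1),
    (RTP_KEYS[0], "DisableIOAVProtection", 0),
    (RUN_KEYS[0], "OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[0], "pdates.exe", r"C:\Users\u\AppData\Local\Temp\925e7e99c5\pdates.exe"),
    (RUN_KEYS[1], "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

def defender_tamper_findings(snapshot):
    """Each RTP Disable* value set to 1 is a finding; present-but-0 is not."""
    return [(key, name) for key, name, data in snapshot
            if key in RTP_KEYS and name in RTP_DISABLE_VALUES and data == 1]

def command_image(cmd):
    """First token of a Run-key command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def run_key_findings(snapshot):
    """(value name, image path, severity) for Run entries worth a look.
    'high': image name matches an install_file from the report.
    'review': image lives in a user-writable directory (a triage hint only;
    updaters such as OneDrive legitimately run from AppData)."""
    findings = []
    for key, name, data in snapshot:
        if key not in RUN_KEYS:
            continue
        image = command_image(str(data))
        if ntpath.basename(image).lower() in REPORT_INSTALL_FILES:
            findings.append((name, image, "high"))
        elif any(p in image.lower() for p in USER_WRITABLE):
            findings.append((name, image, "review"))
    return findings

if __name__ == "__main__":
    for key, name in defender_tamper_findings(SNAPSHOT):
        print(f"DEFENDER TAMPER  {name} = 1  ({key})")
    for name, image, sev in run_key_findings(SNAPSHOT):
        print(f"RUN KEY {sev:6}  {name} -> {image}")
```

A present-but-zero Disable* value is deliberately not reported: Healer sets these to 1, and a 0 is either the default or an administrator's explicit enable. The "review" tier exists because a user-writable path on its own is not evidence; it is the combination with a name from the report (or with a Defender value flipped on the same host) that makes the finding actionable.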

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral2

amadey healer redline smokeloader lande backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral3

Score
3/10

behavioral4

redline 5195552529 discovery infostealer spyware stealer
Score
10/10

behavioral5

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral6

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral7

Score
3/10

behavioral8

lumma stealer
Score
10/10

behavioral9

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral10

amadey healer redline smokeloader papik backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral11

redline lamp infostealer persistence
Score
10/10

behavioral12

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral13

amadey healer redline smokeloader lande backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral14

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral15

amadey healer redline smokeloader roma backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral16

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral17

healer redline masha dropper evasion infostealer persistence trojan
Score
10/10

behavioral18

healer redline crazy dropper evasion infostealer persistence trojan
Score
10/10

behavioral19

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral20

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral21

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral22

redline darm infostealer persistence
Score
10/10