amadey

Sharing

General

Target

red.zip
Size

14.0MB
Sample

240509-swhsnabh52
MD5

e799d06d984af7c88d0d4ad41a34e872
SHA1

35d3e1dcaa0705ddef9c21fab692a14874756f91
SHA256

b2e3ef893eb456057652ab4434c1204484055bd056354e8672fc45f069c32800
SHA512

d4ba7ce808582953034ac9bcbefc094ecb903ad143c05a8899913f85db07d828f2611b1f33406c6f8386072426ffb547178093be5dc6f4c6cf3c13e2b6d4987a
SSDEEP

393216:ZcUBcn0B7ig/ppmmgXHn+qeeSzkJgXv3L6F64jXy:W03LgXHnRSwJgXv3ETy

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

http://5.42.92.67

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

5195552529

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

lande

77.91.124.84:19071

Attributes

auth_value
9fa41701c47df37786234f3373f21208

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Targets

- Target
  
  143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5
- Size
  
  390KB
- MD5
  
  302c8027c8728a76aebbdaa358bcf27f
- SHA1
  
  b377bb11e4b31fac3779736dafd77d3930e68349
- SHA256
  
  143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5
- SHA512
  
  bec37bef66ef5ab381607b0ce2f3e4852b9c91e44187376e5065026db2b62150f418ea58b7646011c86bf096e4d22de36f28f8f54efbe137bbf54bc081615c8e
- SSDEEP
  
  6144:KBy+bnr+6p0yN90QE7f11dRzGQkV6oNImWSzVGBmIqS8a0lCG:rMrey90lf1zcQkHNwSzAd0YG
Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219
- Size
  
  390KB
- MD5
  
  719e6ea06a5fac6ac3a3730e45fd1b75
- SHA1
  
  fa45885b397266a12ceb20cd060f70fd0f2e4b1f
- SHA256
  
  22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219
- SHA512
  
  3c3e4348ad6d76094f65dd34ba3b659b405f058aff738b43a27c87264a3ee706443e484cb1221326bc0ffcc641008c3c7fa0f81a81fd1192d7527ada3eaa30d5
- SSDEEP
  
  12288:VMrqy90GeXkEY3eepM9CcrGdRcHnl9yUBQJ:Py9VEY3sC5mHs
Score

10^/10

amadey healer redline nasa dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  291dafd2314b673e9b81ee6bd583911db702f910a342dc716c49ce5922bcefe9
- Size
  
  390KB
- MD5
  
  74fbbed192dfe6039db97efc9100b00e
- SHA1
  
  31fa1d6672aa5b8faafc983fd19aa0f1fdea5eb5
- SHA256
  
  291dafd2314b673e9b81ee6bd583911db702f910a342dc716c49ce5922bcefe9
- SHA512
  
  2c0fc43eb279264970e2933ffc3beaff746ed79a2d044979b37ca26721a3e434ca62c667349167ba0e794d28449525a825194cd0d7b9b51fc31c701904356193
- SSDEEP
  
  6144:Kvy+bnr+Tp0yN90QEa5lMqNa1nox/kioWJvGeNb+I63Cfa8HJpOkl:5Mrvy9045/gxoxMFWpxh6R8TX
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b
- Size
  
  1.2MB
- MD5
  
  2f8765ddfb5eb9cf565d416a2fef07a9
- SHA1
  
  ceb22309b872f04d9c5df1e6fe3cc35fa616e6cd
- SHA256
  
  2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b
- SHA512
  
  6489262e8b6394e895ef7ea59c94f8b460affbb17130a1136df23b47f1cc50f3c09db0fd10319484e28679ef65d583c15086b38b5d0d27858906e4f4504f7b85
- SSDEEP
  
  24576:Cy4hgIcCM5IddKY63yg7MVZeoCNElcacqdf36HXe:p4hdcidKY63jwSDEa923
Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648
- Size
  
  309KB
- MD5
  
  6ef8f31678925f2d219958320d6dcdfd
- SHA1
  
  0406dda51bcd8b5e414929570a204f88c190fee7
- SHA256
  
  499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648
- SHA512
  
  72dfd60f5fadd620d09c3ed64c9332427d95f0cc6369521f569b08deadbf29447f52ece80239da1c7527d35fdda0db9fb8c188472ca1fd74b13322842e03f226
- SSDEEP
  
  6144:qch22uPpiUxyd2eVps3Az8MWsFXrYP5IkldbXKQ4/I:522uPpit6e8yFXri5d/mQSI
Score

1^/10
behavioral5 behavioral6
- Target
  
  4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3
- Size
  
  1.2MB
- MD5
  
  71be01bb024a89a23ca18aa6a77d160b
- SHA1
  
  4d11090dcfa1809209f5ead33ff2359628985a5f
- SHA256
  
  4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3
- SHA512
  
  47a8989ec3f915a900af0c9413dc51d16a706a20e219c34f9425472a21d70711599ee0d9c3990f2463a1050867afd6f4a483be27169124b8ae0c5b7589ae8668
- SSDEEP
  
  24576:9yzGzXUUN6D6ScsWIPYUSsXqzlIQBo+/RpyPQqhNFGIO/:YQXUUN6D6CwvsXsWKoIRsxhNw
Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf
- Size
  
  1.2MB
- MD5
  
  2ff65e9ca8a0b92b2f9ead3ba8dd7ed2
- SHA1
  
  bc118c8a4ba9391e5bc4315eef3d0dd83afaebfd
- SHA256
  
  4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf
- SHA512
  
  4fd459726173efd0412638d81884d4636b385098696b6dee1b403b809a3eb79c2202394ca4ca5e8f3f1630e83e02af723a78931c58242cf161abe1974b32137a
- SSDEEP
  
  24576:YyZkbJInDZr4+HhuBykcdH3B3laSprA5MBkWUhLfYTemxmdza8xPjo:fZkbSDZTHc9cdH3aSBA5I4FduaPj
Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  4fbcb0a2f45aaeb44239e2e00233d34f6efb6c46aa551acf21567602c1b83573
- Size
  
  390KB
- MD5
  
  7029bd0b72ef68903ba7755403ef837c
- SHA1
  
  7e5fe966a2e74bc6e5ccff71339f8794ce8c4d7b
- SHA256
  
  4fbcb0a2f45aaeb44239e2e00233d34f6efb6c46aa551acf21567602c1b83573
- SHA512
  
  7e3df6771e74e7c26f4453cf89b5ef9dc0e0a184afd945b93f68c77221d63012b24a4de3e03b79bc82adf4cc12175f41cfb9c79d386651aed080eab1d7a84377
- SSDEEP
  
  6144:K7y+bnr+8p0yN90QES1d8f5qOkWcnZNbQR5zRPdQwiAZAKWJaLu5GIJwEUR:FMrUy90QfMQwNZQJEu5HJwEUR
Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral9
- Target
  
  53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36
- Size
  
  389KB
- MD5
  
  721cdf94a8e81b489d510d66052c869e
- SHA1
  
  57c76085e66f4dabbcd3a06f782688f323722642
- SHA256
  
  53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36
- SHA512
  
  1f2a7bb699d0b71a7b96d1fbe71209762c008372a5780e2eb944d45a0261b4f2f9053553b34f5682125a39e4118f11d78a63ad3ef95d95a0b589413206f6442f
- SSDEEP
  
  12288:nMr8y905KXq38E0oTFiMibgBYCU4tRuvk:fyUKO8Ku0zjfgk
Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06
- Size
  
  919KB
- MD5
  
  7744901dc80e2afe3afa4c7b5c399d3b
- SHA1
  
  78f4dbbd8afb9973e7927e8d11602eda9f1d7cd3
- SHA256
  
  59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06
- SHA512
  
  22c73528904d0f012e057e565a21ef8c1c583704c25d82f6b628056b02ede91aed7fe6c2323b16f140b7a792ccb10dab610bce923959b35ab2137b46171a7161
- SSDEEP
  
  24576:OyIUn4LTjk0iz8Bw5jfsEyAHVTUk19I/faYKbrVa5Y:dIHbPE84fxy6HIFKb
Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral11
- Target
  
  61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b
- Size
  
  1.6MB
- MD5
  
  2f1c41adf7b880f2e9f9b1b0286a143b
- SHA1
  
  606acc7a67ec4f0241b3850a1b0ce2241774c9de
- SHA256
  
  61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b
- SHA512
  
  c1b593f1e6600aa2124262f90c0a1ad77f46dc1e87ce836c1d9bf2160352d974f5cbff78100bc7c380071b3de8d0ef3cd653423efa26e73c005beb59a6fa0596
- SSDEEP
  
  24576:gye1lDVXnpy0e+JaxMbVa2H2t2BCl1EDD9uh4iVtjGE0Nx:nEneZxoDH42BClumNVL0N
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral12
- Target
  
  6aec183a583bea0012704d51b860a5d4dc2eaa2d5a1b16c1b991a8fb1cc86e31
- Size
  
  390KB
- MD5
  
  7653cb530bb1afc8d4dd75cc8af7929d
- SHA1
  
  d38792a7e9d0450270adb2794d98b5c3f3ee92cb
- SHA256
  
  6aec183a583bea0012704d51b860a5d4dc2eaa2d5a1b16c1b991a8fb1cc86e31
- SHA512
  
  13abdf87e14a9493b0d122e45d2811f01a4938f1ecbd736fa74b4d44b23b14e5d965b9a7fcd3875cd2bacef83a6eab575531ee5444b2be3cd6185e9a814b26b2
- SSDEEP
  
  6144:Kiy+bnr+Ip0yN90QEeOFQXweVg+CxX/OW2ASWuXgneKZIWXcJHWKPx8x:aMrEy904ueVWuwfq6lKp8x
Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce
- Size
  
  306KB
- MD5
  
  6ee7eb36e567f6e466aaaf24c199df75
- SHA1
  
  b0c3b1eaf357df0d49b6db112d91f5b863f05253
- SHA256
  
  71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce
- SHA512
  
  dda4269111e1fee9ce47c059884171e43cb165916976763e4cfe484b9bd5dcc12269a4544fb01f1602a168ae920df31de1a06d03c3121560d5388644c0dae743
- SSDEEP
  
  6144:mUZl9vSWh60RVAtljy11j8A/QGetb58moOBJyL98R:bZKWhHJBYGetvhDyL98R
Score

10^/10

redline 5195552529 discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral14 behavioral15
- Target
  
  7506757ba820d7ae28d178498db7124eb1c6e346d4700098f7492a46d5e851b0
- Size
  
  390KB
- MD5
  
  713e68fe7fdc9f18e24725872ad2e179
- SHA1
  
  bc6f0ed8fd7f4af277e25581ee669ec9ee6b08b9
- SHA256
  
  7506757ba820d7ae28d178498db7124eb1c6e346d4700098f7492a46d5e851b0
- SHA512
  
  f704e30255406f3c9ed6caa2b9a76372bc02953c74643130393a515613059ba174200c3c20506f8e273c87e959481fbf166976699632b3825bd7b45d4e6d654b
- SSDEEP
  
  12288:5Mr2y904SbHVJXbS8Il4aDCAQaZOhqdGm4bZ:HyCXb0lJjwZ
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral16
- Target
  
  80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452
- Size
  
  1.0MB
- MD5
  
  774a173c2d0a5266b73ba5527e606bbe
- SHA1
  
  13173b00db1bff7e45c00be7327ae24bbb6e2ca6
- SHA256
  
  80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452
- SHA512
  
  076a9ad2a5d639f932936bc5d614fe0b2bdbfe162134eecbd706ef3ff979930e3efa7a2561935b445ee3f5e6e837c3e1fea8cd4b280d2f73f412106df05f8639
- SSDEEP
  
  12288:dMrly90aVXB6zrLW/kRNgMwsBpdTgep1Ez7O92GtV4zCpGr1DUzAWXZnQ2P++3qG:kylXB6XOALgepYO4GcFrQXZnBP+uqSh
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral17
- Target
  
  9e8418826f07274a00f90b02756f693711350696a60867c9adff98b6c0268e52
- Size
  
  1.2MB
- MD5
  
  71e8215f45ecb1d3b3b28bc579b27922
- SHA1
  
  8e7aae40eb5db95d0481bf9b72eb4a7d106e7849
- SHA256
  
  9e8418826f07274a00f90b02756f693711350696a60867c9adff98b6c0268e52
- SHA512
  
  2f4298bf325b4c68594b7c8132380c0cb5f29381c59d95235251c2f42dd8c8b989852c587f6d93ebfb3dfc9247af584d5c9253489cdaae32ae98147bb5f3b055
- SSDEEP
  
  24576:VyyC6D5dkr0Rke7qmSYMn6nJq+u/jQPGiEXP5JQ0kvLI8cLaMaV8ceZVyMKwk05j:w0gr0RNqmTMn8JGjyG9ScT2aZVyek
Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral18
- Target
  
  a898d72b49cc00c36f48fd52d4f754e3c8b758780323239ea18208abf91a9b84
- Size
  
  390KB
- MD5
  
  6f6b129948a313fa52a5fa29afab8d9a
- SHA1
  
  e6e75d06359660ed6972eb853ec4f1d9f2494e95
- SHA256
  
  a898d72b49cc00c36f48fd52d4f754e3c8b758780323239ea18208abf91a9b84
- SHA512
  
  33bd9b65fe1946a99dd84b3532d1c694636b36593863d91127965ed104979dc3a35a4927125f091918c57801abc75de201b9c17a0fa465f6206baf06c6f0e48a
- SSDEEP
  
  12288:3MrGy904k9KzMkB6suwkohbTcHnl9G9ON:1yRaIMrsdkYAHi9ON
Score

10^/10

amadey healer redline nasa dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral19
- Target
  
  e6baad5a7e5385bc92311bc785faeabed25354b22d90f6422ffc65d07a913c5c
- Size
  
  1.7MB
- MD5
  
  76a7b68916d548824e6317f882b287f9
- SHA1
  
  4ff4c13e51d3e57b4acf61ba6b2f3a65cde312d7
- SHA256
  
  e6baad5a7e5385bc92311bc785faeabed25354b22d90f6422ffc65d07a913c5c
- SHA512
  
  3deff527545ff0645e3e7b71c04534e1dca51d0e77b100530cfd0560dee5cc9a216fb35e0ef9e7820fb31588cc8c188284fc1472c98357b141e7381719ea0806
- SSDEEP
  
  49152:VaVPPvlrtRgaEQ7fYFGtVzvhIpHkL9yR/qC:ulrtRgaE5EVzvgELsc
Score

10^/10

amadey healer smokeloader backdoor dropper evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral20
- Target
  
  ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e
- Size
  
  1.5MB
- MD5
  
  739572566c4c164a5cfdea959226737f
- SHA1
  
  bd12047781b88543053373c06e32c90d077b7b40
- SHA256
  
  ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e
- SHA512
  
  8909d3d21549c9d54f93294623045ff7da459b48cb460b110627d7a48e1a1f4ca63fa2d20921533343c847522594886420453c67f11de16b433827eb5fb18777
- SSDEEP
  
  24576:yyhKgMcSAnDe7nosL8G+V5OxMxanlh4tRpSPf9vE1dE+VgKPAO6y1k:Zhj5SAnQosAT0Dnr4tRpMs1DgjO6G
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings