General

  • Target

    red.zip

  • Size

    15.9MB

  • Sample

    240509-v1ktxsdf5x

  • MD5

    70e315fd68caa94d53547a2bac55496e

  • SHA1

    084e11f8fb2d92ff8939dcbf945b7d757b47a00b

  • SHA256

    62bdf7c8bc61b7d1bd73ccc8685e220edf33b9a5ba1ab3c192a61c31da9b1a9f

  • SHA512

    248d9aa5fc61e37f0c5c76e485166a6c1ce5cb572677e85feebe1e03d27d1532dc9e933bd6d8c814e3257ca8a941cedc09b87032f7b7c9d73f33de679cb2ac09

  • SSDEEP

    393216:FrFaSOsGZK8W0ewl2tM/A2Vq60xj1BClYan/f+CbMSAcZ:FFDHGZ/gtB2Vq60ti5/fZgST

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

naher

C2

77.91.68.48:19071

Attributes
  • auth_value

    62708e72becb72a24cf8843b46acc6a1

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

http://5.42.92.67

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Targets

    • Target

      061ed335bcb896e77ccede19faa208e6e0bb34be9b0a811676474ad16869699b

    • Size

      274KB

    • MD5

      6c4def0b3cbfee0d4bef19b45a66497f

    • SHA1

      3a7c9a3488652361ee05e7ec4c188c8547403427

    • SHA256

      061ed335bcb896e77ccede19faa208e6e0bb34be9b0a811676474ad16869699b

    • SHA512

      2d2ea7bb5e71b763139dd49249d7c76e0285e64024ae1c7a3dc916bc59d86251dc4746cea70622b7248c1b35e2885d1115ec890c3ae008f5ca45dbfc14e1dd29

    • SSDEEP

      6144:N4lAc4+AxvS28hwm2UgDqNpwIeitNYvsJywpB:NEAcDLwBjQqBit//pB

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      067e5c3ecff330d7c89e0a5c37fec8e0f642f8b31f9a396325cc5782eaa456b6

    • Size

      556KB

    • MD5

      69014fa7a78edd320abd2fbc65911205

    • SHA1

      6e4eb344b44399213baf461c5bedc2bf49eecfc9

    • SHA256

      067e5c3ecff330d7c89e0a5c37fec8e0f642f8b31f9a396325cc5782eaa456b6

    • SHA512

      6bac499e063dffff0336efecc320653de75320e9d897143c5a2ab349e086c5a6723607748ba4088b40b7eeeb18ea3285e0d8ac47b02242935237e7aea2360a4d

    • SSDEEP

      12288:lMray903CqtYfE5UHygzucgH5mpHoU9mhdKPLW:XyKCpjyAO5/UCdKPy

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396

    • Size

      1.0MB

    • MD5

      2c2992bee297eb92a1c30c47f171520d

    • SHA1

      1aa27a41eb69ed9a6ab90e36fcfb302fd0fd89af

    • SHA256

      1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396

    • SHA512

      efb5cd6594ce8dbc6635cc04210e5e362f0a3ae2c65d5bc161ec903cd96cd58ffaee72fef87fd72fd71e67e09cb7ee0255e82d9944940d6cdb96277f4eacbbb7

    • SSDEEP

      24576:XyWfk2aKNRcqflTT5z/22Rc02/wECzdKXeJvTYqejortkq:iWfpanqfL+212/d+Ayv8zU

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      349cf4c964ecebee87078b30505525ffc97ba82548f3193c0d6347693c8ad666

    • Size

      514KB

    • MD5

      66f54ffe709bab07100af569ead4119a

    • SHA1

      1cb8a599e4e929dd6a1b918a8b67a8febc8a0750

    • SHA256

      349cf4c964ecebee87078b30505525ffc97ba82548f3193c0d6347693c8ad666

    • SHA512

      6636bf298a646868b20110f1b4c43ab4e3f68a3d4cc667edf2baf1c757e320164a65e749eef096ae046344bbb9942e2f1b73ac7835c87a28e298d7307612d5fa

    • SSDEEP

      12288:6Mrby90AubVaRq5diuRCH+QykIb80gtid1ZUcTL/:JyjZuRCH+Qy73gtiD7

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee

    • Size

      390KB

    • MD5

      2d00f96e74fa01be6c570782f56ca124

    • SHA1

      17ed1713ade7f79ea2ed1bb9130871ca56b0c072

    • SHA256

      4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee

    • SHA512

      6b359ebae2e3607603393e1ff2d950987194e77089ef6dee3513b17defc0c0d20950ce3554e76e68500e4b4ed23138bfdc922088881958a1dfe0a9c65e416575

    • SSDEEP

      6144:KWy+bnr+rp0yN90QE0PZI9HwPGTICcWt4JZe6vzwYFeXx3Rhye2coLju:SMrvy90iXVztj1MNSeB+S

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d

    • Size

      390KB

    • MD5

      2bc8e8cd130285a0cbea66c6ae7859e9

    • SHA1

      bb229611ae9e5c6a807ceb371b3a282f631324ad

    • SHA256

      56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d

    • SHA512

      6b79aa03ecc4989a5f51f7b9776add2110146890a355a712569d0ad8b0e2399e744ffee8c51888b8f1bcb9d8ede9ee927d9fd35b4c228e2b521f91e0534dd933

    • SSDEEP

      6144:K3y+bnr+8p0yN90QETG840XYwvb4mF4xCVPLXsX2NmV5BCcHnlRHuzoiFqv7m:hMrMy90dhI05uCVPZoUcHnl9Woi8vq

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      5951daaf249b9db6c83832a3b7a244dffb52f45eb746f6edb9a2315fe8e4349a

    • Size

      389KB

    • MD5

      674f568312cd04d72fdbde0d68c141d5

    • SHA1

      feb25de484a1e0340f22dd4dced0b7a2698c5277

    • SHA256

      5951daaf249b9db6c83832a3b7a244dffb52f45eb746f6edb9a2315fe8e4349a

    • SHA512

      55c2a08010efe01db2d9c8bb526b43f554806d33d058c68115f6d1391a31976698f009bce72eaa8d6337634bb4e3bc2433c174cbffbb67c13a1b85747ab042e5

    • SSDEEP

      12288:JMr5y901c1gCNbRA4eredqAigBYC9K4Jj4qxj:IyecxNbRHTRz04JjP9

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01

    • Size

      390KB

    • MD5

      2eceda61e6e0bef77aa4e2d0e99f765d

    • SHA1

      05a5e56dec75029e3b8e483d649e7b5ff6f8daa2

    • SHA256

      59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01

    • SHA512

      fc20de5d3d22d2f7b331aa892563cbdd0d496cbbf4004048cacc6bb0af9e45e0c0df64df3b1d19119fb5f2b1c76e773aa36e81051dab31c74e6705894b22c5d3

    • SSDEEP

      6144:KNy+bnr+qp0yN90QEPnSCpusoviHGXWnzdpGWXAL6A5202cF1zV5cPMdDExP:bMruy90B/0lUDdwL6m203zVJdDExP

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      74cf5b47d1d63bb3f8b3b593ca7e2fe868afb92a8d82b4631bae9e2d0eb2398d

    • Size

      1.1MB

    • MD5

      6e23ce77b8eadf69971ce2729e2dc264

    • SHA1

      be53621f2277dac9ee2a33bcc6f31837efc05f30

    • SHA256

      74cf5b47d1d63bb3f8b3b593ca7e2fe868afb92a8d82b4631bae9e2d0eb2398d

    • SHA512

      74c77141db73defabadd0c570d2c8e6aa2f2f21ed514ef51189ce26e2894e81c4fb0564c261278b373a283da1353f12dc057bedb3f5b21f479dc6cc8379b9cc5

    • SSDEEP

      24576:oygMfa7QOzNGs+DFO8m8C8+PwW7urzpkujeOO6:vgaa7jzN5+DuM+/k1BXO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a

    • Size

      390KB

    • MD5

      2b5197c2b3a9c14d7cb949b809a27863

    • SHA1

      e78dac9c729de8b6e9064b3bb2043401063ed616

    • SHA256

      795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a

    • SHA512

      622de70b8d20486c805cf25e5b32bc9351a28c4feca5fcde29c279761444450ca57f74a3b737a09eecf689fa909a1f89d729b528758f9a7a237dfe2511b80bbc

    • SSDEEP

      6144:KXy+bnr+Op0yN90QEymQY+TOYTc28XYmEhrORHTqij+jmMrLWJeXsuIGpt:BMr6y90r1+TOSp8oNhCqij+pzXs5Mt

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b

    • Size

      390KB

    • MD5

      2e8378a779c529d72cae6f125711e88c

    • SHA1

      4b1d1bab9924629cc6b968efc89925468c90cdb9

    • SHA256

      8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b

    • SHA512

      24dbf09588cf022952aabbd463efa15a209f9511fa20bbce46e8c24d785658449632d429dd30bac24750e0bc697be4b8b8dc0b217540195a0264a72f0957145e

    • SSDEEP

      6144:K3y+bnr+Kp0yN90QE5HRKn43pGULDIfkdamIgLWFlv1/ea+AFw5YMdc5bcg9xb:lMriy90rUn4zLDIcABv1x+kLiecgjb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      91da85daf6df1f2a381493425471c65c1caf622791472ee7e1e7d551d4d611d8

    • Size

      1.5MB

    • MD5

      68b9d46cb4498e49e084e54ec73e659c

    • SHA1

      51c333490de2a8150ef39ce4a6fd51bcc439146e

    • SHA256

      91da85daf6df1f2a381493425471c65c1caf622791472ee7e1e7d551d4d611d8

    • SHA512

      1a03f93cce2cbff326ee34f85c896c3b022a9784edc1e0d0f9164325d6e881b687fa5295372394a0379e805f3d4a9cf64b3b2ca076e8e91ab0a0645398f4c1b8

    • SSDEEP

      49152:vRJSITORDkr6F1JXxAiTVG9DWwOESEhU:p4lRDk+F1JB1+OEPh

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a

    • Size

      3.5MB

    • MD5

      2e74d6fa9f7ad6604f4474d3a88df538

    • SHA1

      94ddd1699392c49aea7f9a610ed5487ea5d30a07

    • SHA256

      a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a

    • SHA512

      38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5

    • SSDEEP

      98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      ab124875eee3aa9c0b98e5ed0dbab9856acaf99e011d97b92abd4d2cf0f5aa6a

    • Size

      919KB

    • MD5

      6ae13efc8817a2e5640ab617edc0ef66

    • SHA1

      56dd6153047a0cd1cdbd047b63e579fd5b8ae25f

    • SHA256

      ab124875eee3aa9c0b98e5ed0dbab9856acaf99e011d97b92abd4d2cf0f5aa6a

    • SHA512

      88e45ea5d7ae364df9c0b8bfc0e3d83f75d844b0bca8b06386f78aa83a1dcfe703595fa648bbf14519529bce6281109675508cd57769011ba46f439767fcc437

    • SSDEEP

      24576:GyF7GXiF68lRgtjHF4l/MI6OxDgdcqSvNB:VFqXic8lRg3PDVcq

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394

    • Size

      389KB

    • MD5

      2eeefdf643f78c415d5773e6839837b2

    • SHA1

      797a0d8433f1b575915a9cb2952795535fb3546d

    • SHA256

      ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394

    • SHA512

      96c66dfb44902289d99a122c9e8b2804a236e61351e81ad56f5406fd935a2c5e65fac58da2bb8dd8f2738e5d7e1251128413b5247a1cfc421e1b5dc6c960272f

    • SSDEEP

      6144:K8y+bnr+9p0yN90QEA748JHJlPx2r5z3HVK9ehKCCB2GTNXeD3zsvHclk:QMrty90mM8VJluVSaKCCEUXau

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cce5498639767f010fc7b6b7a5e2ae7c721720e093acf7ad8ec6bd81e63ab983

    • Size

      390KB

    • MD5

      6a0feb970b0232737d1ed6729e4f0f46

    • SHA1

      82a778375910a0c96a19c6b455a0b11cb23a99ae

    • SHA256

      cce5498639767f010fc7b6b7a5e2ae7c721720e093acf7ad8ec6bd81e63ab983

    • SHA512

      965df101e912175946921d874c0aceb674147673b6afa72ee1e2c42a18f894ce8e6eb8ddaf5902b082373efec89f467b496feb7b7ea049bb41c4736984e92d1d

    • SSDEEP

      6144:Kxy+bnr+7p0yN90QE1Jy1+Jta10DfACoB1OrkI1wxvaf+1bX+Kx3n9:TMrXy90m+JtYYYdDskpxKQ1x39

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716

    • Size

      864KB

    • MD5

      2c52c514ed30a21dbfc181f9a56e756d

    • SHA1

      251cf6719d43e1fd2c52df211e76b8644c3cd2b0

    • SHA256

      ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716

    • SHA512

      e59f6f72001fbfb87dfbdf3ac73832f17ba334a5877f395f3c3173d18ba41c3a962714d6f91ce92d484ffe5368bf3ff90b388be4175032dc20a2bee0005c000b

    • SSDEEP

      24576:5yQ6k1XlUuV6gbsDRA/vTXLp3qiwikDLDJtgYBNSu+KpEFMe:sQ6knTs2XTXLpFusYKu+yQ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      dda511575fe2d4e8cc7e7dfbf500a529cbd2a5acc24299b8217d603401322c2f

    • Size

      1.5MB

    • MD5

      6ba00ad9a91f15dd444ad429ac2c2247

    • SHA1

      23f67b9d77ed808f1a3b22a7a48a70bf931ee11f

    • SHA256

      dda511575fe2d4e8cc7e7dfbf500a529cbd2a5acc24299b8217d603401322c2f

    • SHA512

      2bc5fa1df9db17837c37d37773447c485676f0deb06600b6d9d5b82e7a6cb605d175a7121a1688ce875337bd76d0cc18b3e90398a050f451acad22844f7a5261

    • SSDEEP

      49152:xuMNfHwZ5+uSS08H6gD5CoqkmaBshMG6yVn:Z+5+ulaQ5hcaBTG

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda

    • Size

      1.7MB

    • MD5

      2bf06baa3ecdf15e0690a49d48c89a5c

    • SHA1

      d26ee7ba4b6739d79aa2f675011692fc81510b23

    • SHA256

      eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda

    • SHA512

      c535d51b89349b1a6bf2aa7f31c2ad2c48cdf7bab24fe1aab4663c42ddee295bdcaa806e713902457be0580feba4650fecce7ce30b4a0a1e4a57fd5b7752f5fc

    • SSDEEP

      49152:Wsgn+koTVHgULqwjeUM3/Pa5dNAq8UYidJGLW9slbFS:mnZuHgULqwXUIrA3mwqylb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b

    • Size

      389KB

    • MD5

      2de3042570f5c1958092fccd52196050

    • SHA1

      825a3ed1c11fbbb29f78be5b760b7b2bd09b3608

    • SHA256

      f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b

    • SHA512

      bb05c46d754c4389cc6dd64341b44a27ba466c4786911543a5671b3371541afbb9c69c0052ec37417b7bef11b69d5314d889cc3e62ba5604140876afa1b23541

    • SSDEEP

      6144:Kvy+bnr+1p0yN90QELYTRHY6J0ZCPWEMjxFYWYUn3JSt2fgBZ+t4zDg7RJVrQ3N:BMr9y90I2CPzcnYCM2fgBYCzs7REN

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Score
3/10

behavioral2

redline 5345987420 discovery infostealer
Score
10/10

behavioral3

redline darm infostealer persistence
Score
10/10

behavioral4

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral5

amadey healer redline smokeloader lande backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral6

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral7

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral8

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral9

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral10

amadey healer redline naher dropper evasion infostealer persistence trojan
Score
10/10

behavioral11

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral12

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral13

healer redline masha dropper evasion infostealer persistence trojan
Score
10/10

behavioral14

persistence
Score
7/10

behavioral15

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral16

healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral17

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral18

redline kira infostealer persistence
Score
10/10

behavioral19

healer redline masha dropper evasion infostealer persistence trojan
Score
10/10

behavioral20

amadey healer smokeloader backdoor dropper evasion persistence trojan
Score
10/10

behavioral21

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10