General

  • Target

    red.zip

  • Size

    12.1MB

  • Sample

    240509-wh1cbsaa24

  • MD5

    165966224755edeecb737af9647ef789

  • SHA1

    cbe6944c32d5e1034f148fc5adc57331134c77ae

  • SHA256

    292b6242a8248f18030260bd0c373ec14be1362f7f7494bca33e42fcc97580b0

  • SHA512

    f516947b469273ecd4818e7e0a93b00b154eab77f23e34fb5f7637a1aa8ee00e7462ee03e2c529b62d005af830e9bab7c40bded68d63d4586a938e968b86fae9

  • SSDEEP

    196608:ZJR9khydn/byPOggIUs8BxOx8nkpKxy3/Suk9boOsd6PSehcYACe6bkNZyXv:ZzDjyPOhI2AKaxNdoSeqAe6byuv

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

http://77.91.68.61

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Targets

    • Target

      00dc3a43dda255a61bd370ebbf0fc0431112da3c176a205489b4a2113c396878

    • Size

      390KB

    • MD5

      b98729272c6d4df3a64402281ace8eb9

    • SHA1

      e7085276b6444b67bafa946b8dc7d97cb9724481

    • SHA256

      00dc3a43dda255a61bd370ebbf0fc0431112da3c176a205489b4a2113c396878

    • SHA512

      51119438a29cea3ec18fc0196016d1eb4e61a9c97b198704251cb5ce762cced3257a6fb62d7c7be76f0eb60ae0cb551d31bc946f3bef89f4f3242be910b39229

    • SSDEEP

      6144:Kiy+bnr+4p0yN90QEgIDkih24KNWnnVOYvWUo/+K1DEn0q9qkzlM4uM:SMrIy90+IJKNcOb/+K2nzokzlMM

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1b26ae68f4d9a6a0bfd1a8c92489c6dcdb1a4e6ca483442c2b307329cdfb9345

    • Size

      390KB

    • MD5

      bb0753dc0f21ba5b88f9efdfd5760f86

    • SHA1

      ed86f97a30aa9d415af373a150da9ed444cc93aa

    • SHA256

      1b26ae68f4d9a6a0bfd1a8c92489c6dcdb1a4e6ca483442c2b307329cdfb9345

    • SHA512

      eb37c103e0d993f7021887a7447f4d158a90f1316d24d82041f4576996ea819ecbe7f03c382407e3a64e1bb0ad9c33c77f18f4fefe76dc8c74298a76a965b7b0

    • SSDEEP

      12288:/Mrvy905HLz6SlnopjauhTjgBYCDSViHApFnQA:UycrPlnop2upczGViHAp1z

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94

    • Size

      389KB

    • MD5

      be20e8d108cf9e94319678c0f61393d4

    • SHA1

      9ca7da9916d071095a2985ecb2408f24f9978453

    • SHA256

      277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94

    • SHA512

      4a60a1bb61a320deabeeebb508685a024c2b6c1d065221bc5a2682a90193300899d49e355675b84293875486cd08e94d582c95df886ca3330bef74cb0921afca

    • SSDEEP

      6144:KPy+bnr+Lp0yN90QE9dx9l253NzJGHDRezddZ5ULvrGEf51/HmbTME:FMr7y90P25uFEnwrGEr/YT5

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      32df5b0360337fb2cb7c64f82fa3d8fde28ff3c1028c424475918553f0dae959

    • Size

      390KB

    • MD5

      b48f4d5e5ebbba5540571afc35141edb

    • SHA1

      c17c04823151ba15dc89d1dfc7ce39ab04f007ce

    • SHA256

      32df5b0360337fb2cb7c64f82fa3d8fde28ff3c1028c424475918553f0dae959

    • SHA512

      239ec2798b6fa61225c8e27f9d7068b3770d76d431cae4eba1417df71a6d9ab9cf802fc05e960c3ef358767f1ba43ebbeaadc6c82eee0055b3fe06bb1ac35de4

    • SSDEEP

      6144:KTy+bnr+Qp0yN90QEqBbYug653PMwusov9HGDMtgb99PpXrEd4+e2F1zdiZ5MoVY:9Mr8y90fh65kflNgQgbNrxOSVMf1d

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3d03f2fde9b9bf8b3069d0b3bdf2625973d4f23daa92673be4185d9c0d5f2500

    • Size

      389KB

    • MD5

      bf563439432ac3c78acc59067f958e56

    • SHA1

      23ccf3dce712ac5e26a59aba66593b785b8f7463

    • SHA256

      3d03f2fde9b9bf8b3069d0b3bdf2625973d4f23daa92673be4185d9c0d5f2500

    • SHA512

      93983179bc5dd6bc8fb1cc75bf93553b427d2b84e4bbb3f2407e8c0b554280a259f89667007e12157a32ce99f379cfbfe67ad61015b6ef8e0298d686ff521505

    • SSDEEP

      6144:KTy+bnr++p0yN90QEzo3Vcq21/X3pKBlMUepPXqKmCrjywubTdubmRVmjnVu6F34:dMr2y90sOq21/oalLvy3u42wWg97

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      50be51fdd59dbf4ac078600bca6c8481f0e5baf0010085e6e0ce8d763e87da4b

    • Size

      390KB

    • MD5

      b98765fd9fa676950200180126ca55fa

    • SHA1

      b90c5fb7694835cf0d411b0573a6e5ccfc87029e

    • SHA256

      50be51fdd59dbf4ac078600bca6c8481f0e5baf0010085e6e0ce8d763e87da4b

    • SHA512

      72fc0386dc80c3fcd3306be8cac7b85435adc9c61f2834f0c660023e6e8ae16a67d95600ed251d3999cc1e4b33be0f678ede05ae8c805641217f10782bb386f8

    • SSDEEP

      6144:KJy+bnr+Fp0yN90QEtKC6Z223SgfSsBjvDfu/xLGC9wxrRf9x3S5V+ekRsR9TNKI:TMrpy90bL+i+7YF1wt59R5eOsTTkypL

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02

    • Size

      302KB

    • MD5

      c0e3f771bcbb789d734e7d3e1b1f4e65

    • SHA1

      02e6e5e508188955181ac98bb1b9c414d2c1aa9e

    • SHA256

      53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02

    • SHA512

      c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118

    • SSDEEP

      6144:QWzRT5OXkMMnTDs7UNVS49kCNQSzrs5kLJhHVugiqtciLRcx:X1T5nD7NQSzrs5kLJhHVugiqtciLR

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of SetThreadContext

    • Target

      6286d393c93044fd5b8363ccad5324fadfde3e3d9b340ec908941eab3fe90652

    • Size

      315KB

    • MD5

      bf89c72f6388b3884699e8081c8314c4

    • SHA1

      587f7e952669cc84756181deff315132cba078d4

    • SHA256

      6286d393c93044fd5b8363ccad5324fadfde3e3d9b340ec908941eab3fe90652

    • SHA512

      fa90330bb2e3a16579de6ae76bda2371b7e18e246ebcaa7432d010f2743e944bbf5e494941bb2d3192cc4816fa97e64cefe31f61817cd6cf18b38e9cc81b02ce

    • SSDEEP

      6144:pR99pI60nbM8uPZy3+8KIDP3uSEykJUxDyvPH3ef5AvnKXHS:pr9+60nbnuY3PEykJ2M3ehAsHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de

    • Size

      2.4MB

    • MD5

      b56c9c48c9be9fe4136433ba42ff386b

    • SHA1

      ca41a545b363d093d54478164341a674d14fc20e

    • SHA256

      6547f1c95bc0b060cd5e5f6b8e5e968b730cd21f758f6dd5371e802b13a5a1de

    • SHA512

      cd0d1d2515ddfa2f82c0a231ac628087ec07e12ae18f16725c8c00f143e42babbdf6fdaa364c3a73995b11c500229ed2b80fb0b49ee9c053b27d00c0318b30f4

    • SSDEEP

      49152:aMZY5u/t3C4s8PuNe0etckWRrdj3mCaEshhFeEsuHECTOz88kUOgL:4uc86Wc7pj3mCohHeXuHaxkUOW

    • Modifies Windows Defender Real-time Protection settings

    • Drops startup file

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119

    • Size

      1.5MB

    • MD5

      b6bd0fe9e2f14162d22a601e59a1740b

    • SHA1

      5a60ae626817e3638caca0fc80ad9a8200357e52

    • SHA256

      6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119

    • SHA512

      af2f072c83766dc801720af1f3a94dca12035b46b3a038a4df7afecfb85021020f25b2f4827bcba7d6109176631730e0527772b37946564a40d6dc9ea92ae8d0

    • SSDEEP

      24576:GygAJsoOr2n6P8VRrbjJJ+XODPh25hMojCFMQsEtJoFs/dboavD3ZCzY2:VgABQ+6kpcoh2MntHdbJvD3ZCz

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6fca9c5ffc57888f92c438ff3dd7d9247b7f7e696e9a6b1b63c3aa2a801b0625

    • Size

      515KB

    • MD5

      c138f8ea750795895b64bd99b1fcd8da

    • SHA1

      b815664dadb4d1ff91862b2af099b84b230e1aeb

    • SHA256

      6fca9c5ffc57888f92c438ff3dd7d9247b7f7e696e9a6b1b63c3aa2a801b0625

    • SHA512

      d6056b12443f399230bc7a469f11ae18fbe83915ac64966d4650ebeade16f6ae5033a7dc66415bbdc4e5f740a7568b1ee18dafb4ded14bee85b3c40e3350a6ee

    • SSDEEP

      12288:kMr2y90vRliN0WXndhbap8sQM9oVgswQWT3l:Kygi0andh08sQM9oVbol

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9a3f5d3f84858840f8bdd8879b66a6c1ccb772e507f7f09dfe1c5a88e2d33db2

    • Size

      390KB

    • MD5

      b93f1a3f111ee22a2f3823ba610df83f

    • SHA1

      baec460007c3386a3ae433bd896bfb94a70bdc3e

    • SHA256

      9a3f5d3f84858840f8bdd8879b66a6c1ccb772e507f7f09dfe1c5a88e2d33db2

    • SHA512

      b1c3a057f81e7bcab8910e9c0d10c9be0e0c1121703036c0f5a92bb8ad2f39689109a88f8b00554cf78899f8903cdd7b56ad9ff65238ae3a27dd61fac738560d

    • SSDEEP

      6144:KVy+bnr+Mp0yN90QEtnrqjIgNYmaprhm7Wy1NEgVNxfCcHnlRH9sCPRmPZGn2RM:rMrMy90PrYNYmaprhYMcHnl9i9RG26

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707

    • Size

      390KB

    • MD5

      bb002c60488c5ef7e62f582fbc73646f

    • SHA1

      0e67525e9d135927871ab92f6db6dd936b7e1b92

    • SHA256

      ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707

    • SHA512

      73d5f57444de77b0e4d52d9bb18dc58c3e715a69669412ada51dc7e978a1890db92f8257e014f3b774c2e25b9bb41bb175ed992e807a4c1afea6aa5944bebc74

    • SSDEEP

      6144:KNy+bnr+zp0yN90QE79p5+F4wAg0rKWKc5Fu048imlYLPrB:rMr3y90NQ4KCHKPolYLPrB

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b11b1b57a3bb5f7ea58bd5b191ab3813432fcc41e7f4e321fa61b848d8c86606

    • Size

      864KB

    • MD5

      ba371037effb3bc1fb01bb593a705272

    • SHA1

      a557ecb6ba798abf36b6c691d19e50e03e2285df

    • SHA256

      b11b1b57a3bb5f7ea58bd5b191ab3813432fcc41e7f4e321fa61b848d8c86606

    • SHA512

      373624c6d599275cd090fe584cb5ce26f3acabd2ed070623470764e5a43d875a6c0220bd36b056299773f3b8ff12cf19ce261ab7edd80661ad8d5c3b535a7556

    • SSDEEP

      12288:yMrjy90R4n/HwA+x/tRDFjep/9fX7ZqpYM3b3GOfGsBuku78cKIyVUYFYZT5zd+O:Zy4k/HwVZWZqScasI778FIyTYZNsiF

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b7da28873d43a4b6acac44b82b109a2489323a219d2cece98db41b834a2f30d0

    • Size

      390KB

    • MD5

      b62325de4a16fa8ef1be00aa14a9fbaf

    • SHA1

      e4a6a42b2ded3585cc3df5a8ae50d737af8ab89b

    • SHA256

      b7da28873d43a4b6acac44b82b109a2489323a219d2cece98db41b834a2f30d0

    • SHA512

      a19baa59e652f92c1159e99c96a752214c2971ae245cc35853b0a7f6d4c010c0380ee6483aa3ccf81d2368f14f2a210e6c457bbfa559e0b7316fdf40330978e4

    • SSDEEP

      12288:KMrRy90wf9rYI/TeNvhlroLgBYCmThEW7Sfz0vip:bytNYwTs7Zzm1EW7SF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d49a64853d7fdb5d663df0941d5488cd6e080c07ea46f31a0326e2e0ab34f765

    • Size

      454KB

    • MD5

      b7f76ced093ca9f03e791a1aeb35ed16

    • SHA1

      ad59e7878fe7c94341ee5dad7b3950d168d5a97b

    • SHA256

      d49a64853d7fdb5d663df0941d5488cd6e080c07ea46f31a0326e2e0ab34f765

    • SHA512

      23fd42c33e514c2f21d4ea7fa40c7d3bd94da1fb7bad693e9e3d080310e793b82f35eea8912f7c1619e4705cf4976f892d87955e5e9c7a95d80bf6e8f888a1a2

    • SSDEEP

      6144:ejo7W76rH+prJpH0AY3DYu+e3i27figCzqIU6vdpgRNmeBKZ4cyox1ZS/n4FPCKv:ez76rH+prJpUpYRlq2ejIZNDE/8PfeE

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Suspicious use of SetThreadContext

    • Target

      d599ef82af0badf49dd8c6cc5d7bad517685798e47a31291d482c5768dae4e3c

    • Size

      1.7MB

    • MD5

      b6a277fb73fd2368881e3a1bdfdbee91

    • SHA1

      e266dfa6fd70b7c708e94888ee5c20145de5cf09

    • SHA256

      d599ef82af0badf49dd8c6cc5d7bad517685798e47a31291d482c5768dae4e3c

    • SHA512

      fa58f5ea05bc17a43d77863a82f0de4bfc4ade606d36219d2bf9a2ad2100d427e1007e6a7953f45831f901a3039427fe8acadddd2017a3c9d37bc7aa51c3e5ca

    • SSDEEP

      24576:ky4lOgHEhO36BRximoOF+Is5qO+6XRuyCmjvoQYK83vXtayzWT8oyzzGoDzlJfzD:zY2G6BRL+IaqOXRuylUQYLPRoNCW

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d7873c75af8bf0f44eedb5171fcab5b70d157578f4a43aff8aaadb23058cb1a3

    • Size

      390KB

    • MD5

      bcf3bf79ffad508d0c6614b13a236386

    • SHA1

      b6123c6da65ce8c9f1d79f74e9b6f2da2a3db14c

    • SHA256

      d7873c75af8bf0f44eedb5171fcab5b70d157578f4a43aff8aaadb23058cb1a3

    • SHA512

      98b8f97c949e8a65ccdcf316c2f5f2fc5fe22618ea2a80ce4395ff66297fd03f324ba3825feaf2997d6dbc596a3527ed495795165ccf5621d1a5cc60f4fb5446

    • SSDEEP

      6144:Kjy+bnr+fp0yN90QE7c7Yla5bG+YvzSs5TpZ+xGYXJfcCcHnlRHuhyGXBcW:JMr3y90BsYlGFAzSk07JVcHnl94XBl

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      db2419395b2091b54fbda644944d811a11fcb035dba5ab2e6d4b5ee327abbdf8

    • Size

      924KB

    • MD5

      b4279fa1a8abab99f422a93f4d79f2f9

    • SHA1

      ccb6ae065ebbb6744b787bf780123a5c22a72042

    • SHA256

      db2419395b2091b54fbda644944d811a11fcb035dba5ab2e6d4b5ee327abbdf8

    • SHA512

      755a9e8fcc2d709c51926d540f7fe57bb5a6633a797ee72de4e71dacf67798cf8ae16919252035f5ec1aa583158b4d06225a2642a67808557174b70ebb664967

    • SSDEEP

      12288:XMrPy90RZnSp8CTLsV3LprI9+sTyIEhbWNAdsJwNywGEsUJRKEtj4L3S3MMm:Yy8SiCTLkrI9+bIEANAu9lUJRKElP3A

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e7b8d2cb79d76cc4434f9525644c524179ad84cea43f8c12ee7ad387710dfc0b

    • Size

      390KB

    • MD5

      b463b4e34c4eabc3471a7e831ca821bf

    • SHA1

      190840beaff3dadf2dd733e2cf26602553034caf

    • SHA256

      e7b8d2cb79d76cc4434f9525644c524179ad84cea43f8c12ee7ad387710dfc0b

    • SHA512

      1b44e81ae0523a111aad4496950c22ded9dc1f979c1ac23492e70001fdba211f9bfe8e9a693fadc1457af61c00c8fabdf580526f791e5940d87a94b47a750ae1

    • SSDEEP

      12288:AMrRy90F1S5fisieQUG5qigHRcHnl9u5zXRQT4:hyG1SlisrQUURcmHKvQ8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral3

healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral4

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral5

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral6

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral7

redline, crazy, infostealer
Score
10/10

behavioral8

redline, crazy, infostealer
Score
10/10

behavioral9

Score
3/10

behavioral10

redline, 5345987420, discovery, infostealer
Score
10/10

behavioral11

evasion, persistence, trojan
Score
10/10

behavioral12

healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral13

amadey, healer, redline, smokeloader, news, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral14

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral15

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral16

healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral17

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral18

Score
3/10

behavioral19

redline, zgrat, infostealer, rat
Score
10/10

behavioral20

amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan
Score
10/10

behavioral21

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral22

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral23

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10