General

  • Target

    red.zip

  • Size

    9.3MB

  • Sample

    240509-wxyr2sah96

  • MD5

    f089338a72913dbddd612282e8509c66

  • SHA1

    0aca82c51f54a2024fa662a66024c98d59cea9b7

  • SHA256

    0d3870d43882a263c0511d1f89fbae94912261a6be64dc949d87cdad8f3a7de8

  • SHA512

    eb2d9d220cab0bf69c828034d71d68ba98b6de0f8299b76ef8e385f0abdaedd8adf75e2a0bbd4f2f14fdc7b476a6cfb8c389fb3f854e539ef1c3dde62c00ca4f

  • SSDEEP

    196608:Rn9MKzCAysa+lEi793L4drPxwrvhHmal+Qm92yV94YBmKooLia:3MKGA29i1LwPxuvhG3Z9bXBRFLZ

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

http://77.91.68.61

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain
1
a091ec0a6e22276a96a99c1d34ef679c
rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

muha

C2

83.97.73.129:19068

Attributes
  • auth_value

    3c237e5fecb41481b7af249e79828a46

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

naher

C2

77.91.68.48:19071

Attributes
  • auth_value

    62708e72becb72a24cf8843b46acc6a1

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805
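The two Amadey configs above (3.86 with install_file legola.exe, 3.85 with danke.exe) each list a strings_key plus one or more rc4.plain keys, and a C2 base with a url_paths value. The block below is an added example, not code from the report or from the sandbox's own extractor, showing what an analyst does with those keys. It assumes that Amadey 3.x stores its strings as hex-encoded RC4 ciphertext and that the 32-character key is used as raw ASCII key bytes; both points are assumptions stated here, not facts the report gives. The ciphertext it decrypts is constructed by encrypting a known string with the same routine, not a string pulled from the samples. beacon_urls only joins each C2 base with the url_paths value of the same config entry.

```python
"""Added example (not from the sandbox report): RC4 string decryption with
the keys listed in the report's two Amadey configs.

Assumptions (not stated by the report):
  * Amadey 3.x strings are hex-encoded RC4 ciphertext, keyed with the
    32-character key string used as ASCII bytes.
  * The sample ciphertext below is constructed by encrypting known text
    with the same routine; it is not a string from the samples.
"""
from __future__ import annotations

# Keys, C2 bases and paths exactly as listed in the extracted configs.
AMADEY_CONFIGS = {
    "3.86": {
        "strings_key": "5680b049188ecacbfa57b1b29c2f35a7",
        "rc4.plain": ["a091ec0a6e22276a96a99c1d34ef679c",
                      "006700e5a2ab05704bbb0c589b88924d"],
        "c2": ["http://5.42.92.67", "http://77.91.68.61"],
        "url_path": "/norm/index.php",
    },
    "3.85": {
        "strings_key": "827021be90f1e85ab27949ea7e9347e8",
        "rc4.plain": ["006700e5a2ab05704bbb0c589b88924d"],
        "c2": ["http://77.91.68.3"],
        "url_path": "/home/love/index.php",
    },
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_amadey_string(hex_blob: str, key: str) -> str:
    """Hex-decode a blob and RC4-decrypt it with the key used as ASCII bytes (assumed)."""
    plain = rc4(key.encode("ascii"), bytes.fromhex(hex_blob))
    return plain.decode("utf-8", errors="replace")


def encrypt_amadey_string(text: str, key: str) -> str:
    """Inverse of decrypt_amadey_string; used here only to build constructed input."""
    return rc4(key.encode("ascii"), text.encode("utf-8")).hex()


def is_printable(text: str) -> bool:
    """True when every character is printable ASCII (a cheap right-key heuristic)."""
    return bool(text) and all(32 <= ord(c) < 127 for c in text)


def try_all_keys(hex_blob: str, keys: list[str]) -> dict[str, str]:
    """Decrypt one blob under every candidate key, so the reader can see which
    key yields printable text when a config lists several rc4.plain keys."""
    return {k: decrypt_amadey_string(hex_blob, k) for k in keys}


def beacon_urls(version: str) -> list[str]:
    """Join each C2 base with the url_path from the same config entry."""
    cfg = AMADEY_CONFIGS[version]
    return [c2.rstrip("/") + cfg["url_path"] for c2 in cfg["c2"]]


if __name__ == "__main__":
    cfg = AMADEY_CONFIGS["3.86"]
    key = cfg["strings_key"]
    blob = encrypt_amadey_string("legola.exe", key)   # constructed sample
    print(blob, "->", decrypt_amadey_string(blob, key))
    for k, v in try_all_keys(blob, cfg["rc4.plain"] + [key]).items():
        print(f"{k}: {'ok ' if is_printable(v) else 'bad'} {v!r}")
    print(beacon_urls("3.86"), beacon_urls("3.85"))
```

try_all_keys is there because the 3.86 config carries two rc4.plain keys besides strings_key; when several keys are recovered, decrypt under each and keep the one that yields printable text rather than guessing which field the extractor meant.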

Targets

    • Target

      06ca8c24aac1dfc98dcff3632bd9a2a735d5a57c7e634d8c9100f6446b5423f2

    • Size

      390KB

    • MD5

      cdb9f33e3db3faea925260edf3aeb4c9

    • SHA1

      f5c2a6b9bf59a9901d79f6b3c123140433def0ba

    • SHA256

      06ca8c24aac1dfc98dcff3632bd9a2a735d5a57c7e634d8c9100f6446b5423f2

    • SHA512

      1579fa476abc80b2180471e95ccebb0adb6c2beb7e970867d699b7fd03dcf977e5695826ba20c7b3855ddd4d0f04530c3df1a8e8eca458643261a13bf14a4042

    • SSDEEP

      6144:Kny+bnr+5p0yN90QEfWKctyhWbGhdlACOpb6xtV6LcfkvlsVAAxuL:hMr9y90AfMlwpWwLcfb9x8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172

    • Size

      390KB

    • MD5

      2b4fcfb0f2ae522aa294a88b8c2b93cf

    • SHA1

      55641e78c33b0eada8f3dd92dd81089902bcc4ba

    • SHA256

      082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172

    • SHA512

      b3ebd6657abb087950de61eda914202f72f0c3e2984a4b47fe4d157f79d60418f72b0c9ace2fb3ded85def218ab024c858ca4ecc4a7415ad15b83812e547f9ce

    • SSDEEP

      6144:Kzy+bnr+np0yN90QEJAR3Z0skWcnZNbQR51uTrfrDMSxlP+mzNFe7gHa0O:xMrXy90XC3Z0Msrf0Sxp5Fe7gpO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1

    • Size

      864KB

    • MD5

      c86ea9744ea3cca905b7657585568de6

    • SHA1

      ba018b2d08a84d2e411b27e314cb8a23a06865f8

    • SHA256

      0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1

    • SHA512

      720bb844157dddb335fd3660b32ee9bec30ae3853fe5b26d3194ea517481a9f6b265b977e5d8bbbc92316f7ed9d173380192d93ab3b4fe2521d26462798c05b8

    • SSDEEP

      12288:9MrBy90lDtGyHT69dmXPVxG0IYjxSkZiUnt6YdipFOj47Ec0yWLcp6pSa8YmZ41:kyQtGyHh9xV5QFpQj4T0HLc5NtO

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6

    • Size

      390KB

    • MD5

      2b277cdb588cc9fb0f2256f45147e890

    • SHA1

      ce9bba3d9d6d9ebeaab7419a9fd6706e2368725e

    • SHA256

      0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6

    • SHA512

      1613e946430e79a02de882f55490d2a0e7333d81483555972353ba607861296409cc0be202842edd08378741ad87a93c08ed71a05ffac15d5c75f9a94c5485a8

    • SSDEEP

      12288:FMrYy90N5WijQtbLnsq7zKtM6zMJB4RyAJ:FyC5VwHsq7zCe34RyAJ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      131675744e12e01eb73fd34a82dd03d2d5ab80bd88b854836a13d0065e536c29

    • Size

      1.1MB

    • MD5

      cdbe20f934581f5c98cf64bba69e40c7

    • SHA1

      4952ea7971e0cf5e9e9db73003b789af8df9c9b2

    • SHA256

      131675744e12e01eb73fd34a82dd03d2d5ab80bd88b854836a13d0065e536c29

    • SHA512

      5da129aace6efdeacffb11f38ad3aaffa9737dd6617c0968f1db6b95e149e380fad2418dad7584c033d4827519609841e1837009a1b00a31136895631b861360

    • SSDEEP

      12288:TMrzy90lhQNUVdkipE9ZCoTsNl/lewqlgMVyaOZW/ybxUfAoAp3LlrGvP8cemBD4:MyA1CKoTsPleJdmOwxaWZtSBCYg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01

    • Size

      514KB

    • MD5

      2ad41d644161496d089d17fdd8d829ed

    • SHA1

      5353f2219c0942b87a463658c7c57e4eb717e14c

    • SHA256

      136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01

    • SHA512

      ffba38e48ac854b9677aa86b54f40ae2e32854f441b7384eab914370c621fb2e25d30879adf86891c2ac9bf20caa3f17e777bda26d395cff2788f5dea8ff14d3

    • SSDEEP

      6144:KMy+bnr+pp0yN90QE3F0y6b9bDenEqXctZ2x1vdHsTdkuzy6lZOTbp84K/F+Gvln:8Mrxy905F0DBb8MsiqRu418yG6BGj0S

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092

    • Size

      1.0MB

    • MD5

      2a7b1612e39c878b57a90f1ba48107f4

    • SHA1

      51068a24348c3b407040ac2ff89880ee0d288175

    • SHA256

      3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092

    • SHA512

      499bb38c777c8f2af14abff205ef997541a49521f6b873274d05d891486ac0a55144c4bb4ef99930b0bc4f36761235ba9fbf02d15859cd7dadf6ba0c05cfda14

    • SSDEEP

      24576:8ybG6hufBVZ66lWbl9hIPGYN/2/nxult1qKTs5E/yldbAfIL:rjQ3s0Wb1IPGYNUnxuZ9Ts5E/Kk

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      42aaf3452f3dbd3fec800b9307def7e1463e88016e6585d09719f8642ef8f491

    • Size

      389KB

    • MD5

      cdcecd3749891f697a0af96762cb9124

    • SHA1

      b31636aa34b1b3eeb7caefef82c37f2f093c6b64

    • SHA256

      42aaf3452f3dbd3fec800b9307def7e1463e88016e6585d09719f8642ef8f491

    • SHA512

      3e6576b30044df2139e96401cf30439229ca0dfc3f3df77d4fcad7aefb5f9ae2112df018e8fb655505d0ea79eee96ff2580aa148d60cd93fddc55255d37bd044

    • SSDEEP

      6144:KOy+bnr+3p0yN90QEHP8pAkeKHGqQ4ewNu043Hvyj6qxNnUvDrqmPB:eMrny90himqQXWMHG6qX+rx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7

    • Size

      315KB

    • MD5

      290b0115d137ba7f6f75557dea9a3418

    • SHA1

      4fd841d032858a7bc39d598eca329371bc48a118

    • SHA256

      51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7

    • SHA512

      b843b5beea655f803deb8473cb9ed4f06e0d99c46480dcce39d321b1bcb4b4dff4350bd7c41f6ca0f3eaae31e73e9351ec5de920eddfedc809f119effe362a34

    • SSDEEP

      6144:8A9pI60nbM8uPZy3+8KIDJgu+PchgHadTi7ZiEfXHS:H9+60nbnueg3cy6RFEPHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244

    • Size

      390KB

    • MD5

      29559e945f56a313b5e9264dd6ca7a3b

    • SHA1

      008abf8dd4f1da5ce1cac168e042ef8bcee54607

    • SHA256

      51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244

    • SHA512

      f2dd23e29d5ef28323a0b4741e6ab5c79deeba8dd27bc0565826700e87350ab5f74059e669be30f28054e2e52af57519193099abe75b56be2f65d7071542c14c

    • SSDEEP

      12288:TMroy90EgA20duD7uAomGFLqcHnl9movoHz:LyVgAy7uGGFL5Ha

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4

    • Size

      309KB

    • MD5

      cb6e6dd23036d3e9c3fd6fcc4e12690f

    • SHA1

      4a5ef41dca4f37163bec679914d69cf895069c51

    • SHA256

      565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4

    • SHA512

      cd8004da2fe9d31748171b180aab8d2d650f08ab57e8f08d748db120dbd10730a6ad2bba28618501cc1dad2f175084df0f44db0f0a002d9124832c8ae45031aa

    • SSDEEP

      6144:P6hm2uPpiUxyd2eVps3AzNsNkZ8+cxdj91FtG0UyfvVR7/I:Sm2uPpit6eNsN08+oz/FUy3VR7I

    Score
    1/10

    • Target

      58f6935c15dbff1158f14839ec623027150c9807c5e1aeaaf3896d516c27be59

    • Size

      390KB

    • MD5

      28d3660c5b5ef787497ffb61b19f8e61

    • SHA1

      af3674bb9549c5af5b3a156aeb98f2b073b50dbb

    • SHA256

      58f6935c15dbff1158f14839ec623027150c9807c5e1aeaaf3896d516c27be59

    • SHA512

      f2132054b9f63b405c4a1c3cbbb693e391433b5f08d0b6671ea3e0ec1c558452a38f12863f5d58747efcc46117f184cdb26fd3dc8fbae7608b325f067d67c115

    • SSDEEP

      6144:KGy+bnr+Ap0yN90QErXGkWKjZN7QR5nPl1t7Oack6pfBNEmMXmoA:CMrcy90NmlrVMpNgXm1

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812

    • Size

      389KB

    • MD5

      29dfe0bcbc16089e569919b85c5a7790

    • SHA1

      0a2e017700ed6019d90506d0f309795934f216b2

    • SHA256

      660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812

    • SHA512

      8579f6677026e6db6e96d7e71f214913eaa333efbe61f988419a8ead7f3a76de641fd6bb4ed908acfff80bee63d72386cd3fa44ebe9a7d9c3975fadd8fac4576

    • SSDEEP

      6144:K/y+bnr+np0yN90QENy5RPekKFyJzuw6UyecP8KoaH7dmktY0gBZ+t4+Dsu007cb:xMrDy906RPeTyJByecuiZK0gBYC+4VZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8

    • Size

      863KB

    • MD5

      2a6e1fb8b08aaa808c7fb58476b6e43a

    • SHA1

      7ad750caf7fae9d5a84a40ceaa6b717687c8f8c0

    • SHA256

      6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8

    • SHA512

      e1ebc658f348be796144da8d64139e1736e028448e15e922663202fbb9234ae5eff82fe5323cd3b0b192f238eaa4dcbe91364fe0a46385726f91ec0afc892db8

    • SSDEEP

      24576:zybHwr+znBAxCLaz/qplMPNYrlWCn+QCh2:GbQr+jBQL+M2R+Qq

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef

    • Size

      389KB

    • MD5

      2a5fee3aeb178d6f9d0ad8da6752ed62

    • SHA1

      abca698074e3b9b736a667d16876d0d6962d3f94

    • SHA256

      7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef

    • SHA512

      12be27e3e7a4960cf33ad6ee696ab0b7a15c40e02420e1da54d310d3ac75e02755ade67c86a658a3c0e41399d98ccdd34a28b17581dfd1bdb58a143bc4649a5c

    • SSDEEP

      6144:K1y+bnr+cp0yN90QEurtXOTTx4fEcn5ohF38TkpAfrFcnfdyWv9:zMrAy900rtX814f3ovm0AfrFiv9

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94

    • Size

      389KB

    • MD5

      2ade2eca7ef3588a241faa5eb9c4edc5

    • SHA1

      0cb3f7a34bbd6fc353cf75997ca96974255f6243

    • SHA256

      80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94

    • SHA512

      6a180e614bebf77a83ab8efeaec6ac20d4b7ceef19b01610b8f19f325e5fe37c5cdea4a88d858bfee0e7d5574da41867d738d2b0b526830e73e5ff8c2693991a

    • SSDEEP

      12288:0Mrpy90UHPXysVcfTOgBYCNLVbx2oXQSvd:tybv1G7NzHVESvd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d

    • Size

      390KB

    • MD5

      29f49a573cb9d9eefa26b783575a7833

    • SHA1

      39eca76bc506027b137c37b95465789b1f63889c

    • SHA256

      85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d

    • SHA512

      ccc26765e258526db126fb0a0a724226895f587cc8d0bd7b2200f2767374d8b513f9229a7ba81e96abf5ac4653cbcfcad500f16127f68b160e048a2578795946

    • SSDEEP

      6144:KZy+bnr+Vp0yN90QEIbPyhWbmhXtqYnlkff2MDV2m7qbOvvRxsh68j:PMrJy90ZFhkYnlk2MDVvUh6w

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

    • Size

      828KB

    • MD5

      2a32d9865596340119086b9e9d7407d7

    • SHA1

      cd4daf419b213c6a34241bb7a791f2b59f4d80d8

    • SHA256

      bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

    • SHA512

      2bcd417c9bc9e1cd1fb0a63dc62fa1599b78f7ea6b3205f2b6c9b5b9f805183b80318fd0f9ff4dd3ca8b55dfafab6cfd8300c638c97e22269904362434e001b8

    • SSDEEP

      24576:9y4zSdEWEkPt03UTE04CiNCAFab9dmcZgf:Y4OEW2rCiUAYJn

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • Size

      514KB

    • MD5

      2993a209322f7d93406fd78632f4a545

    • SHA1

      e141503a5dc185ee91e131b8404ee5f563ff1cd1

    • SHA256

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • SHA512

      cb8d9e79b3ed4ba5711cd8933590ce1dd9e349f7a399c38650a1b3611c4a50a415f0b7de91701f3e77e8297d38bb433fc7fb3d53cfd1e46e76f99772aeabfc3b

    • SSDEEP

      12288:cMrzy90i9beiGTgODcYq3pB/npmVb66azq:vy/bhGT5Pq3Lhm/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439

    • Size

      315KB

    • MD5

      cdff25efc7f7e69dc426b36f31b873ed

    • SHA1

      339a84e0af5d6442c2b11eea5f802635cbc0c776

    • SHA256

      d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439

    • SHA512

      f1ca99cbe6e504d5e695ccb31dafc3b8b4e01faaed77d3058163011add4a47159ba4629e98b422145cefbea0dc07216e5c36837545911f800378f636bf700fa3

    • SSDEEP

      6144:aH9pI60nbM8uPZy3+8KIDwZuNVXSZmn3qPOYTn/MHBXHS:e9+60nbnujZaMY6pjGHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
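The extracted configs give a small, concrete indicator set: four RedLine host:port endpoints (several botnet tags share one endpoint), three Amadey C2 hosts with their check-in paths, and the pastebin raw URL that botnet 7001210066 uses to resolve its C2 (the "Legitimate hosting services abused for malware hosting/C2" signature). The block below is an added example, not part of the report, that runs those indicators over log lines. The two log formats (a "src -> dst:port" firewall line and a minimal proxy line) are invented for the example and every line in SAMPLE_LOGS is constructed, not traffic captured from the samples.

```python
"""Added example, not part of the sandbox report: run the report's network
indicators against log lines.

Indicators are copied from the extracted configs. Everything else is an
assumption made for the example: the two log formats are invented, and
every line in SAMPLE_LOGS is constructed, not captured from the samples.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# RedLine C2 endpoints (host:port) and the botnet tags that share them.
REDLINE_C2 = {
    "77.91.124.84:19071": "lande",
    "77.91.68.68:19071": "nasa/krast",
    "77.91.68.48:19071": "kira/naher/masha",
    "83.97.73.129:19068": "crazy/muha",
}
# Amadey C2 hosts paired with the url_paths value from the same config entry.
AMADEY_C2 = {
    "5.42.92.67": "/norm/index.php",
    "77.91.68.61": "/norm/index.php",
    "77.91.68.3": "/home/love/index.php",
}
# RedLine botnet 7001210066 resolves its C2 through a pastebin raw URL.
PASTEBIN_C2 = "https://pastebin.com/raw/KE5Mft0T"

# Invented line formats for the example (see module docstring).
FW_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)
PROXY_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>[\d.]+) "(?P<method>[A-Z]+) (?P<url>\S+)"$')


def match_line(line: str) -> dict | None:
    """Return a hit for a line that touches a reported indicator, else None.

    'high' means host and port (or host and path) both matched the config;
    'medium' means only an Amadey host matched, which on its own is weak.
    """
    m = FW_LINE.match(line)
    if m:
        endpoint = f"{m['dst']}:{m['port']}"
        if endpoint in REDLINE_C2:
            return {"src": m["src"], "family": "redline", "botnet": REDLINE_C2[endpoint],
                    "indicator": endpoint, "confidence": "high"}
        if m["dst"] in AMADEY_C2 and m["port"] == "80":
            return {"src": m["src"], "family": "amadey", "indicator": m["dst"],
                    "confidence": "medium"}
        return None

    m = PROXY_LINE.match(line)
    if m:
        parts = urlsplit(m["url"])
        host, path = parts.hostname or "", parts.path
        if host in AMADEY_C2:
            full = path == AMADEY_C2[host]
            return {"src": m["src"], "family": "amadey",
                    "indicator": host + (path if full else ""),
                    "confidence": "high" if full else "medium"}
        if m["url"] == PASTEBIN_C2:
            return {"src": m["src"], "family": "redline", "botnet": "7001210066",
                    "indicator": PASTEBIN_C2, "confidence": "high"}
    return None


def scan(lines) -> list[dict]:
    """Apply match_line to every line and keep the hits, in input order."""
    return [hit for hit in map(match_line, lines) if hit is not None]


# Constructed log lines for the example; not traffic from the samples.
SAMPLE_LOGS = [
    "2024-05-09T12:00:01Z 10.0.0.5:51000 -> 77.91.68.68:19071 tcp",            # RedLine C2
    "2024-05-09T12:00:02Z 10.0.0.5:51001 -> 77.91.68.68:443 tcp",              # same host, wrong port
    '2024-05-09T12:00:03Z 10.0.0.7 "POST http://5.42.92.67/norm/index.php"',   # Amadey check-in
    '2024-05-09T12:00:04Z 10.0.0.7 "GET http://5.42.92.67/favicon.ico"',       # host only
    '2024-05-09T12:00:05Z 10.0.0.9 "GET https://pastebin.com/raw/KE5Mft0T"',   # dead-drop resolver
    "2024-05-09T12:00:06Z 10.0.0.9:51002 -> 77.91.68.3:80 tcp",                # Amadey host, port 80
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

The port is part of the RedLine indicator on purpose: 77.91.68.68 on 19071 is the configured C2, while the same host on another port is not something the report supports, so it is left unmatched rather than reported at lower confidence.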

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral3

healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral4

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral5

amadey, healer, redline, naher, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral6

amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral7

healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral8

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral9

Score
3/10

behavioral10

redline, 7001210066, discovery, infostealer
Score
10/10

behavioral11

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral15

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral16

healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral17

healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral18

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral19

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral20

healer, redline, crazy, muha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral21

amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral22

Score
3/10

behavioral23

redline, 7001210066, discovery, infostealer
Score
10/10
