General

  • Target

    red.zip

  • Size

    9.3MB

  • Sample

    240509-wxyr2sah96

  • MD5

    f089338a72913dbddd612282e8509c66

  • SHA1

    0aca82c51f54a2024fa662a66024c98d59cea9b7

  • SHA256

    0d3870d43882a263c0511d1f89fbae94912261a6be64dc949d87cdad8f3a7de8

  • SHA512

    eb2d9d220cab0bf69c828034d71d68ba98b6de0f8299b76ef8e385f0abdaedd8adf75e2a0bbd4f2f14fdc7b476a6cfb8c389fb3f854e539ef1c3dde62c00ca4f

  • SSDEEP

    196608:Rn9MKzCAysa+lEi793L4drPxwrvhHmal+Qm92yV94YBmKooLia:3MKGA29i1LwPxuvhG3Z9bXBRFLZ

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

http://77.91.68.61

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

  • rc4.plain

  • rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

muha

C2

83.97.73.129:19068

Attributes
  • auth_value

    3c237e5fecb41481b7af249e79828a46

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

naher

C2

77.91.68.48:19071

Attributes
  • auth_value

    62708e72becb72a24cf8843b46acc6a1

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Targets

    • Target

      06ca8c24aac1dfc98dcff3632bd9a2a735d5a57c7e634d8c9100f6446b5423f2

    • Size

      390KB

    • MD5

      cdb9f33e3db3faea925260edf3aeb4c9

    • SHA1

      f5c2a6b9bf59a9901d79f6b3c123140433def0ba

    • SHA256

      06ca8c24aac1dfc98dcff3632bd9a2a735d5a57c7e634d8c9100f6446b5423f2

    • SHA512

      1579fa476abc80b2180471e95ccebb0adb6c2beb7e970867d699b7fd03dcf977e5695826ba20c7b3855ddd4d0f04530c3df1a8e8eca458643261a13bf14a4042

    • SSDEEP

      6144:Kny+bnr+5p0yN90QEfWKctyhWbGhdlACOpb6xtV6LcfkvlsVAAxuL:hMr9y90AfMlwpWwLcfb9x8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172

    • Size

      390KB

    • MD5

      2b4fcfb0f2ae522aa294a88b8c2b93cf

    • SHA1

      55641e78c33b0eada8f3dd92dd81089902bcc4ba

    • SHA256

      082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172

    • SHA512

      b3ebd6657abb087950de61eda914202f72f0c3e2984a4b47fe4d157f79d60418f72b0c9ace2fb3ded85def218ab024c858ca4ecc4a7415ad15b83812e547f9ce

    • SSDEEP

      6144:Kzy+bnr+np0yN90QEJAR3Z0skWcnZNbQR51uTrfrDMSxlP+mzNFe7gHa0O:xMrXy90XC3Z0Msrf0Sxp5Fe7gpO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1

    • Size

      864KB

    • MD5

      c86ea9744ea3cca905b7657585568de6

    • SHA1

      ba018b2d08a84d2e411b27e314cb8a23a06865f8

    • SHA256

      0a65c977910ca28680d005dc6473013f3db66862b80fc54be76caaa774022bd1

    • SHA512

      720bb844157dddb335fd3660b32ee9bec30ae3853fe5b26d3194ea517481a9f6b265b977e5d8bbbc92316f7ed9d173380192d93ab3b4fe2521d26462798c05b8

    • SSDEEP

      12288:9MrBy90lDtGyHT69dmXPVxG0IYjxSkZiUnt6YdipFOj47Ec0yWLcp6pSa8YmZ41:kyQtGyHh9xV5QFpQj4T0HLc5NtO

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6

    • Size

      390KB

    • MD5

      2b277cdb588cc9fb0f2256f45147e890

    • SHA1

      ce9bba3d9d6d9ebeaab7419a9fd6706e2368725e

    • SHA256

      0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6

    • SHA512

      1613e946430e79a02de882f55490d2a0e7333d81483555972353ba607861296409cc0be202842edd08378741ad87a93c08ed71a05ffac15d5c75f9a94c5485a8

    • SSDEEP

      12288:FMrYy90N5WijQtbLnsq7zKtM6zMJB4RyAJ:FyC5VwHsq7zCe34RyAJ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      131675744e12e01eb73fd34a82dd03d2d5ab80bd88b854836a13d0065e536c29

    • Size

      1.1MB

    • MD5

      cdbe20f934581f5c98cf64bba69e40c7

    • SHA1

      4952ea7971e0cf5e9e9db73003b789af8df9c9b2

    • SHA256

      131675744e12e01eb73fd34a82dd03d2d5ab80bd88b854836a13d0065e536c29

    • SHA512

      5da129aace6efdeacffb11f38ad3aaffa9737dd6617c0968f1db6b95e149e380fad2418dad7584c033d4827519609841e1837009a1b00a31136895631b861360

    • SSDEEP

      12288:TMrzy90lhQNUVdkipE9ZCoTsNl/lewqlgMVyaOZW/ybxUfAoAp3LlrGvP8cemBD4:MyA1CKoTsPleJdmOwxaWZtSBCYg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01

    • Size

      514KB

    • MD5

      2ad41d644161496d089d17fdd8d829ed

    • SHA1

      5353f2219c0942b87a463658c7c57e4eb717e14c

    • SHA256

      136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01

    • SHA512

      ffba38e48ac854b9677aa86b54f40ae2e32854f441b7384eab914370c621fb2e25d30879adf86891c2ac9bf20caa3f17e777bda26d395cff2788f5dea8ff14d3

    • SSDEEP

      6144:KMy+bnr+pp0yN90QE3F0y6b9bDenEqXctZ2x1vdHsTdkuzy6lZOTbp84K/F+Gvln:8Mrxy905F0DBb8MsiqRu418yG6BGj0S

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092

    • Size

      1.0MB

    • MD5

      2a7b1612e39c878b57a90f1ba48107f4

    • SHA1

      51068a24348c3b407040ac2ff89880ee0d288175

    • SHA256

      3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092

    • SHA512

      499bb38c777c8f2af14abff205ef997541a49521f6b873274d05d891486ac0a55144c4bb4ef99930b0bc4f36761235ba9fbf02d15859cd7dadf6ba0c05cfda14

    • SSDEEP

      24576:8ybG6hufBVZ66lWbl9hIPGYN/2/nxult1qKTs5E/yldbAfIL:rjQ3s0Wb1IPGYNUnxuZ9Ts5E/Kk

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      42aaf3452f3dbd3fec800b9307def7e1463e88016e6585d09719f8642ef8f491

    • Size

      389KB

    • MD5

      cdcecd3749891f697a0af96762cb9124

    • SHA1

      b31636aa34b1b3eeb7caefef82c37f2f093c6b64

    • SHA256

      42aaf3452f3dbd3fec800b9307def7e1463e88016e6585d09719f8642ef8f491

    • SHA512

      3e6576b30044df2139e96401cf30439229ca0dfc3f3df77d4fcad7aefb5f9ae2112df018e8fb655505d0ea79eee96ff2580aa148d60cd93fddc55255d37bd044

    • SSDEEP

      6144:KOy+bnr+3p0yN90QEHP8pAkeKHGqQ4ewNu043Hvyj6qxNnUvDrqmPB:eMrny90himqQXWMHG6qX+rx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7

    • Size

      315KB

    • MD5

      290b0115d137ba7f6f75557dea9a3418

    • SHA1

      4fd841d032858a7bc39d598eca329371bc48a118

    • SHA256

      51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7

    • SHA512

      b843b5beea655f803deb8473cb9ed4f06e0d99c46480dcce39d321b1bcb4b4dff4350bd7c41f6ca0f3eaae31e73e9351ec5de920eddfedc809f119effe362a34

    • SSDEEP

      6144:8A9pI60nbM8uPZy3+8KIDJgu+PchgHadTi7ZiEfXHS:H9+60nbnueg3cy6RFEPHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244

    • Size

      390KB

    • MD5

      29559e945f56a313b5e9264dd6ca7a3b

    • SHA1

      008abf8dd4f1da5ce1cac168e042ef8bcee54607

    • SHA256

      51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244

    • SHA512

      f2dd23e29d5ef28323a0b4741e6ab5c79deeba8dd27bc0565826700e87350ab5f74059e669be30f28054e2e52af57519193099abe75b56be2f65d7071542c14c

    • SSDEEP

      12288:TMroy90EgA20duD7uAomGFLqcHnl9movoHz:LyVgAy7uGGFL5Ha

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4

    • Size

      309KB

    • MD5

      cb6e6dd23036d3e9c3fd6fcc4e12690f

    • SHA1

      4a5ef41dca4f37163bec679914d69cf895069c51

    • SHA256

      565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4

    • SHA512

      cd8004da2fe9d31748171b180aab8d2d650f08ab57e8f08d748db120dbd10730a6ad2bba28618501cc1dad2f175084df0f44db0f0a002d9124832c8ae45031aa

    • SSDEEP

      6144:P6hm2uPpiUxyd2eVps3AzNsNkZ8+cxdj91FtG0UyfvVR7/I:Sm2uPpit6eNsN08+oz/FUy3VR7I

    • Score

      1/10

    • Target

      58f6935c15dbff1158f14839ec623027150c9807c5e1aeaaf3896d516c27be59

    • Size

      390KB

    • MD5

      28d3660c5b5ef787497ffb61b19f8e61

    • SHA1

      af3674bb9549c5af5b3a156aeb98f2b073b50dbb

    • SHA256

      58f6935c15dbff1158f14839ec623027150c9807c5e1aeaaf3896d516c27be59

    • SHA512

      f2132054b9f63b405c4a1c3cbbb693e391433b5f08d0b6671ea3e0ec1c558452a38f12863f5d58747efcc46117f184cdb26fd3dc8fbae7608b325f067d67c115

    • SSDEEP

      6144:KGy+bnr+Ap0yN90QErXGkWKjZN7QR5nPl1t7Oack6pfBNEmMXmoA:CMrcy90NmlrVMpNgXm1

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812

    • Size

      389KB

    • MD5

      29dfe0bcbc16089e569919b85c5a7790

    • SHA1

      0a2e017700ed6019d90506d0f309795934f216b2

    • SHA256

      660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812

    • SHA512

      8579f6677026e6db6e96d7e71f214913eaa333efbe61f988419a8ead7f3a76de641fd6bb4ed908acfff80bee63d72386cd3fa44ebe9a7d9c3975fadd8fac4576

    • SSDEEP

      6144:K/y+bnr+np0yN90QENy5RPekKFyJzuw6UyecP8KoaH7dmktY0gBZ+t4+Dsu007cb:xMrDy906RPeTyJByecuiZK0gBYC+4VZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8

    • Size

      863KB

    • MD5

      2a6e1fb8b08aaa808c7fb58476b6e43a

    • SHA1

      7ad750caf7fae9d5a84a40ceaa6b717687c8f8c0

    • SHA256

      6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8

    • SHA512

      e1ebc658f348be796144da8d64139e1736e028448e15e922663202fbb9234ae5eff82fe5323cd3b0b192f238eaa4dcbe91364fe0a46385726f91ec0afc892db8

    • SSDEEP

      24576:zybHwr+znBAxCLaz/qplMPNYrlWCn+QCh2:GbQr+jBQL+M2R+Qq

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef

    • Size

      389KB

    • MD5

      2a5fee3aeb178d6f9d0ad8da6752ed62

    • SHA1

      abca698074e3b9b736a667d16876d0d6962d3f94

    • SHA256

      7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef

    • SHA512

      12be27e3e7a4960cf33ad6ee696ab0b7a15c40e02420e1da54d310d3ac75e02755ade67c86a658a3c0e41399d98ccdd34a28b17581dfd1bdb58a143bc4649a5c

    • SSDEEP

      6144:K1y+bnr+cp0yN90QEurtXOTTx4fEcn5ohF38TkpAfrFcnfdyWv9:zMrAy900rtX814f3ovm0AfrFiv9

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94

    • Size

      389KB

    • MD5

      2ade2eca7ef3588a241faa5eb9c4edc5

    • SHA1

      0cb3f7a34bbd6fc353cf75997ca96974255f6243

    • SHA256

      80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94

    • SHA512

      6a180e614bebf77a83ab8efeaec6ac20d4b7ceef19b01610b8f19f325e5fe37c5cdea4a88d858bfee0e7d5574da41867d738d2b0b526830e73e5ff8c2693991a

    • SSDEEP

      12288:0Mrpy90UHPXysVcfTOgBYCNLVbx2oXQSvd:tybv1G7NzHVESvd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d

    • Size

      390KB

    • MD5

      29f49a573cb9d9eefa26b783575a7833

    • SHA1

      39eca76bc506027b137c37b95465789b1f63889c

    • SHA256

      85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d

    • SHA512

      ccc26765e258526db126fb0a0a724226895f587cc8d0bd7b2200f2767374d8b513f9229a7ba81e96abf5ac4653cbcfcad500f16127f68b160e048a2578795946

    • SSDEEP

      6144:KZy+bnr+Vp0yN90QEIbPyhWbmhXtqYnlkff2MDV2m7qbOvvRxsh68j:PMrJy90ZFhkYnlk2MDVvUh6w

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

    • Size

      828KB

    • MD5

      2a32d9865596340119086b9e9d7407d7

    • SHA1

      cd4daf419b213c6a34241bb7a791f2b59f4d80d8

    • SHA256

      bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

    • SHA512

      2bcd417c9bc9e1cd1fb0a63dc62fa1599b78f7ea6b3205f2b6c9b5b9f805183b80318fd0f9ff4dd3ca8b55dfafab6cfd8300c638c97e22269904362434e001b8

    • SSDEEP

      24576:9y4zSdEWEkPt03UTE04CiNCAFab9dmcZgf:Y4OEW2rCiUAYJn

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • Size

      514KB

    • MD5

      2993a209322f7d93406fd78632f4a545

    • SHA1

      e141503a5dc185ee91e131b8404ee5f563ff1cd1

    • SHA256

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • SHA512

      cb8d9e79b3ed4ba5711cd8933590ce1dd9e349f7a399c38650a1b3611c4a50a415f0b7de91701f3e77e8297d38bb433fc7fb3d53cfd1e46e76f99772aeabfc3b

    • SSDEEP

      12288:cMrzy90i9beiGTgODcYq3pB/npmVb66azq:vy/bhGT5Pq3Lhm/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439

    • Size

      315KB

    • MD5

      cdff25efc7f7e69dc426b36f31b873ed

    • SHA1

      339a84e0af5d6442c2b11eea5f802635cbc0c776

    • SHA256

      d9d3f90c8cee71d17c70e5d1c7d465726e06b1c7cb5b617fd47d203403a1e439

    • SHA512

      f1ca99cbe6e504d5e695ccb31dafc3b8b4e01faaed77d3058163011add4a47159ba4629e98b422145cefbea0dc07216e5c36837545911f800378f636bf700fa3

    • SSDEEP

      6144:aH9pI60nbM8uPZy3+8KIDwZuNVXSZmn3qPOYTn/MHBXHS:e9+60nbnujZaMY6pjGHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral2

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral3

healer redline kira dropper evasion infostealer persistence trojan
Score
10/10

behavioral4

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral5

amadey healer redline naher dropper evasion infostealer persistence trojan
Score
10/10

behavioral6

amadey healer redline smokeloader krast backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral7

healer redline masha dropper evasion infostealer persistence trojan
Score
10/10

behavioral8

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral9

Score
3/10

behavioral10

redline 7001210066 discovery infostealer
Score
10/10

behavioral11

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral15

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral16

healer redline kira dropper evasion infostealer persistence trojan
Score
10/10

behavioral17

healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral18

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral19

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral20

healer redline crazy muha dropper evasion infostealer persistence trojan
Score
10/10

behavioral21

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral22

Score
3/10

behavioral23

redline 7001210066 discovery infostealer
Score
10/10