General

  • Target

    r1.zip

  • Size

    12.6MB

  • Sample

    240509-wzn1magb2t

  • MD5

    60c2b38730a06227df058699de96abe8

  • SHA1

    4660587615daa86f615e56992c4df296437a1137

  • SHA256

    f6a395732f5dfe45c1b53e1a544f31826d5f310499de2170e9064ac9605a913e

  • SHA512

    ec733239a019533b50ea162d013815e6d3e2333ec588a0f5215a3a7d0ddcecae89b77325d9c29d8289a781a8800c2ab33674d92592d621c541eab4cabf85c749

  • SSDEEP

    393216:6jK4oly4Tt9kDp2g/gYsjyqriZ/5K/yqxTUzEM:6jCXTQp/LsjyqrU/58nYwM

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Targets

    • Target

      03cef1108b01e5304207d3fb3a53f024ec18e0178c6dc16454723a9c7852ab25

    • Size

      514KB

    • MD5

      21d5e26d80e17d90723eafe2e81f0380

    • SHA1

      8cf32bcc5746e7097e8457cb8072e6af5c3cc078

    • SHA256

      03cef1108b01e5304207d3fb3a53f024ec18e0178c6dc16454723a9c7852ab25

    • SHA512

      265217e57e46b8e9df248deda746bb21b96a1a07b5feb70f5b117c3495f106fabc1e68db9f79097532065a4f6466eee397b8f7062f9d6b452e7395394371822c

    • SSDEEP

      12288:UMrvy90+M2xY8uiV4qLx52eJe9d/Z3Of0c:TysoVp3zov/Z3Of3

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b

    • Size

      1.0MB

    • MD5

      22b5f7bbf08fd60f2ee850f51efede9e

    • SHA1

      9ad6d7fdfda1459be16d4e59547a0d933f7c9551

    • SHA256

      062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b

    • SHA512

      6fcb688dd391ed951fef4cd75c8935f65dde1f99658eb8b3438f40837050eb77cdd5425b0325c0b4df069a8dc83bc9ae53d464612f76ebb4914f222f22272744

    • SSDEEP

      24576:XypmCQ2FZ4/Ldo7RGJawprnjhmJcVGTEq:ivFsLdQRIrjYc7

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1c0cc29edf3fda05ac6cd12ee7acdaf9ca6233c60ef212f53b42d088f670c7ac

    • Size

      390KB

    • MD5

      232287f5d562489800292f58e7147c69

    • SHA1

      6b9b9011bd9a0580c06a3777ca9b55fe2795ca43

    • SHA256

      1c0cc29edf3fda05ac6cd12ee7acdaf9ca6233c60ef212f53b42d088f670c7ac

    • SHA512

      514849f08ef74213c0a9950145b9fa8564028d189d03588fdf023f21da03555a09a910d46ae89561628e556bc64dc02467bb8dfc4b303affb071f30847ab4b15

    • SSDEEP

      6144:Kxy+bnr+ap0yN90QEpKP4ky5OqsVrV8q/9uYF0JwNampLy4dom+/2YLxSjr:LMrWy90ziVrV8qP0JcXpv42aUjr

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1c46e1db345610fe8ef6a2fe37c7407b77ab614fd47b00a74971f892275e38f7

    • Size

      514KB

    • MD5

      2245adfded81f5615b3656bb86678766

    • SHA1

      5a564c26741b1918ee9614d3a032e5fbaa4831c0

    • SHA256

      1c46e1db345610fe8ef6a2fe37c7407b77ab614fd47b00a74971f892275e38f7

    • SHA512

      74d29b952864b9596037cdaac4e5e8f4435521082aeed7178051e3ef12f07ac23489e2c93b5db259707d11cb07b0a6b74e979ec41ed875d1bedbbbdc1ecbd28d

    • SSDEEP

      12288:HMr7y903dIEV7W7qQAKEh+1mehzeG0XIBJny4:cy+IEVSzrEg1mq+gp

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384

    • Size

      1.5MB

    • MD5

      22911db4f8ba085ab5a96d55b39857a1

    • SHA1

      d583bce9bfe82d3b8c69f182fc854c305f99657a

    • SHA256

      20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384

    • SHA512

      38d972095a46d503281eb0eb94c9b1d447021f2778086633f43a28a28600c0edc148065eb31f1b4ba841ea87e8db74863ec80444013cfb1a6c466a0c1cd4969b

    • SSDEEP

      24576:QyTuRq2rq3dv5GDA3BhnPJbCI1ej1a6LJg6fTvKBNdY88bSHv9kQFIyt:XTu5gGDAR1PFz12aau6fTvKljzP99Iy

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8

    • Size

      857KB

    • MD5

      237c39297542fa123e7be74d1eaae4e8

    • SHA1

      e4473b2e8bb53b9fc2b0f7e9c4e31721fcb9f0a9

    • SHA256

      28627b333375a37a072336a76d858a5b0758fe2abe01c16f17f6acfab4c573c8

    • SHA512

      a16b6f0ea0e24b4f5898ceaf363599d682d4ad38e4b1f67dbf13d1a2272a49b2d042362816fccde43de295f7354e0c1b62c0e7b9f7c1a378c3431fc4145f5a13

    • SSDEEP

      24576:lyJLHvLRaQFKWeHcPlaBbI29NLrunu79Tf:AJFKWG2cI29NnuCl

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      437213eb4b67386b44ee8203e45489fe45f788fa215cc4f60982184a2231a6b5

    • Size

      390KB

    • MD5

      23e7870a4f54dc6fc956afc6759af6c9

    • SHA1

      5d27746771ffca43b616dc354411cc1095c4c614

    • SHA256

      437213eb4b67386b44ee8203e45489fe45f788fa215cc4f60982184a2231a6b5

    • SHA512

      fefd9eb34cd8bf6916c6cf1e3ab22b4e691fac02a0bd147f5f0c981f56e5df5b7fe377d1ca9ec184f1617192705f2827c884118d83621f878ef20cea455babb1

    • SSDEEP

      6144:KVy+bnr+yp0yN90QEXDMl237e/srokwdpCUVrebbPg4g+AVmCN6bD4GbpDYHoArv:jMrWy90V0Ge/2wdEwn4DAqbVYIArv

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      54a19d5a7a4bbca3496b0edc5d80a240350e944513622d242341964e048d96d8

    • Size

      390KB

    • MD5

      279d33c6bc3c597a48c6625ba1fdefd8

    • SHA1

      0a1d3a2795b88a0071665bb3e9d0f48c0f0ed3a5

    • SHA256

      54a19d5a7a4bbca3496b0edc5d80a240350e944513622d242341964e048d96d8

    • SHA512

      d955c19fa86a344139dcd316674b752e34eafe34e80a68160abf98b7c1e165f487ea819cc6c85d47234703540169b6e0bc59346e8baa1f516b23c81ea8ea5878

    • SSDEEP

      6144:KZy+bnr+Ep0yN90QEJvmjdAmWMjgJZqWh93SUE/LUa1zmAX0TbUf/sduk:XMrsy90nmjdAmVjgDv3SUyDCYfcz

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6407653fb96eb144397cd5292be81f74ffb0eb8949a8d73e1a21ee3c9e85f97c

    • Size

      921KB

    • MD5

      23035d801b41b05a6f6df0913478eb81

    • SHA1

      c00c74a50b7d973b64d70b10c8793dc0989d8f13

    • SHA256

      6407653fb96eb144397cd5292be81f74ffb0eb8949a8d73e1a21ee3c9e85f97c

    • SHA512

      82eba7b6998d46c337d4d731b8e81d9db3dc3193ed218d7c577c3d22928b22d8d25a3bdb714e6c472e6ac2a6f38d67ff906ccb707a0db37f3dab11c8ff7af66d

    • SSDEEP

      24576:Byve36Qov9lp/uRuA+QUdJFGmdbXVaI8Ui:0veKQU9DujUvFNbFNj

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6dd993cadea9e368a14c0ab840b0e2d0dd3ca3d699734998da4237aed7f2354e

    • Size

      390KB

    • MD5

      26876f4a5c21fe2a876e64ae3b9045e9

    • SHA1

      e59a29178e77d2d1b3c2bc30361734bd30c66bad

    • SHA256

      6dd993cadea9e368a14c0ab840b0e2d0dd3ca3d699734998da4237aed7f2354e

    • SHA512

      830e3c58d2040582c40847e0229bf29bf540ac5558d05c7e24dff8b5b07e82007f6824ca370b009806451a0db86895775c3575dd32e60dbee5f0e2bfdfa5d73a

    • SSDEEP

      12288:/MrVy90Eq1lOrOvngS/o3QSoEOOBmMvv/:OyZOvDo3ovY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f

    • Size

      515KB

    • MD5

      2154ece6d371bfbe7b76969405904f7e

    • SHA1

      39f7c2f9abe69a8dc9b42853d10e330b93c9858d

    • SHA256

      764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f

    • SHA512

      da64833b8c9a80598631242e5649164230f586d26e6171af7fac767496319a2e7147df082f7294a7faeb6e97843c03f4031ebfac1244ffab3804102e293a857f

    • SSDEEP

      12288:ZMr7y90W5WJa5xOzgYAkrlzdEEcjXAyEc6hoMzR3VFKTv2h:uyfxOpRzKEOAyEphtzhrKTg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      9c51d813e0b6dfff0694c63e6d13665bb46ddf09cedb2159d701913f09142374

    • Size

      1.2MB

    • MD5

      2147c11ffa13334a34f408d09dcf41c0

    • SHA1

      a8d54ee44c76e334ed711da869eabbb138edc075

    • SHA256

      9c51d813e0b6dfff0694c63e6d13665bb46ddf09cedb2159d701913f09142374

    • SHA512

      491312f8f9c40fc85b5ec96b1c35515e401c61c42c126ec4d9ea44a01cb2e555b4c653fa5f4add5303ae28f1d11a02d301f850af8125e0803fc8c6abbe1223d3

    • SSDEEP

      24576:aFbBVjq4OlBp29oNIn8iagVCU8ubYEobt2j:ax8lBp29oNMYuwtc

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of SetThreadContext

    • Target

      b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017

    • Size

      235KB

    • MD5

      2180205f8ead587dd56762145e7f784f

    • SHA1

      401ccddf09243f26c09e7c8b2d8bb49552835010

    • SHA256

      b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017

    • SHA512

      138b9393f587ff03c898e001f3d0c7d12a480dfeed417c6c7c22ff3dbd319a68e8ec977e0c0fcd951e3a18676f3ba0e127bc5adc3b69fe0f7bf43182a4fbb32a

    • SSDEEP

      6144:KOy+bnr+Vp0yN90QEchQmyJXNcrGFySYCcHnlRHw7:aMrBy90mC+rGYYcHnl90

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9

    • Size

      1.2MB

    • MD5

      23f4a44c0cc77486d90c2b5d3db5dfd7

    • SHA1

      7c42f90496bc5d268c92f2c07846c32b7f7513f8

    • SHA256

      bc2ed7f9261c39ac6c835adcdf9ff7f4b70696ce459a50a2645194f5597507f9

    • SHA512

      f4dc5891381f139f01e073b20d0c2c311633eba3cf92b045a739413083a17934f1201b56a48a444325e26b5827077a6ca79bc8aa7a7b3f7fb4e3c855fc222527

    • SSDEEP

      24576:My3sw5khZLecoTZ5TlNzhW4hXNcWCz4YPrwk3iRkrIoDb9nBziioUiDfy:7YhZmTTTlBMmXWt4C1kyhQ37

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5

    • Size

      390KB

    • MD5

      27244e5f630cfab1b514ce4d15b1028b

    • SHA1

      36c5eed78b2ce9e253c2e176e6d6ae6a8ab849b3

    • SHA256

      c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5

    • SHA512

      2cdcfee74150bcd5e656009d0b701b8b972a8844f3b4fe48708aea1d7883c92286ed0368a6b24efa0902ea2c99dbe97a48a06ddccd69543cd6835f4023b3a7c5

    • SSDEEP

      6144:K6y+bnr+rp0yN90QEO8EikWGjZNJkp7w8ZWj9jJAVmAAhKAU4u:mMrjy90FEMvWj9jJrhKAu

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cf90d774faa53f828a5c0c7fd9b7693ab9e6a5b59349863524aae5284b993f01

    • Size

      390KB

    • MD5

      23ce47783e241446f6c0ec7e33d8e709

    • SHA1

      866efc7de0880429d9ea6ba5d691401e0005e3b7

    • SHA256

      cf90d774faa53f828a5c0c7fd9b7693ab9e6a5b59349863524aae5284b993f01

    • SHA512

      b59e08b4ecd06c760819e348a6234c5eb94b4bed22c8053b1fd1f216ccb56249e4fb0c5ce6d4f2a149a616c0d063b6c05f8d8651f707eb0604972569053a2a38

    • SSDEEP

      12288:tMrMy90bKGAGuZhqDSqJCo1zBxA1PSezdo0rrk:ZymyhqDkif4S+oF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e65fa291263fc43fdfd3ce7a071b11f1ea2a2f55c02321bfd476a1d4c33e7bd8

    • Size

      1.7MB

    • MD5

      23a30eea537944585019e0227cf6ce12

    • SHA1

      5a1c4526a3fda1e2367e48d5a67e3f259c357501

    • SHA256

      e65fa291263fc43fdfd3ce7a071b11f1ea2a2f55c02321bfd476a1d4c33e7bd8

    • SHA512

      5052e8c1881a454e227a06f72e378676e4542cf6bf6ed8bc545e178aad9b92d166b5a02d5d0744dbec9591e6e7f887868a2bf9594718cc91c767c443be5e817e

    • SSDEEP

      49152:lIuk/VPr7CBoZMyhPa58jwlvh+n2m6ir9RLcf0:e5/p7ha5Ow1h+n2mppRLcf0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a

    • Size

      1.0MB

    • MD5

      250d1ecad815535932db86d951b6f70d

    • SHA1

      9d56851eda02a979043c33ec98883e2655bacc30

    • SHA256

      e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a

    • SHA512

      ede2fc99fe086f427355d95e2b4fad0289da828f3105c5c2b9b48a8aee213928299725b55d066df7ce2f3c139ecdf38ff418bf20ac36244678f0f0d0a7a05c65

    • SSDEEP

      24576:wyt+dYi+Bu0wW31dx/UEvzxRTkICQ/digppmVnXrBh:3tmYiN0t3VfB5VdpAV1

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c

    • Size

      390KB

    • MD5

      2115f838100aacbc3124baa1083c9d98

    • SHA1

      7eb9e1272fdcbc6deec8fbdc06d609c69a0a88fc

    • SHA256

      ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c

    • SHA512

      7a8645ad4437cfa1833f826b9ed83dc329ecf14ceed774d5aea2982f305ee3c89cb69f4a72e31e4d78bc8ecb70937198a732c36e5b0914cce9f42fcf18bfd8d2

    • SSDEEP

      6144:Kwy+bnr+Qp0yN90QEHQvEyqANvRS5KRQrw6kd7lmm39LBGGHlXve5oGvAe:wMr8y90QEyqANc6Qr5KAm9HFXaone

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef

    • Size

      359KB

    • MD5

      2787331b97e3aa4d3322ea6e057cdbde

    • SHA1

      63a7e7bc5543dd7d46541dcedc7c75137d347fe0

    • SHA256

      f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef

    • SHA512

      683f3aec82d00db1e691311a6e770a7ce828bb64cd1672261e9454d50580c7957d76f31b173b74f7fc1a14359b328970470b3002a74b09997f276503b5692bff

    • SSDEEP

      6144:Key+bnr+Ip0yN90QETAAaLHM+RkWt7ZNm8gbAm6NzpjsRsyDDK16sP4/7lw4t:2Mr8y90tAAao+ObAmmZsWyK1b4/7Ge

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral2

healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral3

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral4

amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral5

mystic, redline, gigant, infostealer, persistence, stealer
Score
10/10

behavioral6

redline, kira, infostealer, persistence
Score
10/10

behavioral7

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral8

amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral9

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral10

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral11

amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral12

Score
3/10

behavioral13

lumma, stealer
Score
10/10

behavioral14

amadey, healer, dropper, evasion, persistence, trojan
Score
10/10

behavioral15

healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral16

amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral17

amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral18

amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan
Score
10/10

behavioral19

healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral20

amadey, healer, redline, roma, dropper, evasion, infostealer, persistence, trojan
Score
10/10

behavioral21

amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan
Score
10/10