General

  • Target

    0ff9bc0436d6052b24d3174a3e4aeb590fa03a5b78a09d0b6a5a4084006891e2

  • Size

    8.8MB

  • Sample

    240510-pnty6sed2w

  • MD5

    7852e65b4474575ef29f2acb78f18923

  • SHA1

    4c63144d957d0f3391d9dfc494fb16f3c86d6fec

  • SHA256

    0ff9bc0436d6052b24d3174a3e4aeb590fa03a5b78a09d0b6a5a4084006891e2

  • SHA512

    e5946818af1c0898567277916f75a38bc3768907fd753f11feedcdc40aa11194dea2ec1299665510cc4f636c52d12f9633a8841a877001bda163dfcd8929aca4

  • SSDEEP

    196608:Ij5FQIhoAgnTIVVpjUEAyPFSLG9dNKKNp5KMpibDfoq/5kGWktUc:Ij5FQWlUOSOd4KNpRsroojUc

Malware Config

Extracted
  Family: redline
  Botnet: lamp
  C2: 77.91.68.56:19071
  Attributes
    • auth_value: ee1df63bcdbe3de70f52810d94eaff7d

Extracted
  Family: redline
  Botnet: LogsDiller Cloud (TG: @logsdillabot)
  C2: 5.42.65.77:6541

Extracted
  Family: amadey
  Version: 3.86
  C2: http://77.91.68.61
  C2: http://5.42.92.67
  Attributes
    • install_dir: 925e7e99c5
    • install_file: pdates.exe
    • strings_key: ada76b8b0e1f6892ee93c20ab8946117
    • url_paths: /rock/index.php
  rc4.plain
  rc4.plain

Extracted
  Family: redline
  Botnet: krast
  C2: 77.91.68.68:19071
  Attributes
    • auth_value: 9059ea331e4599de3746df73ccb24514

Extracted
  Family: redline
  Botnet: lande
  C2: 77.91.124.84:19071
  Attributes
    • auth_value: 9fa41701c47df37786234f3373f21208

Extracted
  Family: redline
  Botnet: nasa
  C2: 77.91.68.68:19071
  Attributes
    • auth_value: 6da71218d8a9738ea3a9a78b5677589b

Extracted
  Family: redline
  Botnet: mihan
  C2: 217.196.96.101:4132
  Attributes
    • auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted
  Family: redline
  Botnet: papik
  C2: 77.91.124.156:19071
  Attributes
    • auth_value: 325a615d8be5db8e2f7a4c2448fdac3a

Extracted
  Family: amadey
  Version: 3.85
  C2: http://77.91.68.3
  Attributes
    • install_dir: 3ec1f323b5
    • install_file: danke.exe
    • strings_key: 827021be90f1e85ab27949ea7e9347e8
    • url_paths: /home/love/index.php
  rc4.plain

Extracted
  Family: redline
  Botnet: news
  C2: 77.91.68.68:19071
  Attributes
    • auth_value: 99ba2ffe8d72ebe9fdc7e758c94db148

Extracted
  Family: redline
  Botnet: 5637482599
  C2: https://pastebin.com/raw/NgsUAPya

Extracted
  Family: redline
  Botnet: 1366220748
  C2: https://pastebin.com/raw/NgsUAPya

Extracted
  Family: redline
  Botnet: welos
  C2: 77.91.124.156:19071
  Attributes
    • auth_value: 9605367dc0a1f64eb2f71769fb518fcf

Targets

    • Target

      1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be

    • Size

      923KB

    • MD5

      15a66b0dbcfb940814f615e4ee68aba4

    • SHA1

      176b68418045780c00cfd3d7d80bfbfbfc5d5c06

    • SHA256

      1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be

    • SHA512

      567bb1ceafb234ae79165a19f029455b169fb1fdd09ef2117194e1b7445ded3f790c7dd677e1ec9dda5e87b8ec80e03f948c1a182a88af23667aa937136e5490

    • SSDEEP

      24576:AyTpevOGPbwWB1yeCa0va2vLKpWF8XggzXjeMsP0upbt:H1TGPbceC7mpteM8pb

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368

    • Size

      515KB

    • MD5

      11c22c7a24b8f0576c3470af1561a6e9

    • SHA1

      47ba63be9cdf137c5356465791cca7e8d26048f9

    • SHA256

      2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368

    • SHA512

      acef19e6e351f779b034509e7eeff3eedebae468702c75c6b3a6c844b9024c84dffd25e768a8214df451fb33d094f979ad458bd0ad80d1a25bc312338b4d071e

    • SSDEEP

      12288:AMrpy90pbhdTlggxZzkUrC7pfy4NHWisj53QEEXOsM0:ZyGzlgrUGPWjhQR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48

    • Size

      188KB

    • MD5

      137f89538b18fec4e18561f3c0074666

    • SHA1

      05285ca1589e7eb544b78319c5a6bf2ad8093bf5

    • SHA256

      25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48

    • SHA512

      dac288d4c46586147800406f74a1e6cc3263c86a7ace1c62ed58277fe68b601a20c2a7783ffb2bda19899138b827f33c4005155b8fd32b58f46f3fbc3bc6a0d1

    • SSDEEP

      3072:zF0Z64zJQzbb/Qt0Vf3I/jGRf8pdXyprmw4USCkHdSzw0WQEEhmwfdxTI6Exfx:zyZJzezbkef8pdCdmNUSZHWeEhmwfdxe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      3931c3ca01cc35353f3a071c6ef787511253396b8e24e12cdf7dbbe451ac80c1

    • Size

      769KB

    • MD5

      173ce39c7f3c5a40e98f2dba7b2bd47e

    • SHA1

      5565bb09baf037dfc79a68eb6a74d05dadbbac92

    • SHA256

      3931c3ca01cc35353f3a071c6ef787511253396b8e24e12cdf7dbbe451ac80c1

    • SHA512

      5fa0ba08f4dee61fa64836a6738e35a24e89fbd68accaeb93f78e2016ec33319d3d487531c60bf0327ef1da78183f5a43c5dca2ce91195cc24ff49a33d923cbe

    • SSDEEP

      12288:XMr8y906F6kccByXDZiyDAHQec61kznMvAb5bWCAS7zYXaOwa:zyRFsDUyDkXIMcB1ASHYXqa

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e

    • Size

      390KB

    • MD5

      1602d64d0a81f84e8fbf24150b9e5cc6

    • SHA1

      ec4e0320a3700cacb7f21891710c7bc83b2f9ae5

    • SHA256

      611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e

    • SHA512

      a9301d045d511c9a63c086feb19d2cd749b64039c409832018648b7c0408b4d81fac1a4770101936a0277b240ee6e7bdc5ab8b9faa0be615a17bf0a256f74abb

    • SSDEEP

      6144:KRy+bnr+Jp0yN90QEda+mxeyHanMZ+gpv9LBQIhcgBZ+t4ED2RcbuvhPcfY1UT:fMrVy90VmAy6nST3LBQIGgBYCEarZsR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974

    • Size

      680KB

    • MD5

      15c6e3a281fa49b0888ba712bdcf5d2d

    • SHA1

      215c908f8d6cea84000eb0e217088146a89e1be7

    • SHA256

      61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974

    • SHA512

      e42aae85487285410c2df8fc02941556cab4528aec809f2467c13de83ca8e6cbcdd6a24b34214c4fac674dc16a08fefdef64814feebac1b51553c9fbd253fde4

    • SSDEEP

      12288:UMrty900Sjwa4O2Nx174H8O9yWGxVeO+/n24gzqzC0W3PJyW:hyewOmxxyYWGXFI24g2zC0+R

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed

    • Size

      390KB

    • MD5

      11154b27576c4246f2e8eb83278bc984

    • SHA1

      83b173354ca803be9f5fdf756544b600dc3fb825

    • SHA256

      6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed

    • SHA512

      7451cbe817cb1e6482209b82c13db65be7a1933f1cba91d279fb6bc69821b3b7447f28ec179cfcff923abf1266b1808bdf8d2d0012c5de4d5412dfa9258d1786

    • SSDEEP

      6144:KNy+bnr+Sp0yN90QEhBDbF8ftda/5ONdFSA/rtWX3X0ijvDrJMFWDsC8:zMrey90dDhywwMADkH9pMF1C8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce

    • Size

      527KB

    • MD5

      144e3fc197d288b006018a06681636eb

    • SHA1

      82bc88c1799ade03d1dcecb8b13653c0aa90f475

    • SHA256

      75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce

    • SHA512

      def371308bbde6c659c4b72a5d144bb9149931ec985ae2ccfe68cbb7acc6d15446cb917e4799908dfa4b65dae77a01980c5f52e6f80a3d39586039827d03cb40

    • SSDEEP

      12288:vJYO+vkfgJbreygSCTUPAKRccEedsTm0eynOpWcDMvH0Xp:vJYmfgdRwedsTTPnfcDMvU

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea

    • Size

      390KB

    • MD5

      118c662f820166afa9227a295d5e2cc2

    • SHA1

      a2b6493129c6fa84aa662e694cdaee7685aa51b3

    • SHA256

      7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea

    • SHA512

      cddcd80647224fd43dfb4c2cf76675c9fe5b4cce16947cc45b638e07fa4fea9c31d9c1fc488a07840880f61a559f24d307243b4cc1113e1b82c7a68efcb52666

    • SSDEEP

      12288:HMr+y90/RJg07IvDFwhm5YY2sRO/vUCA:5y4OVvnL2sk3UCA

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce

    • Size

      390KB

    • MD5

      11baa1b7efc317dced301ee22d864dc8

    • SHA1

      1e1fdb8796ff4ecf41d61973f20484ca2bdd97f2

    • SHA256

      7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce

    • SHA512

      af00cd09654d001b8ffffbdd673bfce35c800ec96acfe849b89dfca7d83b4aaeaf79ac91783684b216c1341ca2e510120fd6042a5329d239dce40e9cf006f49f

    • SSDEEP

      12288:KMrIy90ROSK9OUDX81nBWW3U0qgRYYGlcVg:GyCiOEs9brweg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171

    • Size

      769KB

    • MD5

      1256f708f701022984164fbee3ae9434

    • SHA1

      4c7032f4aea509e7dab6d37602c79e2478611936

    • SHA256

      8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171

    • SHA512

      0b045b632fb716c67ceacf43bed145e119f540ebcf1b427a78f84ea6055377643ee0919f8cbad7ffd034afb2f444a9eda5f6ae127ffce89be0a774e170510917

    • SSDEEP

      12288:8Mrsy90bwIM4l9soPBH8D0eRmQWnFQ3oas8VuA0Nb7+yZQvMou61+T:gyqZKcHM0ZnGYaxUA0Nbi+QkB61+T

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3

    • Size

      390KB

    • MD5

      148b6fe5b9664b83b4638511e86c6c5d

    • SHA1

      2ed10943376474af81580c75911d18644060d893

    • SHA256

      9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3

    • SHA512

      6025b79dcb7b5219b2981673fce6555cb2bf7575dbe3df2cb1ede8b3d1d7031b3b54bc7b209f758c005915c84b805872ca9e7b2adcb5bffae316426d1f0c8b05

    • SSDEEP

      6144:Kzy+bnr+Jp0yN90QERX4tm0kXjd0hkWWnZNuj++5LxpD3RsN+UBr5hPy11+GHHLo:ZMrJy90jow0e09++9xxBssUdnP+HHs

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f

    • Size

      389KB

    • MD5

      12f3bbee6e856924c7409555272d08f6

    • SHA1

      d3d1e4683056f11053fa888359ef50aa7bc3389c

    • SHA256

      b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f

    • SHA512

      67d3f742d4b926b1293910fced3a3887ef875d21a77797bf6e6c39e60a649e48c836f00a984447e5708f2c404d272be2cfca07d691991e561ec7a4d9a2e1fe91

    • SSDEEP

      6144:Kty+bnr+Yp0yN90QE/qCUXAU08Nad122iFyAjm6FftxVY2xmT1fNPch1saI:/Mrgy90/mAKgT2jyAjLpC2xs9NPpb

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b577c897b2be38c4bed293104f5424d9cc6213dcbf6ee85b26b1d55373ce3f2b

    • Size

      309KB

    • MD5

      14ba77399e2828379dffd3f017c28a2f

    • SHA1

      150695a6bf518f08f731d1d3868df837902ea221

    • SHA256

      b577c897b2be38c4bed293104f5424d9cc6213dcbf6ee85b26b1d55373ce3f2b

    • SHA512

      cf7358c702a76e53d07492cbd3de1398c0f963e00446550381d7343356bd7eb45ffcdc7b64bce1c63ff9e4b18bd35a0200ee4ed61d505a53dce8e2b7c23e3679

    • SSDEEP

      6144:KWy+bnr+Kp0yN90QEy5F5OYc1u31g4TByzVywI6CLxYhPxrnN:+MrSy90Mxc1u31TTEzVy76Mx2Pxp

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b

    • Size

      517KB

    • MD5

      16d385b1becdbc8e36f5d1d0fd57615f

    • SHA1

      fd744f498fdb587a65b48947c62f7e6e1cd6e2aa

    • SHA256

      ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b

    • SHA512

      d39ea9b235a5618061ade83805fbf0d14ce8462aa3e3ff47687df7632f357f46526b64681b17703d3fe508f0f8fc6e2a1b55c9dacee7f5dc8661fa2f4d7fb7eb

    • SSDEEP

      12288:uMrHy90dtJ2zSNyj+Tmq3mC9wH5/bCoeANWG:JyPZj+T9x9E5GY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb

    • Size

      389KB

    • MD5

      1609a44aaea41e6f7d2749f49a60a1af

    • SHA1

      bd745dd9d52800299333f09809c9caeab5ea42ec

    • SHA256

      ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb

    • SHA512

      3e0702c99f8610d92686884ad475e5ccd40781cc549f42b64ea467aa9eadb17938b4e39d0422f60c2c1982458640ac3bad6d35f782cc334587ffbd8dcb175218

    • SSDEEP

      12288:lMrxy90Auu38NGdG+riCgBYC+DTTjl6SZV:oyi9xzwTj0mV

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      be7c09289a731533f9a2ca91d21b2f010905c445c8710ce84ae829cfe48d3343

    • Size

      481KB

    • MD5

      16ef4643d37ade1e4b6a3bb489ca0934

    • SHA1

      233f5590be08f449ab3aac6e17c1f5a74020100b

    • SHA256

      be7c09289a731533f9a2ca91d21b2f010905c445c8710ce84ae829cfe48d3343

    • SHA512

      f03256d775c6e65e7c147baa2881a65f16946361651aa4f6d1aed11b1864f2d26362a1795f8f19401666772b606f90cde5843444a2c3991fda1853e9b0866f4b

    • SSDEEP

      12288:OMrzy906bFlK8mMsz5c1u31DTP0L0L3lMEbBQpKpklOv:Fy9zpsdX9T8LylMEbBQMmW

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe

    • Size

      390KB

    • MD5

      163816fafd3946cc9e0b0a56dbb544e0

    • SHA1

      a9306aaebf9e16c1e6d97130dcf711017894c10e

    • SHA256

      c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe

    • SHA512

      5c88643b23d96c41ec903e804077f9ec6e49cb54752a5c2b1a5476f284c43c859803bcd9cea53a9816752cc392a5b2dd16920f21c37ef5101b746f5cc80fea07

    • SSDEEP

      6144:KKy+bnr+kp0yN90QEU3oZDwSSJAvVcQlPRAbR4SHgUTyxrDumDiaobYNZTBCo9V9:2Mrcy90oe8Fk5ARkFrivbYrBCHPtEb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363

    • Size

      306KB

    • MD5

      12247e55e50ac27c0e204010cb8a6ff2

    • SHA1

      9bc069328ac9347cab83c6d6851635d81a2e830a

    • SHA256

      f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363

    • SHA512

      6eb1536f155bdf040497c4801dfde22d45ddc5ea0f9d6961369d4b89d2c4cd8611747cc4759a7f02320a8d2ade593f01b853ddacf623b9beee4dd28b2c5e814c

    • SSDEEP

      6144:47Zt9vSWh60RVAtljy11d4vOGvue6v5cltn32HxJyL98n:mZSWhHL4v7v53IzyL98n

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f

    • Size

      923KB

    • MD5

      14826c2b7764c3ae77eb12b79dd1aaf8

    • SHA1

      c46b126efed7e3f415170c28c72fe5728f9d3736

    • SHA256

      fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f

    • SHA512

      e6c8c0033d6dfe041cccc39706b792848dc616a558c4335a684b90b4699b741878e5bd6154091fcdc5edea5aa6182461cf77d8502570d757e8139dd923e34817

    • SSDEEP

      12288:FMrty90DTg0LJebSzCkCFAsbuJE0AR6N+nNuSXFdjlocBpRDPUYz+tEAF15+pqE7:QyshkYdCFduoNjrl5XBPUW+78qE/j

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID, and the count shown in the matrix.

Execution
  • Scheduled Task/Job (T1053): 8

Persistence
  • Create or Modify System Process (T1543): 15
  • Windows Service (T1543.003): 15
  • Boot or Logon Autostart Execution (T1547): 17
  • Registry Run Keys / Startup Folder (T1547.001): 17
  • Scheduled Task/Job (T1053): 8

Privilege Escalation
  • Create or Modify System Process (T1543): 15
  • Windows Service (T1543.003): 15
  • Boot or Logon Autostart Execution (T1547): 17
  • Registry Run Keys / Startup Folder (T1547.001): 17
  • Scheduled Task/Job (T1053): 8

Defense Evasion
  • Modify Registry (T1112): 48
  • Impair Defenses (T1562): 30
  • Disable or Modify Tools (T1562.001): 30
  • Subvert Trust Controls (T1553): 1
  • Install Root Certificate (T1553.004): 1

Credential Access
  • Unsecured Credentials (T1552): 6
  • Credentials In Files (T1552.001): 6

Discovery
  • Query Registry (T1012): 13
  • System Information Discovery (T1082): 21
  • Peripheral Device Discovery (T1120): 2

Collection
  • Data from Local System (T1005): 6

Command and Control
  • Web Service (T1102): 2

Tasks

static1
  Score: 3/10

behavioral1
  Tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral2
  Tags: amadey, healer, redline, smokeloader, news, backdoor, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral3
  Tags: redline, 1366220748, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral4
  Tags: redline, 1366220748, discovery, infostealer
  Score: 10/10

behavioral5
  Tags: redline, lamp, infostealer, persistence
  Score: 10/10

behavioral6
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral7
  Tags: amadey, healer, redline, smokeloader, welos, backdoor, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral8
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral9
  Score: 3/10

behavioral10
  Tags: redline, logsdiller cloud (tg: @logsdillabot), discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral11
  Tags: amadey, healer, dropper, evasion, persistence, trojan
  Score: 10/10

behavioral12
  Tags: amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral13
  Tags: redline, lamp, infostealer, persistence
  Score: 10/10

behavioral14
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral15
  Tags: healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral16
  Tags: healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral17
  Tags: amadey, healer, redline, papik, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral18
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral19
  Tags: healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral20
  Tags: amadey, healer, dropper, evasion, persistence, trojan
  Score: 10/10

behavioral21
  Score: 3/10

behavioral22
  Tags: redline, 5637482599, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral23
  Tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10