General

  • Target

    205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e

  • Size

    12.7MB

  • Sample

    240510-qf89kagd51

  • MD5

    71379bb448b24849e22e252ad252ebdb

  • SHA1

    8876742a774b784adb7ccec50d621299fe3e170f

  • SHA256

    205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e

  • SHA512

    801ab8a256e4b9522cfc0ae39b4deff3deaac867adc308d06851b4304736900160f9ae7796cf40aed3c8f47c2d54a5650adc43c60058dbf1a1c068e2984cffba

  • SSDEEP

    393216:rewl2tM/A2e29i13FwPxuvhG3Z9W2ZPYeqBtZQX2:rgtB2e29izwAGpc2Hat1

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain
  • 1

    006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

5345987420

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

muha

C2

83.97.73.129:19068

Attributes
  • auth_value

    3c237e5fecb41481b7af249e79828a46

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain
  • 1

    006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805
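
The Amadey and RedLine configs above give two kinds of C2: bare host:port endpoints and a pastebin raw URL used as a dead drop (compare the "Legitimate hosting services abused for malware hosting/C2" tag further down). The script below, an added example and not part of the sandbox report, turns those values into a lookup table and sweeps key=value proxy/firewall log lines for them. The log lines, source hosts and the destination IPs behind pastebin.com are constructed (TEST-NET ranges); only the IOC values come from this page. Note the handling of the shared host: over TLS without inspection you see only the SNI pastebin.com, which on its own is not evidence of anything, so the script requires the full /raw/ path before it reports that indicator.

```python
"""Turn the C2 indicators extracted above into a lookup set and sweep
proxy/firewall log lines for them.

Added example for this report, not sandbox output. The IOC values are the
ones listed on this page; the log lines and the destination IPs in them
(TEST-NET ranges) are constructed for the demo.
"""
from urllib.parse import urlsplit

# Extracted configs, as listed in the Malware Config section.
EXTRACTED = [
    {"family": "amadey", "c2": "http://77.91.68.61", "url_paths": ["/rock/index.php"]},
    {"family": "amadey", "c2": "http://77.91.68.3", "url_paths": ["/home/love/index.php"]},
    {"family": "redline", "botnet": "lande", "c2": "77.91.124.84:19071"},
    {"family": "redline", "botnet": "5345987420", "c2": "https://pastebin.com/raw/NgsUAPya"},
    {"family": "redline", "botnet": "krast", "c2": "77.91.68.68:19071"},
    {"family": "redline", "botnet": "nasa", "c2": "77.91.68.68:19071"},
    {"family": "redline", "botnet": "crazy", "c2": "83.97.73.129:19068"},
    {"family": "redline", "botnet": "muha", "c2": "83.97.73.129:19068"},
    {"family": "redline", "botnet": "mihan", "c2": "217.196.96.101:4132"},
    {"family": "redline", "botnet": "kira", "c2": "77.91.68.48:19071"},
    {"family": "redline", "botnet": "lamp", "c2": "77.91.68.56:19071"},
    {"family": "redline", "botnet": "masha", "c2": "77.91.68.48:19071"},
]

# Legitimate services used as dead drops: a host-only match is not an IOC,
# the full path must be seen (needs URL visibility / TLS inspection).
SHARED_HOSTS = {"pastebin.com"}


def normalize(entry):
    """Expand one extracted C2 string into (host, port, path) keys.
    path is None when any path on that host:port is interesting."""
    c2 = entry["c2"]
    if "://" in c2:
        u = urlsplit(c2)
        port = u.port or (443 if u.scheme == "https" else 80)
        # Amadey lists its gate path separately from the host.
        paths = entry.get("url_paths") or [u.path if u.path not in ("", "/") else None]
        return [(u.hostname, port, p) for p in paths]
    host, _, port = c2.rpartition(":")
    return [(host, int(port), None)]


def build_iocs(extracted=EXTRACTED):
    """Map (host, port, path) -> set of 'family' or 'family/botnet' labels."""
    iocs = {}
    for e in extracted:
        label = e["family"] + ("/" + e["botnet"] if "botnet" in e else "")
        for key in normalize(e):
            iocs.setdefault(key, set()).add(label)
    return iocs


def parse_line(line):
    """key=value log line -> dict (timestamp and other bare tokens are dropped)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def scan(lines, iocs=None):
    """Return one hit per log line that reaches a configured C2."""
    iocs = iocs if iocs is not None else build_iocs()
    hits = []
    for line in lines:
        f = parse_line(line)
        if "dst" not in f or "dport" not in f:
            continue
        dst, dport = f["dst"], int(f["dport"])
        host, path = dst, None
        if "url" in f:                      # proxy log with URL visibility
            u = urlsplit(f["url"])
            host, path = u.hostname or dst, u.path or "/"
        elif "sni" in f:                    # TLS: server name only, no path
            host = f["sni"]
        for (ihost, iport, ipath), labels in iocs.items():
            if iport != dport or ihost not in (host, dst):
                continue
            if ipath is not None and path == ipath:
                tier = "host+path"
            elif ihost in SHARED_HOSTS:
                continue                    # pastebin.com alone proves nothing
            else:
                tier = "host"
            hits.append({"src": f.get("src"), "host": ihost, "port": iport,
                         "path": path, "tier": tier, "labels": labels})
            break
    return hits


# Constructed proxy/firewall lines (not from the sandbox run).
SAMPLE_LOGS = [
    "2024-05-10T12:00:01Z src=10.0.0.5 dst=77.91.68.61 dport=80 method=POST url=http://77.91.68.61/rock/index.php",
    "2024-05-10T12:00:04Z src=10.0.0.7 dst=77.91.68.68 dport=19071",
    "2024-05-10T12:00:09Z src=10.0.0.9 dst=198.51.100.20 dport=443 method=GET url=https://pastebin.com/raw/NgsUAPya",
    "2024-05-10T12:00:11Z src=10.0.0.9 dst=198.51.100.20 dport=443 sni=pastebin.com",
    "2024-05-10T12:00:15Z src=10.0.0.9 dst=203.0.113.5 dport=443 sni=www.example.com",
    "2024-05-10T12:00:20Z src=10.0.0.5 dst=77.91.68.61 dport=80 method=GET url=http://77.91.68.61/other.php",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h['src']} -> {h['host']}:{h['port']} {h['path'] or ''} [{h['tier']}] {sorted(h['labels'])}")
```

Two C2 entries share an endpoint (krast and nasa on 77.91.68.68:19071; crazy and muha on 83.97.73.129:19068; kira and masha on 77.91.68.48:19071), so a hit carries every botnet label for that endpoint rather than guessing one. The sixth sample line shows why the bare Amadey IP still rates a "host" tier hit even when the gate path differs: nothing legitimate should be talking to it on port 80.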

Targets

    • Target

      082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172

    • Size

      390KB

    • MD5

      2b4fcfb0f2ae522aa294a88b8c2b93cf

    • SHA1

      55641e78c33b0eada8f3dd92dd81089902bcc4ba

    • SHA256

      082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172

    • SHA512

      b3ebd6657abb087950de61eda914202f72f0c3e2984a4b47fe4d157f79d60418f72b0c9ace2fb3ded85def218ab024c858ca4ecc4a7415ad15b83812e547f9ce

    • SSDEEP

      6144:Kzy+bnr+np0yN90QEJAR3Z0skWcnZNbQR51uTrfrDMSxlP+mzNFe7gHa0O:xMrXy90XC3Z0Msrf0Sxp5Fe7gpO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6

    • Size

      390KB

    • MD5

      2b277cdb588cc9fb0f2256f45147e890

    • SHA1

      ce9bba3d9d6d9ebeaab7419a9fd6706e2368725e

    • SHA256

      0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6

    • SHA512

      1613e946430e79a02de882f55490d2a0e7333d81483555972353ba607861296409cc0be202842edd08378741ad87a93c08ed71a05ffac15d5c75f9a94c5485a8

    • SSDEEP

      12288:FMrYy90N5WijQtbLnsq7zKtM6zMJB4RyAJ:FyC5VwHsq7zCe34RyAJ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01

    • Size

      514KB

    • MD5

      2ad41d644161496d089d17fdd8d829ed

    • SHA1

      5353f2219c0942b87a463658c7c57e4eb717e14c

    • SHA256

      136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01

    • SHA512

      ffba38e48ac854b9677aa86b54f40ae2e32854f441b7384eab914370c621fb2e25d30879adf86891c2ac9bf20caa3f17e777bda26d395cff2788f5dea8ff14d3

    • SSDEEP

      6144:KMy+bnr+pp0yN90QE3F0y6b9bDenEqXctZ2x1vdHsTdkuzy6lZOTbp84K/F+Gvln:8Mrxy905F0DBb8MsiqRu418yG6BGj0S

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396

    • Size

      1.0MB

    • MD5

      2c2992bee297eb92a1c30c47f171520d

    • SHA1

      1aa27a41eb69ed9a6ab90e36fcfb302fd0fd89af

    • SHA256

      1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396

    • SHA512

      efb5cd6594ce8dbc6635cc04210e5e362f0a3ae2c65d5bc161ec903cd96cd58ffaee72fef87fd72fd71e67e09cb7ee0255e82d9944940d6cdb96277f4eacbbb7

    • SSDEEP

      24576:XyWfk2aKNRcqflTT5z/22Rc02/wECzdKXeJvTYqejortkq:iWfpanqfL+212/d+Ayv8zU

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a

    • Size

      2.5MB

    • MD5

      29c903a2fd59a9ff991b74327763b884

    • SHA1

      6bd0461a714710b555e47769941789f2a7b18c39

    • SHA256

      28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a

    • SHA512

      4bb94ba18754cbdcd449b6e69b3d3b326756070f0a367e6bcae214d2f245ddf92c25215a1eae901d824f4de3ef3d1e72a10ce7128cae6db723075a29c128be63

    • SSDEEP

      49152:Jk9cDJgdz+ukkDbCyJjGTESO8AT6ZlyUR96NEJZeVJtFagAGgVBvzu:26FIz5vnjGTEN8AmZcM9vZWtFEGgVBq

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
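
The UPX signature on the sample above is a static check, and the cheapest version of it is to read the PE section table: stock UPX names its sections UPX0/UPX1 and leaves the first one with a virtual size but no bytes on disk, since it is filled at run time by the unpacking stub. The script below is an added example, not the sandbox's rule: it parses a PE section table with nothing but struct, reports both hints separately, and builds three header-only PE images in memory (constructed, no code in them) so the check runs offline. Treat a section-name match as weak evidence; "modified UPX" builds routinely rename sections, which is why the empty-first-section hint is reported on its own.

```python
"""Check a PE file for the section-table traces left by UPX, the packer
flagged on the sample above.

Added example, not sandbox output. The PE images are built in-memory for
the demo (headers only, no code), so the check runs offline.
"""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def pe_sections(data):
    """Parse the section table; return [{'name', 'virtual_size', 'raw_size'}]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)    # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    if table + nsections * SECTION_HDR.size > len(data):
        raise ValueError("truncated section table")
    out = []
    for i in range(nsections):
        name, vsize, _va, raw_size, *_ = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        out.append({"name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
                    "virtual_size": vsize, "raw_size": raw_size})
    return out


def upx_indicators(data):
    """Return the UPX hints found. Empty list = nothing UPX-like seen."""
    secs = pe_sections(data)
    hints = []
    if any(s["name"].upper().startswith("UPX") for s in secs):
        hints.append("section named UPX*")
    # UPX keeps the first section empty on disk (raw size 0) and fills it at
    # run time. This survives a rename of the section names.
    if secs and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0:
        hints.append("first section has virtual size but no raw data")
    return hints


def build_pe(sections):
    """Constructed minimal PE32 header with the given (name, vsize, raw_size)
    sections. Only the fields the parser reads are meaningful."""
    opt = bytes(224)                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        SECTION_HDR.pack(name.encode(), vsize, 0x1000 * (i + 1), raw, 0x400 if raw else 0,
                         0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, raw) in enumerate(sections))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt + table


# Constructed test images: stock UPX layout, an unpacked binary, and UPX with renamed sections.
UPX_LIKE = build_pe([("UPX0", 0x30000, 0), ("UPX1", 0x12000, 0x11800), (".rsrc", 0x800, 0x600)])
PLAIN = build_pe([(".text", 0x5000, 0x5000), (".rdata", 0x1000, 0x1000), (".data", 0x800, 0x200)])
RENAMED = build_pe([(".text", 0x30000, 0), (".data", 0x12000, 0x11800)])

if __name__ == "__main__":
    for label, img in (("upx", UPX_LIKE), ("plain", PLAIN), ("renamed", RENAMED)):
        print(label, upx_indicators(img))
```

To run it on a real file, pass the result of open(path, "rb").read() to upx_indicators. A YARA-style rule such as the one the sandbox uses also looks for the "UPX!" marker and stub bytes, so treat this header check as a first-pass triage filter rather than a verdict.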

    • Target

      3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092

    • Size

      1.0MB

    • MD5

      2a7b1612e39c878b57a90f1ba48107f4

    • SHA1

      51068a24348c3b407040ac2ff89880ee0d288175

    • SHA256

      3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092

    • SHA512

      499bb38c777c8f2af14abff205ef997541a49521f6b873274d05d891486ac0a55144c4bb4ef99930b0bc4f36761235ba9fbf02d15859cd7dadf6ba0c05cfda14

    • SSDEEP

      24576:8ybG6hufBVZ66lWbl9hIPGYN/2/nxult1qKTs5E/yldbAfIL:rjQ3s0Wb1IPGYNUnxuZ9Ts5E/Kk

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d

    • Size

      390KB

    • MD5

      2bc8e8cd130285a0cbea66c6ae7859e9

    • SHA1

      bb229611ae9e5c6a807ceb371b3a282f631324ad

    • SHA256

      56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d

    • SHA512

      6b79aa03ecc4989a5f51f7b9776add2110146890a355a712569d0ad8b0e2399e744ffee8c51888b8f1bcb9d8ede9ee927d9fd35b4c228e2b521f91e0534dd933

    • SSDEEP

      6144:K3y+bnr+8p0yN90QETG840XYwvb4mF4xCVPLXsX2NmV5BCcHnlRHuzoiFqv7m:hMrMy90dhI05uCVPZoUcHnl9Woi8vq

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5

    • Size

      332KB

    • MD5

      2a84ac6a70bf18fce3d4af2b04356f16

    • SHA1

      4a9d0508a54994bac1ab3543be1c19ca80db0d9a

    • SHA256

      5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5

    • SHA512

      554f6d13b08359b48fabedf051584c90975c1066c6dc01379f16ef360cb30bf11b13ca9a988242429a8bf7e3c25e7e405a18a5d2d844241f0850e49c7720d579

    • SSDEEP

      6144:11Bwp/lwz9PI8/T6f5mUz7S3RMyghv1P9NKkY4WB4NSFUv1qcoH5+0Xp:1Pjz9PI8/Tzeyg91pY4WBJO1qcT0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812

    • Size

      389KB

    • MD5

      29dfe0bcbc16089e569919b85c5a7790

    • SHA1

      0a2e017700ed6019d90506d0f309795934f216b2

    • SHA256

      660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812

    • SHA512

      8579f6677026e6db6e96d7e71f214913eaa333efbe61f988419a8ead7f3a76de641fd6bb4ed908acfff80bee63d72386cd3fa44ebe9a7d9c3975fadd8fac4576

    • SSDEEP

      6144:K/y+bnr+np0yN90QENy5RPekKFyJzuw6UyecP8KoaH7dmktY0gBZ+t4+Dsu007cb:xMrDy906RPeTyJByecuiZK0gBYC+4VZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8

    • Size

      863KB

    • MD5

      2a6e1fb8b08aaa808c7fb58476b6e43a

    • SHA1

      7ad750caf7fae9d5a84a40ceaa6b717687c8f8c0

    • SHA256

      6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8

    • SHA512

      e1ebc658f348be796144da8d64139e1736e028448e15e922663202fbb9234ae5eff82fe5323cd3b0b192f238eaa4dcbe91364fe0a46385726f91ec0afc892db8

    • SSDEEP

      24576:zybHwr+znBAxCLaz/qplMPNYrlWCn+QCh2:GbQr+jBQL+M2R+Qq

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a

    • Size

      390KB

    • MD5

      2b5197c2b3a9c14d7cb949b809a27863

    • SHA1

      e78dac9c729de8b6e9064b3bb2043401063ed616

    • SHA256

      795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a

    • SHA512

      622de70b8d20486c805cf25e5b32bc9351a28c4feca5fcde29c279761444450ca57f74a3b737a09eecf689fa909a1f89d729b528758f9a7a237dfe2511b80bbc

    • SSDEEP

      6144:KXy+bnr+Op0yN90QEymQY+TOYTc28XYmEhrORHTqij+jmMrLWJeXsuIGpt:BMr6y90r1+TOSp8oNhCqij+pzXs5Mt

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef

    • Size

      389KB

    • MD5

      2a5fee3aeb178d6f9d0ad8da6752ed62

    • SHA1

      abca698074e3b9b736a667d16876d0d6962d3f94

    • SHA256

      7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef

    • SHA512

      12be27e3e7a4960cf33ad6ee696ab0b7a15c40e02420e1da54d310d3ac75e02755ade67c86a658a3c0e41399d98ccdd34a28b17581dfd1bdb58a143bc4649a5c

    • SSDEEP

      6144:K1y+bnr+cp0yN90QEurtXOTTx4fEcn5ohF38TkpAfrFcnfdyWv9:zMrAy900rtX814f3ovm0AfrFiv9

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94

    • Size

      389KB

    • MD5

      2ade2eca7ef3588a241faa5eb9c4edc5

    • SHA1

      0cb3f7a34bbd6fc353cf75997ca96974255f6243

    • SHA256

      80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94

    • SHA512

      6a180e614bebf77a83ab8efeaec6ac20d4b7ceef19b01610b8f19f325e5fe37c5cdea4a88d858bfee0e7d5574da41867d738d2b0b526830e73e5ff8c2693991a

    • SSDEEP

      12288:0Mrpy90UHPXysVcfTOgBYCNLVbx2oXQSvd:tybv1G7NzHVESvd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d

    • Size

      390KB

    • MD5

      29f49a573cb9d9eefa26b783575a7833

    • SHA1

      39eca76bc506027b137c37b95465789b1f63889c

    • SHA256

      85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d

    • SHA512

      ccc26765e258526db126fb0a0a724226895f587cc8d0bd7b2200f2767374d8b513f9229a7ba81e96abf5ac4653cbcfcad500f16127f68b160e048a2578795946

    • SSDEEP

      6144:KZy+bnr+Vp0yN90QEIbPyhWbmhXtqYnlkff2MDV2m7qbOvvRxsh68j:PMrJy90ZFhkYnlk2MDVvUh6w

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

    • Size

      828KB

    • MD5

      2a32d9865596340119086b9e9d7407d7

    • SHA1

      cd4daf419b213c6a34241bb7a791f2b59f4d80d8

    • SHA256

      bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

    • SHA512

      2bcd417c9bc9e1cd1fb0a63dc62fa1599b78f7ea6b3205f2b6c9b5b9f805183b80318fd0f9ff4dd3ca8b55dfafab6cfd8300c638c97e22269904362434e001b8

    • SSDEEP

      24576:9y4zSdEWEkPt03UTE04CiNCAFab9dmcZgf:Y4OEW2rCiUAYJn

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639

    • Size

      309KB

    • MD5

      2b9af2f423ddd5e5022d79ce0fc8ef82

    • SHA1

      5e2592a9d3167b27d130b4f054175cf9a4ec407a

    • SHA256

      c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639

    • SHA512

      19274e6cc635c5c8bcd4c48f4859e0d40f023eabf94413d8845c98c4a2d41a676c30129002956e9bbfb0835cc1ec0749df326fd95efdf9dc849d84ab6b1123e4

    • SSDEEP

      6144:KDy+bnr+ip0yN90QEx5F5OYc1u31g4TBymqSI6pz9wfWF33OHqK:VMr2y90Rxc1u31TTEYZ3wfWlMqK

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d

    • Size

      309KB

    • MD5

      29b6f7f057eac5b191f6c8afd570de01

    • SHA1

      42d70940116df9fd978d8c6c8429c125fc421670

    • SHA256

      c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d

    • SHA512

      08da0693b309a1b7549610f10e1f90e47deb87033a78403caa0220e916ffb2f4126f07848d7a8c1f94c947ce2915933ad205cb4e5ba54f5d0d560cf486642207

    • SSDEEP

      6144:KHy+bnr+Up0yN90QE05F5OYc1u31g4TByPS6C+jIQpO56Iw:9MrEy90uxc1u31TTEP/7vxd

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716

    • Size

      864KB

    • MD5

      2c52c514ed30a21dbfc181f9a56e756d

    • SHA1

      251cf6719d43e1fd2c52df211e76b8644c3cd2b0

    • SHA256

      ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716

    • SHA512

      e59f6f72001fbfb87dfbdf3ac73832f17ba334a5877f395f3c3173d18ba41c3a962714d6f91ce92d484ffe5368bf3ff90b388be4175032dc20a2bee0005c000b

    • SSDEEP

      24576:5yQ6k1XlUuV6gbsDRA/vTXLp3qiwikDLDJtgYBNSu+KpEFMe:sQ6knTs2XTXLpFusYKu+yQ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • Size

      514KB

    • MD5

      2993a209322f7d93406fd78632f4a545

    • SHA1

      e141503a5dc185ee91e131b8404ee5f563ff1cd1

    • SHA256

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • SHA512

      cb8d9e79b3ed4ba5711cd8933590ce1dd9e349f7a399c38650a1b3611c4a50a415f0b7de91701f3e77e8297d38bb433fc7fb3d53cfd1e46e76f99772aeabfc3b

    • SSDEEP

      12288:cMrzy90i9beiGTgODcYq3pB/npmVb66azq:vy/bhGT5Pq3Lhm/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda

    • Size

      1.7MB

    • MD5

      2bf06baa3ecdf15e0690a49d48c89a5c

    • SHA1

      d26ee7ba4b6739d79aa2f675011692fc81510b23

    • SHA256

      eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda

    • SHA512

      c535d51b89349b1a6bf2aa7f31c2ad2c48cdf7bab24fe1aab4663c42ddee295bdcaa806e713902457be0580feba4650fecce7ce30b4a0a1e4a57fd5b7752f5fc

    • SSDEEP

      49152:Wsgn+koTVHgULqwjeUM3/Pa5dNAq8UYidJGLW9slbFS:mnZuHgULqwXUIrA3mwqylb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
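
The signature tags repeated across the targets above (Executes dropped EXE, Adds Run key to start application, Modifies Windows Defender Real-time Protection settings) map onto events Sysmon records as EventID 11 followed by EventID 1 (a file is written, then run), EventID 13 on a value under the Run key, and EventID 13 on the Windows Defender Real-Time Protection policy values. The detector below is an added example, not the sandbox's own rules: the event dicts are constructed using Sysmon field names, the "Amadey-like" path pattern is a heuristic derived from the install_dir/install_file values in the configs above (a 10-hex-char folder holding the installed executable) and not a vendor rule, and the registry read behind "Checks computer location settings" (HKCU\Control Panel\International\Geo\Nation) is not covered because Sysmon does not log registry reads.

```python
"""Flag the host behaviours this report tags (dropped EXE executed, Run-key
persistence into a user-writable folder, Defender real-time protection
disabled) in Sysmon-style telemetry.

Added example, not sandbox output. Event shapes follow Sysmon field names
(EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent/SetValue); the
events themselves are constructed, reusing install_dir/install_file values
from the Amadey configs on this page.
"""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
DEFENDER_RTP = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Local\\Temp|Roaming)\\|\\ProgramData\\|\\Users\\Public\\", re.I)
# Heuristic taken from the configs above: a 10-hex-char folder holding the
# installed executable (e.g. \925e7e99c5\pdates.exe). Assumption, not a rule
# from any vendor.
AMADEY_LIKE = re.compile(r"\\[0-9a-f]{10}\\[^\\]+\.exe$", re.I)


def dword_is_one(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'."""
    return details.strip().upper() == "DWORD (0X00000001)"


def detect(events):
    """Return alerts in event order. Correlates FileCreate -> ProcessCreate
    so that 'executes dropped EXE' only fires for files written in-trace."""
    alerts, dropped = [], set()
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 1 and ev["Image"].lower() in dropped:
            alerts.append({"rule": "executes_dropped_exe", "image": ev["Image"],
                           "detail": ev.get("ParentImage", "")})
        elif eid == 13:
            target, details = ev["TargetObject"], ev.get("Details", "").strip('"')
            if RUN_KEY.search(target) and USER_WRITABLE.search(details):
                alerts.append({"rule": "run_key_user_writable", "image": ev["Image"],
                               "detail": details,
                               "amadey_like": bool(AMADEY_LIKE.search(details))})
            elif DEFENDER_RTP.search(target) and dword_is_one(details):
                alerts.append({"rule": "defender_realtime_disabled", "image": ev["Image"],
                               "detail": target.rsplit("\\", 1)[-1]})
    return alerts


TEMP = r"C:\Users\bob\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed, not from the sandbox trace
    {"EventID": 11, "Image": TEMP + r"\dropper.exe",
     "TargetFilename": TEMP + r"\925e7e99c5\pdates.exe"},
    {"EventID": 1, "Image": TEMP + r"\925e7e99c5\pdates.exe",
     "ParentImage": TEMP + r"\dropper.exe"},
    {"EventID": 13, "Image": TEMP + r"\925e7e99c5\pdates.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdates.exe",
     "Details": TEMP + r"\925e7e99c5\pdates.exe"},
    {"EventID": 13, "Image": TEMP + r"\healer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    # Benign: a vendor tray app registering itself from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The Run-key rule deliberately requires the value data to point into a user-writable location; a Run entry under Program Files is left alone, which is what keeps the rule quiet on ordinary software installs. The Defender rule only fires when the policy value is actually set to 1, since the same key is written with 0 by administrators re-enabling protection.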

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
7/10

behavioral1

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral2

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral3

amadey healer redline smokeloader krast backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral4

healer redline lamp dropper evasion infostealer persistence trojan
Score
10/10

behavioral5

upx
Score
7/10

behavioral6

upx
Score
7/10

behavioral7

healer redline masha dropper evasion infostealer persistence trojan
Score
10/10

behavioral8

amadey healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral9

Score
3/10

behavioral10

redline 5345987420 discovery infostealer spyware stealer
Score
10/10

behavioral11

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral12

healer dropper persistence
Score
10/10

behavioral13

amadey healer redline krast dropper evasion infostealer persistence trojan
Score
10/10

behavioral14

healer redline nasa dropper evasion infostealer persistence trojan
Score
10/10

behavioral15

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral16

amadey healer redline lande dropper evasion infostealer persistence trojan
Score
10/10

behavioral17

healer redline crazy muha dropper evasion infostealer persistence trojan
Score
10/10

behavioral18

healer redline mihan dropper evasion infostealer persistence trojan
Score
10/10

behavioral19

healer redline mihan dropper evasion infostealer persistence trojan
Score
10/10

behavioral20

redline kira infostealer persistence
Score
10/10

behavioral21

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
Score
10/10

behavioral22

amadey healer smokeloader backdoor dropper evasion persistence trojan
Score
10/10
