General

  • Target

    205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e

  • Size

    12.7MB

  • Sample

    240510-qgnn9agd7w

  • MD5

    71379bb448b24849e22e252ad252ebdb

  • SHA1

    8876742a774b784adb7ccec50d621299fe3e170f

  • SHA256

    205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e

  • SHA512

    801ab8a256e4b9522cfc0ae39b4deff3deaac867adc308d06851b4304736900160f9ae7796cf40aed3c8f47c2d54a5650adc43c60058dbf1a1c068e2984cffba

  • SSDEEP

    393216:rewl2tM/A2e29i13FwPxuvhG3Z9W2ZPYeqBtZQX2:rgtB2e29izwAGpc2Hat1

Malware Config

Extracted

  • Family: amadey
  • Version: 3.86
  • C2: http://77.91.68.61
  • Attributes
      install_dir: 925e7e99c5
      install_file: pdates.exe
      strings_key: ada76b8b0e1f6892ee93c20ab8946117
      url_paths: /rock/index.php
  • rc4.plain

Extracted

  • Family: redline
  • Botnet: lande
  • C2: 77.91.124.84:19071
  • Attributes
      auth_value: 9fa41701c47df37786234f3373f21208

Extracted

  • Family: redline
  • Botnet: 5345987420
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted

  • Family: redline
  • Botnet: kira
  • C2: 77.91.68.48:19071
  • Attributes
      auth_value: 1677a40fd8997eb89377e1681911e9c6

Extracted

  • Family: redline
  • Botnet: krast
  • C2: 77.91.68.68:19071
  • Attributes
      auth_value: 9059ea331e4599de3746df73ccb24514

Extracted

  • Family: redline
  • Botnet: nasa
  • C2: 77.91.68.68:19071
  • Attributes
      auth_value: 6da71218d8a9738ea3a9a78b5677589b

Extracted

  • Family: redline
  • Botnet: crazy
  • C2: 83.97.73.129:19068
  • Attributes
      auth_value: 66bc4d9682ea090eef64a299ece12fdd

Extracted

  • Family: redline
  • Botnet: muha
  • C2: 83.97.73.129:19068
  • Attributes
      auth_value: 3c237e5fecb41481b7af249e79828a46

Extracted

  • Family: redline
  • Botnet: mihan
  • C2: 217.196.96.101:4132
  • Attributes
      auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

  • Family: amadey
  • Version: 3.85
  • C2: http://77.91.68.3
  • Attributes
      install_dir: 3ec1f323b5
      install_file: danke.exe
      strings_key: 827021be90f1e85ab27949ea7e9347e8
      url_paths: /home/love/index.php
  • rc4.plain

Extracted

  • Family: redline
  • Botnet: lamp
  • C2: 77.91.68.56:19071
  • Attributes
      auth_value: ee1df63bcdbe3de70f52810d94eaff7d

Extracted

  • Family: redline
  • Botnet: masha
  • C2: 77.91.68.48:19071
  • Attributes
      auth_value: 55b9b39a0dae383196a4b8d79e5bb805

Targets

    • Target

      082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172

    • Size

      390KB

    • MD5

      2b4fcfb0f2ae522aa294a88b8c2b93cf

    • SHA1

      55641e78c33b0eada8f3dd92dd81089902bcc4ba

    • SHA256

      082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172

    • SHA512

      b3ebd6657abb087950de61eda914202f72f0c3e2984a4b47fe4d157f79d60418f72b0c9ace2fb3ded85def218ab024c858ca4ecc4a7415ad15b83812e547f9ce

    • SSDEEP

      6144:Kzy+bnr+np0yN90QEJAR3Z0skWcnZNbQR51uTrfrDMSxlP+mzNFe7gHa0O:xMrXy90XC3Z0Msrf0Sxp5Fe7gpO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6

    • Size

      390KB

    • MD5

      2b277cdb588cc9fb0f2256f45147e890

    • SHA1

      ce9bba3d9d6d9ebeaab7419a9fd6706e2368725e

    • SHA256

      0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6

    • SHA512

      1613e946430e79a02de882f55490d2a0e7333d81483555972353ba607861296409cc0be202842edd08378741ad87a93c08ed71a05ffac15d5c75f9a94c5485a8

    • SSDEEP

      12288:FMrYy90N5WijQtbLnsq7zKtM6zMJB4RyAJ:FyC5VwHsq7zCe34RyAJ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01

    • Size

      514KB

    • MD5

      2ad41d644161496d089d17fdd8d829ed

    • SHA1

      5353f2219c0942b87a463658c7c57e4eb717e14c

    • SHA256

      136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01

    • SHA512

      ffba38e48ac854b9677aa86b54f40ae2e32854f441b7384eab914370c621fb2e25d30879adf86891c2ac9bf20caa3f17e777bda26d395cff2788f5dea8ff14d3

    • SSDEEP

      6144:KMy+bnr+pp0yN90QE3F0y6b9bDenEqXctZ2x1vdHsTdkuzy6lZOTbp84K/F+Gvln:8Mrxy905F0DBb8MsiqRu418yG6BGj0S

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396

    • Size

      1.0MB

    • MD5

      2c2992bee297eb92a1c30c47f171520d

    • SHA1

      1aa27a41eb69ed9a6ab90e36fcfb302fd0fd89af

    • SHA256

      1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396

    • SHA512

      efb5cd6594ce8dbc6635cc04210e5e362f0a3ae2c65d5bc161ec903cd96cd58ffaee72fef87fd72fd71e67e09cb7ee0255e82d9944940d6cdb96277f4eacbbb7

    • SSDEEP

      24576:XyWfk2aKNRcqflTT5z/22Rc02/wECzdKXeJvTYqejortkq:iWfpanqfL+212/d+Ayv8zU

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a

    • Size

      2.5MB

    • MD5

      29c903a2fd59a9ff991b74327763b884

    • SHA1

      6bd0461a714710b555e47769941789f2a7b18c39

    • SHA256

      28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a

    • SHA512

      4bb94ba18754cbdcd449b6e69b3d3b326756070f0a367e6bcae214d2f245ddf92c25215a1eae901d824f4de3ef3d1e72a10ce7128cae6db723075a29c128be63

    • SSDEEP

      49152:Jk9cDJgdz+ukkDbCyJjGTESO8AT6ZlyUR96NEJZeVJtFagAGgVBvzu:26FIz5vnjGTEN8AmZcM9vZWtFEGgVBq

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092

    • Size

      1.0MB

    • MD5

      2a7b1612e39c878b57a90f1ba48107f4

    • SHA1

      51068a24348c3b407040ac2ff89880ee0d288175

    • SHA256

      3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092

    • SHA512

      499bb38c777c8f2af14abff205ef997541a49521f6b873274d05d891486ac0a55144c4bb4ef99930b0bc4f36761235ba9fbf02d15859cd7dadf6ba0c05cfda14

    • SSDEEP

      24576:8ybG6hufBVZ66lWbl9hIPGYN/2/nxult1qKTs5E/yldbAfIL:rjQ3s0Wb1IPGYNUnxuZ9Ts5E/Kk

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d

    • Size

      390KB

    • MD5

      2bc8e8cd130285a0cbea66c6ae7859e9

    • SHA1

      bb229611ae9e5c6a807ceb371b3a282f631324ad

    • SHA256

      56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d

    • SHA512

      6b79aa03ecc4989a5f51f7b9776add2110146890a355a712569d0ad8b0e2399e744ffee8c51888b8f1bcb9d8ede9ee927d9fd35b4c228e2b521f91e0534dd933

    • SSDEEP

      6144:K3y+bnr+8p0yN90QETG840XYwvb4mF4xCVPLXsX2NmV5BCcHnlRHuzoiFqv7m:hMrMy90dhI05uCVPZoUcHnl9Woi8vq

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5

    • Size

      332KB

    • MD5

      2a84ac6a70bf18fce3d4af2b04356f16

    • SHA1

      4a9d0508a54994bac1ab3543be1c19ca80db0d9a

    • SHA256

      5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5

    • SHA512

      554f6d13b08359b48fabedf051584c90975c1066c6dc01379f16ef360cb30bf11b13ca9a988242429a8bf7e3c25e7e405a18a5d2d844241f0850e49c7720d579

    • SSDEEP

      6144:11Bwp/lwz9PI8/T6f5mUz7S3RMyghv1P9NKkY4WB4NSFUv1qcoH5+0Xp:1Pjz9PI8/Tzeyg91pY4WBJO1qcT0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812

    • Size

      389KB

    • MD5

      29dfe0bcbc16089e569919b85c5a7790

    • SHA1

      0a2e017700ed6019d90506d0f309795934f216b2

    • SHA256

      660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812

    • SHA512

      8579f6677026e6db6e96d7e71f214913eaa333efbe61f988419a8ead7f3a76de641fd6bb4ed908acfff80bee63d72386cd3fa44ebe9a7d9c3975fadd8fac4576

    • SSDEEP

      6144:K/y+bnr+np0yN90QENy5RPekKFyJzuw6UyecP8KoaH7dmktY0gBZ+t4+Dsu007cb:xMrDy906RPeTyJByecuiZK0gBYC+4VZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8

    • Size

      863KB

    • MD5

      2a6e1fb8b08aaa808c7fb58476b6e43a

    • SHA1

      7ad750caf7fae9d5a84a40ceaa6b717687c8f8c0

    • SHA256

      6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8

    • SHA512

      e1ebc658f348be796144da8d64139e1736e028448e15e922663202fbb9234ae5eff82fe5323cd3b0b192f238eaa4dcbe91364fe0a46385726f91ec0afc892db8

    • SSDEEP

      24576:zybHwr+znBAxCLaz/qplMPNYrlWCn+QCh2:GbQr+jBQL+M2R+Qq

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a

    • Size

      390KB

    • MD5

      2b5197c2b3a9c14d7cb949b809a27863

    • SHA1

      e78dac9c729de8b6e9064b3bb2043401063ed616

    • SHA256

      795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a

    • SHA512

      622de70b8d20486c805cf25e5b32bc9351a28c4feca5fcde29c279761444450ca57f74a3b737a09eecf689fa909a1f89d729b528758f9a7a237dfe2511b80bbc

    • SSDEEP

      6144:KXy+bnr+Op0yN90QEymQY+TOYTc28XYmEhrORHTqij+jmMrLWJeXsuIGpt:BMr6y90r1+TOSp8oNhCqij+pzXs5Mt

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef

    • Size

      389KB

    • MD5

      2a5fee3aeb178d6f9d0ad8da6752ed62

    • SHA1

      abca698074e3b9b736a667d16876d0d6962d3f94

    • SHA256

      7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef

    • SHA512

      12be27e3e7a4960cf33ad6ee696ab0b7a15c40e02420e1da54d310d3ac75e02755ade67c86a658a3c0e41399d98ccdd34a28b17581dfd1bdb58a143bc4649a5c

    • SSDEEP

      6144:K1y+bnr+cp0yN90QEurtXOTTx4fEcn5ohF38TkpAfrFcnfdyWv9:zMrAy900rtX814f3ovm0AfrFiv9

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94

    • Size

      389KB

    • MD5

      2ade2eca7ef3588a241faa5eb9c4edc5

    • SHA1

      0cb3f7a34bbd6fc353cf75997ca96974255f6243

    • SHA256

      80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94

    • SHA512

      6a180e614bebf77a83ab8efeaec6ac20d4b7ceef19b01610b8f19f325e5fe37c5cdea4a88d858bfee0e7d5574da41867d738d2b0b526830e73e5ff8c2693991a

    • SSDEEP

      12288:0Mrpy90UHPXysVcfTOgBYCNLVbx2oXQSvd:tybv1G7NzHVESvd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d

    • Size

      390KB

    • MD5

      29f49a573cb9d9eefa26b783575a7833

    • SHA1

      39eca76bc506027b137c37b95465789b1f63889c

    • SHA256

      85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d

    • SHA512

      ccc26765e258526db126fb0a0a724226895f587cc8d0bd7b2200f2767374d8b513f9229a7ba81e96abf5ac4653cbcfcad500f16127f68b160e048a2578795946

    • SSDEEP

      6144:KZy+bnr+Vp0yN90QEIbPyhWbmhXtqYnlkff2MDV2m7qbOvvRxsh68j:PMrJy90ZFhkYnlk2MDVvUh6w

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

    • Size

      828KB

    • MD5

      2a32d9865596340119086b9e9d7407d7

    • SHA1

      cd4daf419b213c6a34241bb7a791f2b59f4d80d8

    • SHA256

      bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26

    • SHA512

      2bcd417c9bc9e1cd1fb0a63dc62fa1599b78f7ea6b3205f2b6c9b5b9f805183b80318fd0f9ff4dd3ca8b55dfafab6cfd8300c638c97e22269904362434e001b8

    • SSDEEP

      24576:9y4zSdEWEkPt03UTE04CiNCAFab9dmcZgf:Y4OEW2rCiUAYJn

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639

    • Size

      309KB

    • MD5

      2b9af2f423ddd5e5022d79ce0fc8ef82

    • SHA1

      5e2592a9d3167b27d130b4f054175cf9a4ec407a

    • SHA256

      c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639

    • SHA512

      19274e6cc635c5c8bcd4c48f4859e0d40f023eabf94413d8845c98c4a2d41a676c30129002956e9bbfb0835cc1ec0749df326fd95efdf9dc849d84ab6b1123e4

    • SSDEEP

      6144:KDy+bnr+ip0yN90QEx5F5OYc1u31g4TBymqSI6pz9wfWF33OHqK:VMr2y90Rxc1u31TTEYZ3wfWlMqK

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d

    • Size

      309KB

    • MD5

      29b6f7f057eac5b191f6c8afd570de01

    • SHA1

      42d70940116df9fd978d8c6c8429c125fc421670

    • SHA256

      c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d

    • SHA512

      08da0693b309a1b7549610f10e1f90e47deb87033a78403caa0220e916ffb2f4126f07848d7a8c1f94c947ce2915933ad205cb4e5ba54f5d0d560cf486642207

    • SSDEEP

      6144:KHy+bnr+Up0yN90QE05F5OYc1u31g4TByPS6C+jIQpO56Iw:9MrEy90uxc1u31TTEP/7vxd

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716

    • Size

      864KB

    • MD5

      2c52c514ed30a21dbfc181f9a56e756d

    • SHA1

      251cf6719d43e1fd2c52df211e76b8644c3cd2b0

    • SHA256

      ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716

    • SHA512

      e59f6f72001fbfb87dfbdf3ac73832f17ba334a5877f395f3c3173d18ba41c3a962714d6f91ce92d484ffe5368bf3ff90b388be4175032dc20a2bee0005c000b

    • SSDEEP

      24576:5yQ6k1XlUuV6gbsDRA/vTXLp3qiwikDLDJtgYBNSu+KpEFMe:sQ6knTs2XTXLpFusYKu+yQ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • Size

      514KB

    • MD5

      2993a209322f7d93406fd78632f4a545

    • SHA1

      e141503a5dc185ee91e131b8404ee5f563ff1cd1

    • SHA256

      cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

    • SHA512

      cb8d9e79b3ed4ba5711cd8933590ce1dd9e349f7a399c38650a1b3611c4a50a415f0b7de91701f3e77e8297d38bb433fc7fb3d53cfd1e46e76f99772aeabfc3b

    • SSDEEP

      12288:cMrzy90i9beiGTgODcYq3pB/npmVb66azq:vy/bhGT5Pq3Lhm/

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda

    • Size

      1.7MB

    • MD5

      2bf06baa3ecdf15e0690a49d48c89a5c

    • SHA1

      d26ee7ba4b6739d79aa2f675011692fc81510b23

    • SHA256

      eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda

    • SHA512

      c535d51b89349b1a6bf2aa7f31c2ad2c48cdf7bab24fe1aab4663c42ddee295bdcaa806e713902457be0580feba4650fecce7ce30b4a0a1e4a57fd5b7752f5fc

    • SSDEEP

      49152:Wsgn+koTVHgULqwjeUM3/Pa5dNAq8UYidJGLW9slbFS:mnZuHgULqwXUIrA3mwqylb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic               | Technique                          | Count | ID
---------------------|------------------------------------|-------|----------
Execution            | Scheduled Task/Job                 | 10    | T1053
Persistence          | Create or Modify System Process    | 17    | T1543
Persistence          | Windows Service                    | 17    | T1543.003
Persistence          | Boot or Logon Autostart Execution  | 18    | T1547
Persistence          | Registry Run Keys / Startup Folder | 18    | T1547.001
Persistence          | Scheduled Task/Job                 | 10    | T1053
Privilege Escalation | Create or Modify System Process    | 17    | T1543
Privilege Escalation | Windows Service                    | 17    | T1543.003
Privilege Escalation | Boot or Logon Autostart Execution  | 18    | T1547
Privilege Escalation | Registry Run Keys / Startup Folder | 18    | T1547.001
Privilege Escalation | Scheduled Task/Job                 | 10    | T1053
Defense Evasion      | Modify Registry                    | 51    | T1112
Defense Evasion      | Impair Defenses                    | 33    | T1562
Defense Evasion      | Disable or Modify Tools            | 33    | T1562.001
Credential Access    | Unsecured Credentials              | 2     | T1552
Credential Access    | Credentials In Files               | 2     | T1552.001
Discovery            | Query Registry                     | 14    | T1012
Discovery            | System Information Discovery       | 23    | T1082
Discovery            | Peripheral Device Discovery        | 3     | T1120
Collection           | Data from Local System             | 2     | T1005
Command and Control  | Web Service                        | 1     | T1102

Tasks

static1
  Tags: upx
  Score: 7/10

behavioral1
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral2
  Tags: amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral3
  Tags: amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral4
  Tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral5
  Tags: upx
  Score: 7/10

behavioral6
  Tags: upx
  Score: 7/10

behavioral7
  Tags: healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral8
  Tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral9
  Score: 3/10

behavioral10
  Tags: redline, 5345987420, discovery, infostealer, spyware, stealer
  Score: 10/10

behavioral11
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral12
  Tags: healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral13
  Tags: amadey, healer, redline, krast, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral14
  Tags: healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral15
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral16
  Tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral17
  Tags: healer, redline, crazy, muha, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral18
  Tags: healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral19
  Tags: healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral20
  Tags: redline, kira, infostealer, persistence
  Score: 10/10

behavioral21
  Tags: amadey, healer, redline, smokeloader, nasa, backdoor, dropper, evasion, infostealer, persistence, trojan
  Score: 10/10

behavioral22
  Tags: amadey, healer, smokeloader, backdoor, dropper, evasion, persistence, trojan
  Score: 10/10