General
-
Target
e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed
-
Size
16.5MB
-
Sample
240510-qnl41agg41
-
MD5
02dce2c23adba83e6b24c76234304713
-
SHA1
647ce3ee7fdbe196db5bf916578d5eb517d903b8
-
SHA256
e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed
-
SHA512
4edbc8c739ac92515439bca01b3922348f5b5a2d6f98ba0b702e4768cd75e07b1fc5b056a03bc7d86c28e554172e1f688a4cd38aa9a5c729c3a308a91e504ec5
-
SSDEEP
393216:AGO0HgyGCv3L6564s7Ts4EZXBpVrFaSOsGZJGC8Wq:AeAtCv3e5BpVFDHGZJS
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
http://5.42.92.67
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
news
77.91.68.68:19071
-
auth_value
99ba2ffe8d72ebe9fdc7e758c94db148
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Extracted
redline
lamp
77.91.68.56:19071
-
auth_value
ee1df63bcdbe3de70f52810d94eaff7d
Extracted
redline
krast
77.91.68.68:19071
-
auth_value
9059ea331e4599de3746df73ccb24514
Extracted
redline
dumud
217.196.96.101:4132
-
auth_value
3e18d4b90418aa3e78d8822e87c62f5c
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Extracted
redline
7001210066
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
mihan
217.196.96.101:4132
-
auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520
Extracted
redline
masha
77.91.68.48:19071
-
auth_value
55b9b39a0dae383196a4b8d79e5bb805
Targets
-
-
Target
05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729
-
Size
515KB
-
MD5
311bcc98621f1612a7a0bae8b412dd21
-
SHA1
e6208f01069780dfb69fc831895e3b97cd900842
-
SHA256
05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729
-
SHA512
84aaeae41c97293674a99209e67e09ee915f6c533ef735792493981f7ce8cb6e66b69fa403c6d7fb9a0b9d8041af71484affe045c6582ce98337a4479d596059
-
SSDEEP
12288:LMrhy90ADACn1dQ4Hr1nEb3crjgrngFOW:Syf1dQ4Hreb3crsr0OW
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5
-
Size
390KB
-
MD5
302c8027c8728a76aebbdaa358bcf27f
-
SHA1
b377bb11e4b31fac3779736dafd77d3930e68349
-
SHA256
143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5
-
SHA512
bec37bef66ef5ab381607b0ce2f3e4852b9c91e44187376e5065026db2b62150f418ea58b7646011c86bf096e4d22de36f28f8f54efbe137bbf54bc081615c8e
-
SSDEEP
6144:KBy+bnr+6p0yN90QE7f11dRzGQkV6oNImWSzVGBmIqS8a0lCG:rMrey90lf1zcQkHNwSzAd0YG
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731
-
Size
479KB
-
MD5
31617cece5388ac8787754c9406975d7
-
SHA1
b3315488d6a9295329123bbbce1fd14ae7ed91a6
-
SHA256
2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731
-
SHA512
d3c6bcab9038bcd8de94f30909c7eb12abe56d9a6b04cd46440118f5eb1243499cf87839401a9915ab24c6091d4ce23ddea26ea0cc25fe13ae920d894414f6a7
-
SSDEEP
12288:EMrSy90QA01k9EdiY5c1u31vTEmyrZpYgGT7j+h5Va6e:+yoY9X9TwFpY57atTe
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b
-
Size
1.2MB
-
MD5
2f8765ddfb5eb9cf565d416a2fef07a9
-
SHA1
ceb22309b872f04d9c5df1e6fe3cc35fa616e6cd
-
SHA256
2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b
-
SHA512
6489262e8b6394e895ef7ea59c94f8b460affbb17130a1136df23b47f1cc50f3c09db0fd10319484e28679ef65d583c15086b38b5d0d27858906e4f4504f7b85
-
SSDEEP
24576:Cy4hgIcCM5IddKY63yg7MVZeoCNElcacqdf36HXe:p4hdcidKY63jwSDEa923
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee
-
Size
390KB
-
MD5
2d00f96e74fa01be6c570782f56ca124
-
SHA1
17ed1713ade7f79ea2ed1bb9130871ca56b0c072
-
SHA256
4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee
-
SHA512
6b359ebae2e3607603393e1ff2d950987194e77089ef6dee3513b17defc0c0d20950ce3554e76e68500e4b4ed23138bfdc922088881958a1dfe0a9c65e416575
-
SSDEEP
6144:KWy+bnr+rp0yN90QE0PZI9HwPGTICcWt4JZe6vzwYFeXx3Rhye2coLju:SMrvy90iXVztj1MNSeB+S
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38
-
Size
480KB
-
MD5
2e6a4fc6e3fb6ef41f3e9a1c0245473b
-
SHA1
e8b2387fff202d400c02a75b92d31c95400abc95
-
SHA256
464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38
-
SHA512
e9f733e6de8dcee03191129a06f1e72f8858fe89662914be2bc39d595fa7681d02d536136f200836c3fd624c4bf478283d85289fb2c141b21d818debd6281ef9
-
SSDEEP
12288:JMrVy901LN4BkGvpYh66jV8uL3jl8TzH//:oy8GBkqpEt9jSz//
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf
-
Size
1.2MB
-
MD5
2ff65e9ca8a0b92b2f9ead3ba8dd7ed2
-
SHA1
bc118c8a4ba9391e5bc4315eef3d0dd83afaebfd
-
SHA256
4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf
-
SHA512
4fd459726173efd0412638d81884d4636b385098696b6dee1b403b809a3eb79c2202394ca4ca5e8f3f1630e83e02af723a78931c58242cf161abe1974b32137a
-
SSDEEP
24576:YyZkbJInDZr4+HhuBykcdH3B3laSprA5MBkWUhLfYTemxmdza8xPjo:fZkbSDZTHc9cdH3aSBA5I4FduaPj
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01
-
Size
390KB
-
MD5
2eceda61e6e0bef77aa4e2d0e99f765d
-
SHA1
05a5e56dec75029e3b8e483d649e7b5ff6f8daa2
-
SHA256
59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01
-
SHA512
fc20de5d3d22d2f7b331aa892563cbdd0d496cbbf4004048cacc6bb0af9e45e0c0df64df3b1d19119fb5f2b1c76e773aa36e81051dab31c74e6705894b22c5d3
-
SSDEEP
6144:KNy+bnr+qp0yN90QEPnSCpusoviHGXWnzdpGWXAL6A5202cF1zV5cPMdDExP:bMruy90B/0lUDdwL6m203zVJdDExP
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b
-
Size
1.6MB
-
MD5
2f1c41adf7b880f2e9f9b1b0286a143b
-
SHA1
606acc7a67ec4f0241b3850a1b0ce2241774c9de
-
SHA256
61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b
-
SHA512
c1b593f1e6600aa2124262f90c0a1ad77f46dc1e87ce836c1d9bf2160352d974f5cbff78100bc7c380071b3de8d0ef3cd653423efa26e73c005beb59a6fa0596
-
SSDEEP
24576:gye1lDVXnpy0e+JaxMbVa2H2t2BCl1EDD9uh4iVtjGE0Nx:nEneZxoDH42BClumNVL0N
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8
-
Size
2.6MB
-
MD5
2f7129366c456459ebadc1dd90c439f2
-
SHA1
9ea7a9df8898f50dbeac35a8f2f20b43644fb1fa
-
SHA256
68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8
-
SHA512
32abc0a370d950b619a7ebb13bb2b497a318ff0043345a5523598465d8a8bf7000d2d5b52e1cac62df6fd21ba143b1df43ff0b392a8c39e8df7e49d5982ae294
-
SSDEEP
49152:zKC9Pmf3aSVILfYuExL71E7gLkPjDv5DIuZ4/vR55kmjCoyfR5L:zP2JeYPOPjlDxIr5Oo6V
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3
-
Size
515KB
-
MD5
3133d51b9cb5dff2ffb1eb479a3a8197
-
SHA1
c7751780b417509447b6374f2044c4a70bd3aea2
-
SHA256
6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3
-
SHA512
4d0249966b11f4933be1aa3126d2ebd6d93700ff22f858457c0cde49a6e691f89d6480068f00d26b5aaa07b48f71ec0ec67f6ad6951d92815777801153789ae2
-
SSDEEP
12288:2Mr3y90Mp419rk/h+B4egjTgl+ZP3SFgHEgD/r17DZ:ByDp4vg+uegjTgl6PQeESr91
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b
-
Size
390KB
-
MD5
2e8378a779c529d72cae6f125711e88c
-
SHA1
4b1d1bab9924629cc6b968efc89925468c90cdb9
-
SHA256
8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b
-
SHA512
24dbf09588cf022952aabbd463efa15a209f9511fa20bbce46e8c24d785658449632d429dd30bac24750e0bc697be4b8b8dc0b217540195a0264a72f0957145e
-
SSDEEP
6144:K3y+bnr+Kp0yN90QE5HRKn43pGULDIfkdamIgLWFlv1/ea+AFw5YMdc5bcg9xb:lMriy90rUn4zLDIcABv1x+kLiecgjb
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a
-
Size
3.5MB
-
MD5
2e74d6fa9f7ad6604f4474d3a88df538
-
SHA1
94ddd1699392c49aea7f9a610ed5487ea5d30a07
-
SHA256
a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a
-
SHA512
38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5
-
SSDEEP
98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9
-
Size
1.2MB
-
MD5
3084e5a05ec994a172379bb42d1f4a6e
-
SHA1
d5705086a050a075520d1e19aa047f924e079ba5
-
SHA256
b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9
-
SHA512
7988b8ced595a143db70f1e668bb0e645fa19621e363061379cd5b042ec6444bf8f9a14184bd65afb126a851e8acfb23eee6f71bce930d135c9eab36d87e06a0
-
SSDEEP
24576:my9QoTLxsXrQ8m0Y3lsvmLEBXibYVetVVosYmmL9hK:19Qwss8ytLqqYjsJmJh
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394
-
Size
389KB
-
MD5
2eeefdf643f78c415d5773e6839837b2
-
SHA1
797a0d8433f1b575915a9cb2952795535fb3546d
-
SHA256
ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394
-
SHA512
96c66dfb44902289d99a122c9e8b2804a236e61351e81ad56f5406fd935a2c5e65fac58da2bb8dd8f2738e5d7e1251128413b5247a1cfc421e1b5dc6c960272f
-
SSDEEP
6144:K8y+bnr+9p0yN90QEA748JHJlPx2r5z3HVK9ehKCCB2GTNXeD3zsvHclk:QMrty90mM8VJluVSaKCCEUXau
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b
-
Size
1.2MB
-
MD5
2f0b3a7a3e71a02cf6add7921d910dae
-
SHA1
ca074b29a347d603cff8f6a0977c2838575fee84
-
SHA256
e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b
-
SHA512
4e5929ded1720be274600fb1212258b3cf68beee1eb15349f1fa78cbf3f9186498eda4c450e27a8f2ece52bdb11cfe7d65873239a6f0e07dd875cbb885e636dd
-
SSDEEP
24576:7MRqNUuIoPlMdHs8fvIvv2qJCLHPu4CNXeHZST:7m/oPlMdHs8fvqD4PONuE
Score10/10-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Suspicious use of SetThreadContext
-
-
-
Target
e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228
-
Size
1.2MB
-
MD5
2cf5d69da271a679e8aa11c6fd68bcbc
-
SHA1
592e89ba9a032d875c9955e3c80e9d852f0bc704
-
SHA256
e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228
-
SHA512
b1fe414b8e9d1c7c56c5265a3c1386f9dd37c97af64a65f7a04e9460bbdae8d8143d84090392bb0bd51f053b1e3b21ca20b3c9953844de542059408eb9f2e929
-
SSDEEP
24576:0jqhS297HFlZVrmEP33ZaogYUspWkRR5sC96E4:0WTFlZVrmEZikyw
Score10/10-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738
-
Size
479KB
-
MD5
2cb6553c9840b3d0b75e3cb6dfceabdb
-
SHA1
b795b91e6e19782f031fbdae21de93ea2b7be2be
-
SHA256
eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738
-
SHA512
3025a44d0ebb216787f8c39833aa68450592891f7d861a8e010c2f537ea7190192572c0a8a61591f1f889401dcc07ebf4a1b027c692438826b8097907aac9314
-
SSDEEP
12288:7MrLy90YhqS1jB9dQopQaVuKga3WM3s0l5f+nf:Iy9UUldMJaCQmf
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b
-
Size
389KB
-
MD5
2de3042570f5c1958092fccd52196050
-
SHA1
825a3ed1c11fbbb29f78be5b760b7b2bd09b3608
-
SHA256
f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b
-
SHA512
bb05c46d754c4389cc6dd64341b44a27ba466c4786911543a5671b3371541afbb9c69c0052ec37417b7bef11b69d5314d889cc3e62ba5604140876afa1b23541
-
SSDEEP
6144:Kvy+bnr+1p0yN90QELYTRHY6J0ZCPWEMjxFYWYUn3JSt2fgBZ+t4zDg7RJVrQ3N:BMr9y90I2CPzcnYCM2fgBYCzs7REN
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390
-
Size
333KB
-
MD5
2fb6f6336ba7ce88d3c3ae8a9b3dc103
-
SHA1
487a88ca63f36cfbddfd57a8e9c8f9c952e78a91
-
SHA256
fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390
-
SHA512
3c36c4746deff2be3d3f0f2642ca01372e114adae928ef4f5ffbc47f579633758188a8dfa47d82f75d920cdef1785427627a79422a3a829910801009f0c6478e
-
SSDEEP
6144:El5wh/1gr+64UHVXwDMsFGbr195RQyghl1C1bq+C9hfCgH8fGQFG6M+0Xp:EHrr+64UHV6DygP1C1b5SC/fGl6h0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
15Windows Service
15Boot or Logon Autostart Execution
16Registry Run Keys / Startup Folder
16Scheduled Task/Job
7Privilege Escalation
Create or Modify System Process
15Windows Service
15Boot or Logon Autostart Execution
16Registry Run Keys / Startup Folder
16Scheduled Task/Job
7