General

  • Target

    r3.zip

  • Size

    23.3MB

  • Sample

    240510-r2atkaba8z

  • MD5

    b2e6debb0c9b27f6730cc4e7f50f78ef

  • SHA1

    c662aa17a7fbe24240a8da7f29e7cde5ed9d3f85

  • SHA256

    a33c889b1929e9442a2a49de188e05a8ddbddcb32a7231b7c362f6833a45d720

  • SHA512

    6b81338aa18d6283afd4537c66b376b0fd1f4b051086ad2115fe5f0337ef21ad2a90a9c41a3dc72b295eac9e121abf03ebec30f4034670aab15ba310d22e8cfd

  • SSDEEP

    393216:xUpQxq4e+/q3XkdD5qLCX0u0ebivXbaVRtj5xNRMum/DoMjb+sXYCNeeMMty:xvxqSq30Dh0nlaVDNun/DoMjb+kQeHY

Malware Config

Extracted

  • Family: amadey
  • Version: 3.86
  • C2: http://77.91.68.61, http://5.42.92.67
  • install_dir: 925e7e99c5
  • install_file: pdates.exe
  • strings_key: ada76b8b0e1f6892ee93c20ab8946117
  • url_paths: /rock/index.php
  • rc4.plain: (value not shown)

Extracted

  • Family: redline
  • Botnet: lande
  • C2: 77.91.124.84:19071
  • auth_value: 9fa41701c47df37786234f3373f21208

Extracted

  • Family: redline
  • Botnet: news
  • C2: 77.91.68.68:19071
  • auth_value: 99ba2ffe8d72ebe9fdc7e758c94db148

Extracted

  • Family: redline
  • Botnet: mihan
  • C2: 217.196.96.101:4132
  • auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

  • Family: redline
  • Botnet: 5345987420
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted

  • Family: redline
  • Botnet: dumud
  • C2: 217.196.96.101:4132
  • auth_value: 3e18d4b90418aa3e78d8822e87c62f5c

Extracted

  • Family: redline
  • Botnet: lamp
  • C2: 77.91.68.56:19071
  • auth_value: ee1df63bcdbe3de70f52810d94eaff7d

Extracted

  • Family: redline
  • Botnet: masha
  • C2: 77.91.68.48:19071
  • auth_value: 55b9b39a0dae383196a4b8d79e5bb805

Extracted

  • Family: redline
  • Botnet: nasa
  • C2: 77.91.68.68:19071
  • auth_value: 6da71218d8a9738ea3a9a78b5677589b

Extracted

  • Family: redline
  • Botnet: kira
  • C2: 77.91.68.48:19071
  • auth_value: 1677a40fd8997eb89377e1681911e9c6

Extracted

  • Family: redline
  • Botnet: crazy
  • C2: 83.97.73.129:19068
  • auth_value: 66bc4d9682ea090eef64a299ece12fdd

Extracted

  • Family: redline
  • Botnet: muha
  • C2: 83.97.73.129:19068
  • auth_value: 3c237e5fecb41481b7af249e79828a46

Extracted

  • Family: redline
  • Botnet: (none)
  • C2: 91.103.252.48:33597
  • auth_value: 562d3280c1a052ff370bad4ad69185f7

Extracted

  • Family: redline
  • Botnet: 5637482599
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted

  • Family: redline
  • Botnet: krast
  • C2: 77.91.68.68:19071
  • auth_value: 9059ea331e4599de3746df73ccb24514

Extracted

  • Family: amadey
  • Version: 3.85
  • C2: http://77.91.68.3
  • install_dir: 3ec1f323b5
  • install_file: danke.exe
  • strings_key: 827021be90f1e85ab27949ea7e9347e8
  • url_paths: /home/love/index.php
  • rc4.plain: (value not shown)
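The configs above, taken from this report, normalised into a de-duplicated IOC set (an added Python example, not part of the sandbox output). It assumes an Amadey beacon URL is the C2 host joined with each url_paths entry, treats the pastebin.com raw URL as a dead-drop resolver to hunt for rather than a socket to block, and emits one Suricata alert per direct C2 socket; the rule text, SIDs and message strings are this example's own.

```python
"""Turn the Amadey/RedLine configs extracted above into a de-duplicated IOC set.

Added example; the values in CONFIGS are copied from the report, everything
else (how fields are combined, the Suricata rule text and SIDs) is this
example's own choice.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Copied from the "Malware Config" section of the report.
CONFIGS = [
    {"family": "amadey", "version": "3.86", "c2": ["http://77.91.68.61", "http://5.42.92.67"],
     "install_dir": "925e7e99c5", "install_file": "pdates.exe", "url_paths": ["/rock/index.php"]},
    {"family": "amadey", "version": "3.85", "c2": ["http://77.91.68.3"],
     "install_dir": "3ec1f323b5", "install_file": "danke.exe", "url_paths": ["/home/love/index.php"]},
    {"family": "redline", "botnet": "lande", "c2": ["77.91.124.84:19071"]},
    {"family": "redline", "botnet": "news", "c2": ["77.91.68.68:19071"]},
    {"family": "redline", "botnet": "mihan", "c2": ["217.196.96.101:4132"]},
    {"family": "redline", "botnet": "5345987420", "c2": ["https://pastebin.com/raw/NgsUAPya"]},
    {"family": "redline", "botnet": "dumud", "c2": ["217.196.96.101:4132"]},
    {"family": "redline", "botnet": "lamp", "c2": ["77.91.68.56:19071"]},
    {"family": "redline", "botnet": "masha", "c2": ["77.91.68.48:19071"]},
    {"family": "redline", "botnet": "nasa", "c2": ["77.91.68.68:19071"]},
    {"family": "redline", "botnet": "kira", "c2": ["77.91.68.48:19071"]},
    {"family": "redline", "botnet": "crazy", "c2": ["83.97.73.129:19068"]},
    {"family": "redline", "botnet": "muha", "c2": ["83.97.73.129:19068"]},
    {"family": "redline", "c2": ["91.103.252.48:33597"]},
    {"family": "redline", "botnet": "5637482599", "c2": ["https://pastebin.com/raw/NgsUAPya"]},
    {"family": "redline", "botnet": "krast", "c2": ["77.91.68.68:19071"]},
]

# Legitimate services the report flags as abused for C2 (ATT&CK T1102); they
# resolve the real C2 and should be hunted for, not blocked outright.
DEAD_DROP_HOSTS = {"pastebin.com"}


def split_c2(value):
    """Return (host, port, path) for either a URL or a bare host:port string."""
    if "://" in value:
        u = urlsplit(value)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path or "/"
    host, _, port = value.rpartition(":")
    return host, int(port), None


def amadey_beacon_urls(cfg):
    """Assumption: the beacon URL is each C2 host joined with each url_paths entry."""
    return [host.rstrip("/") + path for host in cfg["c2"] for path in cfg["url_paths"]]


def build_iocs(configs):
    iocs = {"hosts": set(), "sockets": set(), "urls": set(), "dropped_files": set(),
            "dead_drops": set(), "botnets_by_c2": defaultdict(set)}
    for cfg in configs:
        if cfg["family"] == "amadey":
            iocs["urls"].update(amadey_beacon_urls(cfg))
            iocs["dropped_files"].add(cfg["install_dir"] + "\\" + cfg["install_file"])
        for c2 in cfg["c2"]:
            host, port, _ = split_c2(c2)
            iocs["hosts"].add(host)
            if host in DEAD_DROP_HOSTS:
                iocs["dead_drops"].add(c2)
            else:
                iocs["sockets"].add((host, port))
            if cfg["family"] == "redline":
                # Several botnet IDs share one C2; grouping shows the shared infrastructure.
                iocs["botnets_by_c2"][c2].add(cfg.get("botnet", "<none>"))
    return iocs


def suricata_rules(iocs, sid_base=9000000):
    """One alert per direct C2 socket; dead-drop URLs are deliberately left out."""
    return [
        f'alert tcp $HOME_NET any -> {host} {port} (msg:"Stealer C2 {host}:{port}"; '
        f'flow:to_server,established; sid:{sid_base + i}; rev:1;)'
        for i, (host, port) in enumerate(sorted(iocs["sockets"]))
    ]


if __name__ == "__main__":
    found = build_iocs(CONFIGS)
    for c2, bots in sorted(found["botnets_by_c2"].items()):
        print(f"{c2:40} {', '.join(sorted(bots))}")
    print("\n".join(suricata_rules(found)))
```

Running it shows that 77.91.68.68:19071 serves the news, nasa and krast botnets and that the two numeric botnet IDs share the same pastebin dead drop, so a single block on that URL would not separate them; the auth_value fields are per-botnet and are left out of the network IOCs because they appear only inside the stealer's own protocol.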

Targets

    • Target

      2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc

    • Size

      514KB

    • MD5

      ad9443ce5e431e8295fd202f57cf1d6d

    • SHA1

      330ab81f8d5d8360f11e9e15f6829608c3ed666e

    • SHA256

      2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc

    • SHA512

      d6bfaf96f61d6055c4e368f22542ba85d8d9c77d652480195953db43eced505a7102d5b10d79842e76483f90b1bbfa22a0d2fd6d0a423166efc8c585c3f665fb

    • SSDEEP

      12288:NMrby90ooS9jGwyQikPj16mcXt3Q+snYfeplV3:GyOSTJj143Q7nmebh

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df

    • Size

      389KB

    • MD5

      ad9be100cf69828b8e7a7a836154d5e4

    • SHA1

      dbf0f2accdb22e674419d2c0abda7fbef534c3dd

    • SHA256

      24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df

    • SHA512

      0e13d0bc6bfffef4ee50fb62eb2168de8426761b4da0091c95eceb7cb1f461bf05f73677bc07ddf504e69e306a3848e148b22c9fc17eeb3a247647a96d7f0446

    • SSDEEP

      6144:KKy+bnr+Rp0yN90QEnI11PokWcnZNbQR5nfyQPLaW5F/tyKYuNcUNQfMFkkhgVRn:WMrdy90uTPTcty+dqMS/VRi1nm

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447

    • Size

      314KB

    • MD5

      a2e82df6d2a9597325d8523d3625b7c9

    • SHA1

      1a5bf994f2bc9c0cd810e94776a3fc480f5d7f3b

    • SHA256

      2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447

    • SHA512

      1a89b7a438d12b21e4c2b2b9afbc348fcab3bfbce86b03ae49b001a5a184ed911cbf5f484da987c23957fec7afe9deebfc815215ef956bb3a8edf692a000eb10

    • SSDEEP

      6144:znnpI60nbM8uPZy3+8KIDx7uVKBrC27XXJCWsgg5DeQhNM9PXHS:zn+60nbnuK7I+rC0XX4gg5CQhqHS

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad

    • Size

      1.0MB

    • MD5

      aa56dc80d4e82ae017ce150cf8fa48cc

    • SHA1

      2a7ee36a1296e0438ef0e7a9ab41d8ff03496ec4

    • SHA256

      2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad

    • SHA512

      ce4c8441785c866d0bc9ab8a5c23bba8815fd8a1e30b9ab10ec6a36c6aaba2ebf70bf3c53a9515a52402014daf6e2b25542397fc498bb9a12ad11ee602769daf

    • SSDEEP

      24576:XyaHBh7s7f2+6EFDn3Q521V2AJ56SANT0kAZJzgc:iahwfsEd3F1sAJ565gke

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a

    • Size

      514KB

    • MD5

      a5906f38456848691daa7ad90e16383b

    • SHA1

      5eed856722109411b99eb607e5bbe4f4dc1537d8

    • SHA256

      30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a

    • SHA512

      ab8d1c01d7de39c82df4db1f704c0ae70d907c32dbf96bf9482d08ff4de06c7afb0636ba770b67b34af76fa848b6391b3b97a9aa6fa09bd993033b691b2c114c

    • SSDEEP

      12288:QMrZy90Xngq0rDJXt+/xLRjDd2zMpoCGmhF631xFKrn+CjYd:Zy60Pq/xFAwFGNFxFw+4k

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566

    • Size

      514KB

    • MD5

      a3b12999051bccd12021b96b6f86c928

    • SHA1

      d8fa4600a37079cabc0b61744970a0e1efaeb502

    • SHA256

      45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566

    • SHA512

      d795296547eefe35537e545f47a5b3bfb2a2cbc298c0ec422a62fd888fab370685b2102c4ee289ad8cc34e30f97dd616ec53e8cce3682d711ab28c5504a933b4

    • SSDEEP

      12288:kMrPy90Ptd6fvSMfJOjUlYm3Yw+uMNdwmD+gV3:DyTfqMfJOjQY2z+dwmD7

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a

    • Size

      307KB

    • MD5

      a9938a8bf2e4c5465b0c1f8d94199778

    • SHA1

      21a10d69514111047d789e5fabe472a9cb8b190f

    • SHA256

      4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a

    • SHA512

      5404f81f3dae9f4c5192c18448aa15f90ff15e5823d6f971cafb3670d301f620c0928ed02bec680fedb7213b631d7e72e1748e097a0c477fa73df7c430f320f2

    • SSDEEP

      6144:KLy+bnr+lp0yN90QEv5F5OYc1u31g4TByxV7KJytDAUYss:dMrZy90Pxc1u31TTExV7KEt0UYss

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d

    • Size

      390KB

    • MD5

      a6f8f7131f6c47621b2e965cd6b6c981

    • SHA1

      327a8177a15d3a0838e98aa40ea5a8a46c655d95

    • SHA256

      6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d

    • SHA512

      d2b98015331f39aefb690df721fc0a0696dd17a621828cf729efca2cde927a8e603e5f88df50414d46020df7a52b49470df60cd7eb08a0ca9301a6ba50d00b3f

    • SSDEEP

      6144:KSy+bnr+Sp0yN90QE3zx3tQ3dNyVO12a/QNe9EOgqOLjBavFo4:mMr2y90pV3tQVo0QCaFma4

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5

    • Size

      389KB

    • MD5

      aa413f00a634a54138763909ad2d91fd

    • SHA1

      1878f20db3f565f33a3e719132e7c1a26169a938

    • SHA256

      72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5

    • SHA512

      1e87efeb14401efd75d2e76423e750a0dd78e70f579c62a5a876e046300674dddde54ff450f06dfad4c95ae85e8d96f0f8199b1222cc206912b8d1aaa4567a5e

    • SSDEEP

      12288:tMrKy90lN9Rx8Rh/VCUR3OFegBYCRCThPL:vykFx8RhVCUB+9zuL

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7ba9a3982314fb26523fd5988b2b520e3a32094566503b3706d39e88d9a9b35d

    • Size

      309KB

    • MD5

      a8738037b8124a9ad50d2479fa535762

    • SHA1

      3d7c656a7fe926fbf6c6a8d860b5524c0d1c1afb

    • SHA256

      7ba9a3982314fb26523fd5988b2b520e3a32094566503b3706d39e88d9a9b35d

    • SHA512

      1a8354d7e3941de59fdf8692c9473f1bd3b837c81e892909ce3641a5dc63fe52cc6854c11ebe26c57ec2c1eaf5add870ef3ef616b8b8d870a9676755c3668c23

    • SSDEEP

      6144:KTy+bnr+Sp0yN90QEV5F5OYc1u31g4TByk8zYHwl0UV8Mj:ZMrSy90Nxc1u31TTEk8xj

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7f181e671ca7e88969b8dbb65e5906d2d04178a6bfb5756591ea3bc12c4809fc

    • Size

      332KB

    • MD5

      b00adcc86618a8f28690451ebc279d6d

    • SHA1

      c7bdbc58ba0151095793c5d57183060eaefed14f

    • SHA256

      7f181e671ca7e88969b8dbb65e5906d2d04178a6bfb5756591ea3bc12c4809fc

    • SHA512

      71a756e6328b3b226e8c52a8d3a831253b1221b1934cac2951d55c704c1c00153d9cc55bdf44380f21e82bf19d5a39bffc83154f33150c45a748cb4eaf6b56f6

    • SSDEEP

      6144:klZwB/LgLN340nTaDpOU7riHRkyghGiypL8yFxCFXTAXDREodP+0Xp:knhLN340nTP+yg0iylxxCFUGodW0Xp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a

    • Size

      12.3MB

    • MD5

      a1e5c187755b1d1f6ecd92de6a1ee13d

    • SHA1

      b809713035e9e0451f7ab7e7b8f29b2c8e44dff5

    • SHA256

      8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a

    • SHA512

      c6e484d4668cd78d67b5ba5f65ab4639c2c03906e8585388aba521ec0ec062f9ea24109f174e9c4805c33230b5162a40ffcc65095f68d6baa14ef6b69490ecf0

    • SSDEEP

      196608:tUSP+yQZ55mfaEsVpxlTCUmT3p84YcgYp6OfPe1VyW4PTPJetC93t:tFw/41sVpTTC89PYgmPe1VSrPoC

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      ae6ddd393a98c003c8da6717e815e71c83f5a3b75783ce55e2793d35c51a9ad7

    • Size

      307KB

    • MD5

      a2ee8b5bb221af85a82fdb873d58d8e8

    • SHA1

      9e3456c33ad34ac4c394a031e6fd2e03a37503eb

    • SHA256

      ae6ddd393a98c003c8da6717e815e71c83f5a3b75783ce55e2793d35c51a9ad7

    • SHA512

      f52c8ab86819dafeae654e56cabf9157b1cb8f50098134dc4821edb8051bb739c5d1fe9f7b2fda560e028c3158065cd1ebb607e80a81a2d2ea41483d7f1fbca9

    • SSDEEP

      6144:KDy+bnr+Ugp0yN90QEX5F5OYc1u31g4TByS8EvbNk3yReoWkD:pMr3y90nxc1u31TTES8kk3p+D

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa

    • Size

      919KB

    • MD5

      aa26cccde046b0e54b832825a5756c35

    • SHA1

      f5c538220421870979edb4d93fdf8b02a4d0ecbc

    • SHA256

      b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa

    • SHA512

      60ace7d38dccf257e75c6e369355975b84757c127f93afecd6e58f4316bd7f1d13cf55f7d4264d6928e37f62a37d838f9b044567ea49f8bd27eec9511130a290

    • SSDEEP

      24576:IyAXaONmQk2uEBNOAaIGqgK1wjH9AxXChzyvp:PAr+RpItggoH9ARC4

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c39e49cedba79cf37944568e6b8975f59cf50c3ee02bad2cb56a9047b12fcee5

    • Size

      2.3MB

    • MD5

      a4fb9883ee8a8beb10c262b023906548

    • SHA1

      b332a89c7ab5de8e522f00cec3df72fb251e3ee9

    • SHA256

      c39e49cedba79cf37944568e6b8975f59cf50c3ee02bad2cb56a9047b12fcee5

    • SHA512

      9b13e63c323cdc49c48ded53ae80d9249545f8ad8630c0c2613cc48619bf7df669e76e15b6f255a1fc19ebc2a562dbcd03350b90dc90b15ea07405a45dfc5014

    • SSDEEP

      49152:AdeZsBDZfkum6kQgZxV0+qU9NOqbc5alaZVQ9ViNiv5DNwRFCrKB:ASMDk+cxV0+HbFcogZVQ9ViNiv5BwWg

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc

    • Size

      1.6MB

    • MD5

      aed3e716f608104e2440f5a872c969de

    • SHA1

      07bd20370b5dfebd101d421c64d040163aab20fc

    • SHA256

      cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc

    • SHA512

      80b1c179f57468ff121a0909e7e6940af32122e2086754329463c9c1877ea6e2cd4cfd0eccfe3f31b830a5d51fec6ceaacbd9e6c8eb6254cd734b0c4cdf00b5b

    • SSDEEP

      24576:fyl8gNcSnpEaZYaoMZ7R9DkPAjuhhqT5zoCVQcx/e1jTfIHBx8sEwZZl7:qHDVq0NZkPmKh8zoCVQt1/Inxz

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e

    • Size

      390KB

    • MD5

      ac4ef0a8163aa70cb3fb5a2c03402872

    • SHA1

      1f1ce96331c7c08e874f90e466a2617aa1295cfe

    • SHA256

      cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e

    • SHA512

      65e603525a657b938a3a0bef0faae91a787e00c8f28670e3113090340c8f982291e01455756e46b5e4abca68cc8598d8887f8b30c984b444f03b18a102c44e54

    • SSDEEP

      6144:KYy+bnr+Vp0yN90QEjJh/9hdzrnZ9YgDCV4ZfWb33aY3sJ41IwTSU3VqAtGay:8Mr9y90RblfzPtDCV4tyHsJh5AtGay

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff

    • Size

      862KB

    • MD5

      a85e4b8403f70f8c8c2a4694b484c3a8

    • SHA1

      ee614a34528cda5db2c436bbc77247c3fe213f60

    • SHA256

      dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff

    • SHA512

      457c453516d49626c8f0e5e9a446962314e44c1cfa8ae5b50f0fe344590ceb2a20f53936c3d6a6aff9e0379bbe8e0b9afdb3ec994ce1ad0980620919f29b5157

    • SSDEEP

      24576:5yRfeUF4xX+YYKqx+QgmUpqWngJeXUXDH7:ssUF4xXPY5gmRVJeX

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956

    • Size

      435KB

    • MD5

      a76aada563b5fff5cf81824d40e87c25

    • SHA1

      b6c50c7d69b765a396e3995642cd3c82ed9eb370

    • SHA256

      f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956

    • SHA512

      093e3da142ee67a4da1c8f352460e5d90e9565ec60855285a19eb6e2c2f85d8b8ec22e0b5f46194222954ffeb19e1a8451f9d364c8869f1ef8050decc7154a56

    • SSDEEP

      6144:KGy+bnr+2p0yN90QERSilWQs1fiFwqQdcKrObo6czcJVDQvY6iflPOxpJOrtND4h:CMruy90HSil5s16yMbl+xHslOpMzKL1

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616

    • Size

      490KB

    • MD5

      a9b440ad0e7d76d9fa2ec485fa53eeba

    • SHA1

      179dcad63a03197776e3b9ee4354dbfa413f7528

    • SHA256

      f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616

    • SHA512

      bbdbfdf856719da627de9c70324edfeec3e2d91d32550c12fd2923302456da68768618f45788bc68e71d48de3f30e731181b9a69139624a70bf936a8a7de3a15

    • SSDEEP

      12288:quFz06FWD5fReUOLoFCaK40dC3l8qjNG8AR:qr+WVJeVLeK4PljJA

    Score
    10/10
    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count the report attaches to it.

Execution
  • Scheduled Task/Job (T1053): 6

Persistence
  • Create or Modify System Process (T1543): 15
    • Windows Service (T1543.003): 15
  • Boot or Logon Autostart Execution (T1547): 16
    • Registry Run Keys / Startup Folder (T1547.001): 16
  • Scheduled Task/Job (T1053): 6

Privilege Escalation
  • Create or Modify System Process (T1543): 15
    • Windows Service (T1543.003): 15
  • Boot or Logon Autostart Execution (T1547): 16
    • Registry Run Keys / Startup Folder (T1547.001): 16
  • Scheduled Task/Job (T1053): 6

Defense Evasion
  • Modify Registry (T1112): 45
  • Impair Defenses (T1562): 29
    • Disable or Modify Tools (T1562.001): 29

Credential Access
  • Unsecured Credentials (T1552): 4
    • Credentials In Files (T1552.001): 4

Discovery
  • Query Registry (T1012): 11
  • System Information Discovery (T1082): 15
  • Peripheral Device Discovery (T1120): 3

Collection
  • Data from Local System (T1005): 4

Command and Control
  • Web Service (T1102): 2
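The registry-based signatures attached to the targets above (Windows Defender real-time protection tampering, Run-key persistence to a dropped executable, the country-code lookup and the Uninstall-key enumeration) expressed as detection logic over registry events and mapped to the ATT&CK IDs listed in the matrix. This is an added Python example, not part of the report. The event records are constructed to resemble Sysmon Event ID 13 value-set events plus read events from an API-monitor trace, because Sysmon does not log registry reads; the registry paths are the well-known locations for each behaviour and the Temp install path is assumed, while the install_dir and install_file names come from the extracted Amadey configs.

```python
"""Match registry events against the report's registry-based signatures.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed;
registry paths are the well-known locations for each behaviour (assumed to be
what the report's signatures key on), and only the Amadey install_dir and
install_file names are taken from the extracted configs.
"""
import re
from typing import NamedTuple


class RegEvent(NamedTuple):
    image: str          # process image name
    op: str             # "set" = value written (Sysmon ID 13), "query" = value read (API trace)
    target: str         # full registry path, key\value
    details: str = ""   # data written, for "set" events


class Hit(NamedTuple):
    signature: str
    technique: str
    image: str
    target: str
    dropped: bool       # Run-key data points at one of the dropped Amadey files


# install_dir\install_file from the two Amadey configs extracted above.
AMADEY_DROPS = (r"925e7e99c5\pdates.exe", r"3ec1f323b5\danke.exe")

# (report signature name, ATT&CK ID, required op, path regex, data regex or None)
RULES = [
    ("Modifies Windows Defender Real-time Protection settings", "T1562.001", "set",
     re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I),
     re.compile(r"^(?:1|0x0*1|DWORD \(0x0*1\))$", re.I)),      # only fire when the feature is turned off
    ("Adds Run key to start application", "T1547.001", "set",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I), None),
    ("Checks computer location settings", "T1012", "query",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), None),
    ("Checks installed software on the system", "T1012", "query",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I), None),
]


def detect(events):
    """Return one Hit per (event, rule) pair whose op, path and data all match."""
    hits = []
    for ev in events:
        for name, tid, op, path_re, data_re in RULES:
            if ev.op != op or not path_re.search(ev.target):
                continue
            if data_re is not None and not data_re.match(ev.details.strip()):
                continue
            dropped = any(d.lower() in ev.details.lower() for d in AMADEY_DROPS)
            hits.append(Hit(name, tid, ev.image, ev.target, dropped))
    return hits


def techniques(hits):
    return {h.technique for h in hits}


# Constructed events; the Temp install path is assumed, not taken from the report.
SAMPLE_EVENTS = [
    RegEvent("pdates.exe", "set",
             r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000001)"),
    RegEvent("pdates.exe", "set",
             r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdates",
             r"C:\Users\user\AppData\Local\Temp\925e7e99c5\pdates.exe"),
    RegEvent("danke.exe", "query", r"HKCU\Control Panel\International\Geo\Nation"),
    RegEvent("danke.exe", "query",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp\DisplayName"),
    # Benign Defender write under a different subkey: must not fire.
    RegEvent("svchost.exe", "set",
             r"HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\AVSignatureVersion",
             "1.391.0.0"),
]


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        flag = " [dropped file]" if h.dropped else ""
        print(f"{h.technique:10} {h.image:12} {h.signature}{flag}")
```

The Defender rule deliberately requires a write of 1 to a Disable* value under Real-Time Protection, so signature updates and other routine Defender writes stay quiet; the two read-side rules will only ever fire on a data source that records registry queries, which is a sandbox or an API monitor rather than Sysmon.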

Tasks

  • static1 (score 7/10): upx
  • behavioral1 (score 10/10): amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
  • behavioral2 (score 10/10): healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  • behavioral3 (score 3/10): no tags
  • behavioral4 (score 10/10): redline, 5637482599, discovery, infostealer, spyware, stealer
  • behavioral5 (score 10/10): healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
  • behavioral6 (score 10/10): amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
  • behavioral7 (score 10/10): amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
  • behavioral8 (score 10/10): healer, redline, dumud, dropper, evasion, infostealer, persistence, trojan
  • behavioral9 (score 10/10): amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  • behavioral10 (score 10/10): amadey, healer, redline, news, dropper, evasion, infostealer, persistence, trojan
  • behavioral11 (score 10/10): healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
  • behavioral12 (score 3/10): no tags
  • behavioral13 (score 10/10): redline, 5345987420, discovery, infostealer, spyware, stealer
  • behavioral14 (score 7/10): persistence
  • behavioral15 (score 10/10): healer, redline, dumud, dropper, evasion, infostealer, persistence, trojan
  • behavioral16 (score 10/10): healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  • behavioral17 (score 7/10): upx
  • behavioral18 (score 7/10): upx
  • behavioral19 (score 10/10): healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
  • behavioral20 (score 10/10): amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  • behavioral21 (score 10/10): healer, redline, kira, dropper, evasion, infostealer, persistence, trojan
  • behavioral22 (score 10/10): healer, redline, crazy, muha, dropper, evasion, infostealer, persistence, trojan
  • behavioral23 (score 10/10): redline, infostealer
  • behavioral24 (score 10/10): redline, infostealer