amadey

Sharing

Copy URL

Twitter E-mail

General

Target

red.zip
Size

51.1MB
Sample

240510-r63p5sbd3s
MD5

d7c845e694c3ccc36cc0a91d6e82c585
SHA1

8f691d574c225e42982103995df13260183bd8d4
SHA256

c9e1bcbbab1fafcf8cc24760bccf3efac8e604baa1ea574dbe47e2dd7ac09433
SHA512

020ea3899d3a2e0831de0c573ab73336072b7f8b4f3ae1ea82ece012e779694012f85f95737c12995107d6397237a8d8cf110aff060e1a6758a5085fb7c51697
SSDEEP

1572864:pCPsgJol5kjVEtpaxs2kwji1p/y+9aOSStwh:pC1Jol5knkUi1pnFSMwh

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

http://5.42.92.67

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

7001210066

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

redline

Botnet

roma

77.91.68.56:19071

Attributes

auth_value
f099c2cf92834dbc554a94e1456cf576

Extracted

Family

redline

Botnet

mihan

217.196.96.101:4132

Attributes

auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

5637482599

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

lande

77.91.124.84:19071

Attributes

auth_value
9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Targets

- Target
  
  01aa1629bce01d1d882c10d835fa7765f2a247f51bcbf0d46b77b87362877916
- Size
  
  390KB
- MD5
  
  a076ae6cb1b18ae3f0157f02f17ad575
- SHA1
  
  a51acdd2e42beb97ca8de21d3a07e62f2fbfbfe4
- SHA256
  
  01aa1629bce01d1d882c10d835fa7765f2a247f51bcbf0d46b77b87362877916
- SHA512
  
  311bb21e88f2ad16c04011058906fb15d2329a97a1f8cfa22a10088c4a2b23a5f57d46f156f74c5b1c8c38bf96af54683803f464b38f68ebf589e5033c95f2b1
- SSDEEP
  
  6144:Kyy+bnr+Ip0yN90QEkX3vNbKMTy4HDtPdpS5eJ9cIkiGBmzC9AozEIsGE:uMrQy90KX3RKM2YtPjSKG8F
Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  0f8698fea90dbf665be173be76a450cd2e77e0ffc44993fbed40dba923374671
- Size
  
  332KB
- MD5
  
  9fceaa1ae1b94cbeea5da147c7a5587d
- SHA1
  
  332404db60a6ddb0c82850675706d733342092d1
- SHA256
  
  0f8698fea90dbf665be173be76a450cd2e77e0ffc44993fbed40dba923374671
- SHA512
  
  ceb39dadde027fde22e99792fe2f5e6c87b8db59e6f94855544d80d6c50c386e0e6599b7074af5322846064a7798bf08d301cf83b6ec0087686070cb7f40f999
- SSDEEP
  
  6144:k3DwTnVE5mxYitLevhwYR+PRCygh3CteoC2jHPKTD+0Xp:kTJ5mxYitL1+ygVL2jOy0Xp
Score

10^/10

redline 5637482599 discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral2 behavioral3
- Target
  
  10c3a4b3e37a803bd0aa6309c39158c1cdc781b3496a972f062f1fe958597862
- Size
  
  390KB
- MD5
  
  a0ca6912e574833240194ec4fe31f631
- SHA1
  
  8755f22d65a895e74cfc8675410f24e255f0827b
- SHA256
  
  10c3a4b3e37a803bd0aa6309c39158c1cdc781b3496a972f062f1fe958597862
- SHA512
  
  4b0b545b1f5bc3d93d71d6a9cd4cb411fb38a56f4c426648fe38837e4bc00c70f8406f679ae08aa8aa296edab828f8aa2b7c3b2db2f7ecb3ca62ee277e6be6ca
- SSDEEP
  
  6144:KFy+bnr+Wp0yN90QEMMHTfcOSn1XrkWGjZNJ2h74Tj98p881bbZKgTDUONPu/:7Mriy90BzfcOS112Tj9g1RKgDUqm/
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  12d321d9a66bfb909ca6ae3097f6aba39263be25c619d424b1dbefd373b20d0f
- Size
  
  390KB
- MD5
  
  a0570c03b2992062f9d7c88983ec0531
- SHA1
  
  ef7a037d1215d81b892aeefd6108df59ccd2167b
- SHA256
  
  12d321d9a66bfb909ca6ae3097f6aba39263be25c619d424b1dbefd373b20d0f
- SHA512
  
  60d7a0422d3a872689e165148ed85c13820017ce7fbbe6e17e1badccb790d1690136144496d3c332c8272e0f94870d90e8bd231b893500f40d0d38e6d45bbf26
- SSDEEP
  
  6144:KYy+bnr+jp0yN90QElD2DJ37wIsWV673NgHi406Yp5EeO2ufKu/:YMrny90rD2DJ372DmB06i5k2uCu/
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  1e8cbc456786daa6da93242154f714f7e224f45514a9556e7a644f39934e3196
- Size
  
  333KB
- MD5
  
  9d97353cb81e2dba6640074038ce5f11
- SHA1
  
  8fc28f957d2532680b6105a7fceb41ba310e6131
- SHA256
  
  1e8cbc456786daa6da93242154f714f7e224f45514a9556e7a644f39934e3196
- SHA512
  
  1a002888c274f608550139ae1a0f3d37e973f2ecefd8824e01f5b98878661f56024983ccf9e22d29bcecb12bf62c03890586a89298c43b18aa659be9fff2cb51
- SSDEEP
  
  6144:X1RwZfFQDOioMvzATd5W0jbSXRYygh2qjjjjjjjSMJRkPpwlem0Kj+0Xp:X/zDOioMvzA+iygUqjjjjjjjSWRrlk05
Score

10^/10

redline 7001210066 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral6 behavioral7
- Target
  
  27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1
- Size
  
  1.2MB
- MD5
  
  861cdcff71d268dee3580d2ce333ac09
- SHA1
  
  94be6d1757a7ab5c0d5ebd464cafb71bc1c5d33d
- SHA256
  
  27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1
- SHA512
  
  b2e905338edbaaf101bd94b91c801972ff30f49a8f0f4740c67faa7e8d3c2be243d0883cec424f9db46bbf7b403ae72b5a6e3201d0861093e9084e920a9f1581
- SSDEEP
  
  24576:ayE5p8ogugja8IT5+YVQ0SVU97kNQ7hDtYT:hwZgja8G5+k79ANQlDtY
Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  2a2e3be04e8391170c3a71e198b45f6e45c085dff086c4e7b09748919fbeaef7
- Size
  
  514KB
- MD5
  
  9d827bb83640e0913032c63de8cb78f1
- SHA1
  
  449eee66a32c41f5c5aee7d77ded58b575c1b984
- SHA256
  
  2a2e3be04e8391170c3a71e198b45f6e45c085dff086c4e7b09748919fbeaef7
- SHA512
  
  ec3e904df1ce5374b9b94d41edad0e79e012992fe988f1f994766022e1fef388500126c14dbe96487650cc8475611d32314c4f20df4ca271f85ce9d53e3ac695
- SSDEEP
  
  12288:WMrdy90DnHgun+muOlzU2R3jp2W8zmUHlz8nlQH:Ly6nHguntu6f2xmal8lQH
Score

10^/10

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral9
- Target
  
  2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c
- Size
  
  325KB
- MD5
  
  a11dbc01603450452854f17aa7ea1eef
- SHA1
  
  18436f7c4a7a4477c0baa93ddc108babce9491bf
- SHA256
  
  2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c
- SHA512
  
  1ac3b35ac7b8742c8eded217595f30ae25eff216409bddd3cc18809ff6e5d873c7feae6e1e3501dc02bebe2205f9f9e8db9718c76315b679ca8ce73aca2135bf
- SSDEEP
  
  6144:K+y+bnr+/p0yN90QEJR9FTYYX8K75Nq/srdzir8IkNO3O0sUBWd:mMrry90bzFFX8KVpirQMFBWd
Score

10^/10

healer dropper evasion persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  4ef1a0149daef80693bc6f0b8f8337399c8687c08ca4792d24e3bdaab9bf6f77
- Size
  
  390KB
- MD5
  
  859f7291df89d775b2c13b9eba46f15e
- SHA1
  
  cd432f7142d19ca13261a674f4456669fff79c8d
- SHA256
  
  4ef1a0149daef80693bc6f0b8f8337399c8687c08ca4792d24e3bdaab9bf6f77
- SHA512
  
  6ffb75ac3d4d5a3cfed9131d46abd4dc0305df6125c5c4e6e926541ee360dfb2e0ed497655873f483089a4154ef5563a691aecb0a5bde83e456e983976411729
- SSDEEP
  
  6144:KOy+bnr+op0yN90QEJVyucfzJ8b9U+BuekimU0dYTCcHnlRHBd11szcoN:6Mrsy90RcF8b20qUscHnl9T11snN
Score

10^/10

amadey healer redline nasa dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral11
- Target
  
  51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7
- Size
  
  315KB
- MD5
  
  290b0115d137ba7f6f75557dea9a3418
- SHA1
  
  4fd841d032858a7bc39d598eca329371bc48a118
- SHA256
  
  51b44e7fef51fc7ece012253c1667cd5cb95636d10007d0e2be5e98e7fd405e7
- SHA512
  
  b843b5beea655f803deb8473cb9ed4f06e0d99c46480dcce39d321b1bcb4b4dff4350bd7c41f6ca0f3eaae31e73e9351ec5de920eddfedc809f119effe362a34
- SSDEEP
  
  6144:8A9pI60nbM8uPZy3+8KIDJgu+PchgHadTi7ZiEfXHS:H9+60nbnueg3cy6RFEPHS
Score

10^/10

redline 7001210066 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral12 behavioral13
- Target
  
  51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244
- Size
  
  390KB
- MD5
  
  29559e945f56a313b5e9264dd6ca7a3b
- SHA1
  
  008abf8dd4f1da5ce1cac168e042ef8bcee54607
- SHA256
  
  51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244
- SHA512
  
  f2dd23e29d5ef28323a0b4741e6ab5c79deeba8dd27bc0565826700e87350ab5f74059e669be30f28054e2e52af57519193099abe75b56be2f65d7071542c14c
- SSDEEP
  
  12288:TMroy90EgA20duD7uAomGFLqcHnl9movoHz:LyVgAy7uGGFL5Ha
Score

10^/10

amadey healer redline nasa dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral14
- Target
  
  7073615f2bb8bdde4bddb204be08de240462e36b437993850d9ebcaa68dc66d4
- Size
  
  307KB
- MD5
  
  9ef8eb127eac07a85f1541a61be71438
- SHA1
  
  4ee1b91a1d2b41f854cb6117b61df899c96f350b
- SHA256
  
  7073615f2bb8bdde4bddb204be08de240462e36b437993850d9ebcaa68dc66d4
- SHA512
  
  cd68198a6da6f1aef7847015a7ffc0298e6cc7d7d205b126900e722c0f457fbd246467cc76d78d720931cb14b64886b88c4ab077a5af757f10776b29460fef33
- SSDEEP
  
  6144:KDy+bnr+kp0yN90QELwSAlxKags0k6BYlPRfq++UU:xMrIy90GrOjfBYjC
Score

10^/10

redline dumud infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral15
- Target
  
  85963051ece1830904f1352feb417a21d0483c9ef3735855d49b257c6278df13
- Size
  
  43.5MB
- MD5
  
  9de6a6858482f7b8c82bd861ea974e09
- SHA1
  
  772ce6a04f3afed268695f26136337a772c76017
- SHA256
  
  85963051ece1830904f1352feb417a21d0483c9ef3735855d49b257c6278df13
- SHA512
  
  fd11b2455361204a9cf9d046acc2b379989e11f7b06f0add808bc2219b104ff10b772d708ab64752efbf894c281c486509d8421edebfa8c3be608e02eb8f2c77
- SSDEEP
  
  786432:CVTtG42LQOiWTx/iNFcFXBHx+rEpTyfgcRMQS7bYC/vswAdlk1MUOH:CPGFM0RwcFXBHx+wgGV4ydAdxUO
Score

1^/10
behavioral16
- Target
  
  91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b
- Size
  
  307KB
- MD5
  
  861644a76bd45137c176d6c5c2b82cd5
- SHA1
  
  5cfb78556e08a6c8e79f6df91cf91df3aff5308d
- SHA256
  
  91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b
- SHA512
  
  b949eb3d0296222433ead224f0905868965dfef8112a5fc33dcd07a3c88f4c1edb999889373faf09dbd06b9b072b76c5c69bcda19d95764839ebc8c2e7f5197e
- SSDEEP
  
  6144:K0y+bnr+mp0yN90QE2wSAl3Oz+7tI9w9F1OQINXV:kMrGy90vr3Oz+7tIOv1OjNXV
Score

10^/10

redline dumud infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral17
- Target
  
  c7a4524e38a070acf6ba7d4865de5125063cd4a021a47872adb720277271f3ae
- Size
  
  390KB
- MD5
  
  86270699bad2681bb3f5f57f44a7094e
- SHA1
  
  cac5e4b620f438ece23b6e9df463b99d2667a95f
- SHA256
  
  c7a4524e38a070acf6ba7d4865de5125063cd4a021a47872adb720277271f3ae
- SHA512
  
  92ed35d0f3a0c22d5be759b2cf71064194e440601cba0b848d6a4440467820273b446a38069794da757c2d1c8ae760792a5156e69e4cf5aeaeb003f8ee740443
- SSDEEP
  
  12288:sMrYy90slB8Ldj5DBLjkSaHAcHnl9kkN6Kw:MyJ8D1lO/Hc
Score

10^/10

amadey healer redline roma dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral18
- Target
  
  cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721
- Size
  
  309KB
- MD5
  
  290ff81ba12e0d1d1a636eb5a3de8823
- SHA1
  
  98ec545dbb97f4b7c55ee3fc91afe85d8e2d60aa
- SHA256
  
  cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721
- SHA512
  
  f168ae49314180c63bd492aa57a7f74b629f4a4398772ade9e4cc9dbcf3e8f8d228beb23c81a668edc4351c892e32c7c0867f91a77a6a667d7151ddbcec2e6f4
- SSDEEP
  
  6144:KUy+bnr+sp0yN90QEM5F5OYc1u31g4TByQpv2+YtIpTA:IMrQy906xc1u31TTEQh2HtSA
Score

10^/10

healer redline mihan dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral19
- Target
  
  d71ef74d3278f53c23c7f004992b27f41fcafdbf8bf24ae61339ef1fded7d1a8
- Size
  
  332KB
- MD5
  
  858d4fcf018a04375747f4e03421027a
- SHA1
  
  2e35b6de141c7b1b848c89d21f456113865425b4
- SHA256
  
  d71ef74d3278f53c23c7f004992b27f41fcafdbf8bf24ae61339ef1fded7d1a8
- SHA512
  
  52869e505b2dc2e4031b9f6ac060bdefce756223ffa7457de666d1af12449381f4aee7b4407da87801df49a8e76d0aee6698a0d28a4afb89ada7c6db511383a9
- SSDEEP
  
  6144:nlZwB/LgLN340nTaDpOU7riHRkygh0HwLUlpCNIvYCeUZw7NA5/ioDJZq+0Xp:nnhLN340nTP+ygOQLgp0IvYCeSKk/i4c
Score

10^/10

redline 7001210066 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral20 behavioral21
- Target
  
  de0b656af41759ffa8477cd8c387f71b8e3cbddbc718028139d53bc1c6b95d69
- Size
  
  390KB
- MD5
  
  a16ac9ef7483e3521231c15a522765cd
- SHA1
  
  4d101b7b20025d4bd709a1db554f2f5d4beb4e9e
- SHA256
  
  de0b656af41759ffa8477cd8c387f71b8e3cbddbc718028139d53bc1c6b95d69
- SHA512
  
  a560db70c1b0624ee3d93193830f1c98c94164b8938b7ad7a9066f0ace9fd6c8606671e21d59b6293054216e3326f12245acdef33cbd8438c5561b3c51cbf14d
- SSDEEP
  
  12288:9MrRy90FVDc5PBTcopqsqeYaacHnl9XyLEUH:sykS5P5TgaJHGv
Score

10^/10

amadey healer redline nasa dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral22
- Target
  
  e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5
- Size
  
  309KB
- MD5
  
  9ed6e3149f3de480b6dba815648459a3
- SHA1
  
  0bca971a602e9a23ed01f24d74e00af6dac8a288
- SHA256
  
  e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5
- SHA512
  
  ffa150f81a93e1d49b159b60927b527fa1ab5918c0d5c20b332ef6c350c156f1c3da5c728b23e3a737abbd88d2c9d9bf719357d28f76c43bcc767145e2e4d218
- SSDEEP
  
  6144:O6hm2uPpiUxyd2eVps3AzI5lftT9KJ0te92+RmnlhA7m/I:7m2uPpit6eI5fZ1te9ZsnlhAQI
Score

1^/10
behavioral23 behavioral24
- Target
  
  f47fb04ed8077b20b9ca93eddc8ce4a4f05ca4367177fba67c1d87d2831d1865
- Size
  
  1.5MB
- MD5
  
  85e57bbbfa4b4a93b3389c480fac7189
- SHA1
  
  bd185ed9b704ae08c0fd652ca05ee3f3cbfccef5
- SHA256
  
  f47fb04ed8077b20b9ca93eddc8ce4a4f05ca4367177fba67c1d87d2831d1865
- SHA512
  
  10b7313ed100b1539cf8e4d6caaa996ee8185010d3d475c416b7be8e8f032514605bff766f5210d0921a96a9ad84730bf7583970949c9b62557b42db3d384238
- SSDEEP
  
  49152:pvUrKe4i6MP4mUJJq5ZuIISIxVa46ecL:W34rMP4fTq5ZuxxVJa
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

RedLine

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

RedLine

RedLine payload

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

SmokeLoader

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings