General

  • Target

    red.zip

  • Size

    9.6MB

  • Sample

    240510-rkj1xaac4t

  • MD5

    d61b3dde7b9f8821f9e9310dd9a6725b

  • SHA1

    3e09483c22528f79504bbc42afccc6c2f1d2c334

  • SHA256

    efe008ef2d2f134b3dc13b0e7774cf5afaac37652f491658b45665e175cf12b9

  • SHA512

    bb3c79065b5fb4996a113d814ac2d946252b31022628086dd131582ef953906ab007a08e32f8ba1c94eb950bd3e5869895c2551805142d4a74a09fd30b2c3deb

  • SSDEEP

    196608:w3KiL4p6YPYtkF4ePhaKqUhbQHxUgkXZTZF5DrlEaQwyYlrvFqUPbf1m:nFgYPTFFPTNGrkXRjJrlVzyYl7pT9m

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

http://77.91.68.61

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

5195552529

C2

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes
  • auth_value

    9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514
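
The extracted configurations above are the most actionable part of this report, and several of them share infrastructure. The script below is an added example, not part of the sandbox output: it parses a constructed key: value condensation of the Extracted blocks above, joins each Amadey C2 base with its url_paths, treats the RedLine host:port entries as sockets, classifies the pastebin raw URL as a dead-drop resolver (the "Legitimate hosting services abused" signature and ATT&CK T1102 in the matrix below), then lists the C2 values that more than one botnet points at and how many distinct hosts sit in each /24. The dead-drop classification and the /24 grouping are choices made here, not statements from the report.

```python
"""Normalize the report's extracted C2 configurations into typed, deduplicated IOCs.
Added example for this page, not part of the sandbox report. CONFIGS is a constructed
key: value condensation of the 'Malware Config / Extracted' blocks; the parser handles only that layout."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed from the Extracted blocks above; a new 'Family' line starts a new config.
CONFIGS = """
Family: amadey
Version: 3.85
C2: http://77.91.68.3
url_paths: /home/love/index.php
Family: redline
Botnet: nasa
C2: 77.91.68.68:19071
Family: amadey
Version: 3.86
C2: http://5.42.92.67
C2: http://77.91.68.61
url_paths: /norm/index.php
Family: redline
Botnet: lande
C2: 77.91.124.84:19071
Family: redline
Botnet: roma
C2: 77.91.68.56:19071
Family: redline
Botnet: lamp
C2: 77.91.68.56:19071
Family: redline
Botnet: 5195552529
C2: https://pastebin.com/raw/NgsUAPya
Family: redline
Botnet: mihan
C2: 217.196.96.101:4132
Family: redline
Botnet: kira
C2: 77.91.68.48:19071
Family: redline
Botnet: dumud
C2: 217.196.96.101:4132
Family: redline
Botnet: krast
C2: 77.91.68.68:19071
"""

def parse_configs(text):
    """One dict per config; C2 may repeat inside a config, so it is kept as a list."""
    configs = []
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "family":
            configs.append({"family": value, "c2": []})
        elif key == "c2":
            configs[-1]["c2"].append(value)
        else:
            configs[-1][key] = value
    return configs

def label(cfg):
    """RedLine configs carry a botnet name; Amadey configs only a version."""
    return cfg.get("botnet") or f"{cfg['family']} {cfg.get('version', '?')}"

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def normalize(configs):
    """Turn each C2 entry into a typed indicator; configs sharing a value are merged."""
    by_value = {}
    for cfg in configs:
        for c2 in cfg["c2"]:
            if "://" not in c2:                      # RedLine: bare host:port socket
                host, kind, value = c2.rpartition(":")[0], "socket", c2
            elif cfg["family"] == "amadey":          # Amadey: base URL + url_paths is the beacon URL
                host, kind, value = urlparse(c2).hostname, "url", c2.rstrip("/") + cfg.get("url_paths", "")
            elif not is_ip(urlparse(c2).hostname):   # hostname on a paste/hosting service: dead-drop
                host, kind, value = urlparse(c2).hostname, "dead_drop", c2   # resolver (T1102), not the C2
            else:
                host, kind, value = urlparse(c2).hostname, "url", c2
            rec = by_value.setdefault(value, {"type": kind, "value": value, "host": host, "labels": set()})
            rec["labels"].add(label(cfg))
    return list(by_value.values())

def shared_infrastructure(indicators):
    """C2 values that more than one botnet/config points at: the pivots worth hunting on."""
    return {i["value"]: sorted(i["labels"]) for i in indicators if len(i["labels"]) > 1}

def hosts_per_netblock(indicators, prefix=24):
    """Distinct C2 hosts per /prefix; a dense block usually means one hosting provider."""
    blocks = defaultdict(set)
    for i in indicators:
        if is_ip(i["host"]):
            blocks[str(ipaddress.ip_network(f"{i['host']}/{prefix}", strict=False))].add(i["host"])
    return {net: len(hosts) for net, hosts in blocks.items()}

if __name__ == "__main__":
    iocs = normalize(parse_configs(CONFIGS))
    print(*(f"{i['type']:<9} {i['value']:<42} {','.join(sorted(i['labels']))}" for i in iocs), sep="\n")
    print("shared:", shared_infrastructure(iocs), "\nper /24:", hosts_per_netblock(iocs))
```

Running it reports 77.91.68.68:19071 (nasa, krast), 77.91.68.56:19071 (roma, lamp) and 217.196.96.101:4132 (mihan, dumud) as shared, and five distinct C2 hosts inside 77.91.68.0/24, which is what makes a netblock-level block or hunt worthwhile here rather than single-IP indicators. The strings_key, rc4 and auth_value attributes are not used in this example.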

Targets

    • Target

      0e13a10fd67a47892e598c6953856fd7786d3e7b1f70c519cae5cfe6b7ce37cb

    • Size

      515KB

    • MD5

      3e4e8d216a0d15843b0aec01c987bd3c

    • SHA1

      f97fd9bdafbc200bfb0fc0831ba2f467f292e5b5

    • SHA256

      0e13a10fd67a47892e598c6953856fd7786d3e7b1f70c519cae5cfe6b7ce37cb

    • SHA512

      ae797941b8f5e7cf81093a47b49c043c3e22b6df6cfeb4f11d6a484c43aaefb59c913763024b54bd9955e38c84549b75854de1e248080b6a669e95ed56b096ef

    • SSDEEP

      12288:RMrRy90hbABebqT7LJ525DJbwwIHlNkeI9UhJGT:cyEwGqG5Dl8FNWe2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      1d089addfe2c948a1a6c3e3f250f79ed616a211060d99b5efec78c1eb1b2b0b5

    • Size

      307KB

    • MD5

      406420c14aa174852320d385d123709e

    • SHA1

      7d024d2fa2371bafadc17f0f0b6f99e27066f96a

    • SHA256

      1d089addfe2c948a1a6c3e3f250f79ed616a211060d99b5efec78c1eb1b2b0b5

    • SHA512

      854da09f5d7affd56b0053dee765ae569ddb42cdbb80b5290bf1671630b9e0e938b04e5a26c04ba9cd7f4721918eaa487858497bdd241417d92339b6a938a859

    • SSDEEP

      6144:KPy+bnr+rp0yN90QEg5F5OYc1u31g4TByzpGJqadn6ffBCe:BMrDy90Gxc1u31TTEN0Z56f8e

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      35d50aca923965e5a644e1735c8cd657d562282a8fddd8a654982c84f9258342

    • Size

      389KB

    • MD5

      3e8e3f99da17defbcc54d0b92d42d370

    • SHA1

      4ae4d190f1c7743e707ade02bc452627b85df598

    • SHA256

      35d50aca923965e5a644e1735c8cd657d562282a8fddd8a654982c84f9258342

    • SHA512

      b395d1d18633eae61c9133b42803cac788fe2e636bf2d930e6d5b19b227b64c9c04bb748d440b7664a011626b03ac9e80b284442f63ba3d4948bf3a4ff4e9165

    • SSDEEP

      12288:iMrEy9080eKh/MtcyzhXhwB2GdnXxxEpyFpp:qyUe5tFtRjUkIFpp

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6

    • Size

      857KB

    • MD5

      0f0d0b0d1763725ce36c1c1db736fc8e

    • SHA1

      3a5d36a40ae2f0aa832b88db12e8080f83b8503d

    • SHA256

      3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6

    • SHA512

      224c93c379f47a4b1886478c26427daab891b4cdbbacf2dbdce454a8d3acc1c16eda545ff2381cbfe0fb872fe670060471f346986f7fc6ae4007039531322f5d

    • SSDEEP

      24576:nyD97B7U1CjyvR3id1Z0Fr4m5lO5x99+wfCbnBYsVj:yDaCjcipq5lO5X9+wqbGK

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      58ac39bbc629fc59614b3b5578967a587814d2de70f8a9cba5090cdfbbfb469e

    • Size

      359KB

    • MD5

      0f48c5af86633f921e293f8dfaeb4ba6

    • SHA1

      9432c35040d8c06cbce9bf056a7a2db4fdfc5331

    • SHA256

      58ac39bbc629fc59614b3b5578967a587814d2de70f8a9cba5090cdfbbfb469e

    • SHA512

      0062073a20deba2a262cf2f270be098888588abda012c0dbea18f60801efb912a467887e967700f9f901e82021fc4db30ac77aea4bd043349ca363c18bfc3d44

    • SSDEEP

      6144:Kqy+bnr+cp0yN90QE8k1UgFRQpsnz9PUITrnHvOfwz/FYT:iMrMy90CpgFRGspfTjIwz/Fi

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35

    • Size

      390KB

    • MD5

      0f8598fb85f2093ef6d50320bb154ef9

    • SHA1

      2c59e4a20dfbf7509be558e6d23a13b885643055

    • SHA256

      64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35

    • SHA512

      4f02ce78063742780afd98688b40d764f5d27b5cc3877c13ab3a616a2d2b92fbbd800bb64548d43f7b58970cbce83143fb75ba2682c2de3bfaa0db19a9c28b75

    • SSDEEP

      6144:K7y+bnr+mp0yN90QEkE/euW+jgZlHyZgSKaFSJV1MA3lm7ZP1bj40:NMriy90GxufjgvyZtKOSJxabj5

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b

    • Size

      515KB

    • MD5

      105d5754387cc3a3140ccc8660c1e50f

    • SHA1

      8dbb756c10678900b0e33893e81976f82ca0b8b5

    • SHA256

      654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b

    • SHA512

      538caa75dbcbd33065587c29e6ce0bcbf51eddc8ce50ce8b6684381e4ee0d9bb8c603669afc0272c7e8efd614c7ae87a0d78fe1b3a284006d193389c98243e62

    • SSDEEP

      12288:bMrzy90w4dJ/YUR/O0OI/gbs/YYsDYHHlhctsY6Zqztn7Q6ip2:gyV4DHR/VO+/YDknlCtf6ZaV7Q6iM

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd

    • Size

      467KB

    • MD5

      3ef1aae1590eb138e6444db02fd3c1c1

    • SHA1

      d8906538be380eecb256132a5a87682d8b14e254

    • SHA256

      677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd

    • SHA512

      9146ebe581ffa7bae67a8bf74969e8144c4d059c3409d75a20b40771b8d6511f9ec5c49a2a0664646798d6b21094d3b8b5cb8ae4992d3a03e5c6bfa34c27d694

    • SSDEEP

      12288:iZZE67b6ybYwz3EtKooU0EpPSnGkOaPVDOQSFv3uMyL98F:6G6/bYvt10EpPSGkOaPoMRZu

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80

    • Size

      390KB

    • MD5

      0f6e9123147c19f2467905401e618e1b

    • SHA1

      917abbb6f211d4a7662c8f05947e799452691601

    • SHA256

      71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80

    • SHA512

      151241129262e3de028e744556aa0ae408c5b469996892abd32ddd41dc86bc2a0e496e4bf2ed07c6a8cadff7643e3f0bc9b501eff36dd2b4a90b7ffef1e67e1f

    • SSDEEP

      6144:Kvy+bnr+Kp0yN90QEH1EEZn+h2FJ3GVHY+M0NoAsjLSTJHAcihT9/2U8sC2dQ:RMruy90cETW4YdJHnihTcU9BdQ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b

    • Size

      514KB

    • MD5

      0fa62ebed394e0d1ca75a047dfcd8883

    • SHA1

      c320dd1803bf38cd5822882b9c3aed0c0d2df000

    • SHA256

      7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b

    • SHA512

      d36d9c9ce7042ca5942ec1a762e109c21a717057b6895b8d1b74892c6b08ff7b017c7142012685eb2112ac6800344910e8f2086980887641717db5a20fb437da

    • SSDEEP

      12288:VMrNy90LyyzBA8YCgPxn4VxjSadSX9zheZnSW:cykXgPaSadSX9tmnSW

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d

    • Size

      925KB

    • MD5

      3e90b5f8e46ec833c865faa7b4d1bc60

    • SHA1

      28f893f8c74afb560f3d58113176a6417d561fbe

    • SHA256

      8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d

    • SHA512

      caeea27ce211e797c65de526a4a1d597f00117f0f6a64755a433142f9425e85672ae86cac7d71fb7f8c2ee9b38af3766b669c513e54ab279508e9f8f212f78ad

    • SSDEEP

      24576:zySEW8KZohbEF0cN+j+EQJBBenV9CSEsVTrPhc:G1WLZohi+jvQJBULCPsZrP

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      c64d3873d4dbf74d0c6e28f27a09adb2a8c897e218d1a4a4f5822391bf80c92e

    • Size

      390KB

    • MD5

      3e0e0e6d1b148a974f44ed81e76b4daa

    • SHA1

      6e500bf32412d5f02b5994e016a1c3ee577a1f9b

    • SHA256

      c64d3873d4dbf74d0c6e28f27a09adb2a8c897e218d1a4a4f5822391bf80c92e

    • SHA512

      2cd132b1d0adabf219069588447a1ba17492b0b362b47e6668fd09543f71a9d18a974497dcc077af549d243984ace87b4cafa74c9feb55cae31a8dac7964533d

    • SSDEEP

      6144:KNy+bnr+Yp0yN90QEtdzHtFJ+5AnfcYNRAdFnD8AVDQ1NWXy//Sm7kk5nrKA/t:zMrAy90ZHLmGEFI3+y//sk5nrKAl

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48

    • Size

      983KB

    • MD5

      0f5dcf244539e44929a29fdc2bee6cf0

    • SHA1

      d12c4a1527a6910e0f45e5d61c3f0f027cd65892

    • SHA256

      cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48

    • SHA512

      34b382df4ab8246c87c8a49acf7f37b33ed252c75b94fe47db7699ad20906abbd42b58ce953a5547da064b5fe93c38eab8d64299f85f99706cb8154af039a0fa

    • SSDEEP

      12288:dN53wXdk+4w8ea9YVhYu48bkEXjTvrVbJWekouloWnxfKuXl/DeeQA:dN5edk+4wv+YVhYu4rCTvhFanR3XlCm

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      ec20c355119abdb18d4433dc95969146db3a558e4e316a175b184ea42d45f89b

    • Size

      481KB

    • MD5

      3fb94d2cd967f1b24a98a7793682109d

    • SHA1

      084c6ae94fd17bf205f394cc3c868bbae8bded84

    • SHA256

      ec20c355119abdb18d4433dc95969146db3a558e4e316a175b184ea42d45f89b

    • SHA512

      92b3e81fa7440c493fe681ac4e60f9a0756eede0400b9bc003f7f89222f4b8106ac71ac938fa4b75616d0b8b11169b1a037205e89a1c1f1031046227da26db72

    • SSDEEP

      12288:FMrHy90xhkX5GOiNlHVPPZXaudS9iKus:Cyqs4vRNaud8ids

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f

    • Size

      856KB

    • MD5

      102cc57cf59a9b99f5615c58ba8ae4a2

    • SHA1

      0e92c89813cae891a354a5feea121b2aad6d77ab

    • SHA256

      eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f

    • SHA512

      7d1cab053e2b8aa3b66f866f3beff4241c85fc9d17ee6b1f7b8b1c6964b7aca133cf2ae080feb91e0b82f304d45f2556d88e072274bf17bb7cc479d3744c2409

    • SSDEEP

      12288:6MrMy90GsPfX7+uwEvNGQdJ6HpKFKeVNxsZMQDkbQFUoSCfd07Cw:+yqL+ubvUQyHkFKaxsZZugRw

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      ecc005f21f15aefcf4a4280bfeddf37e7a9066e1fede069eb10a19bfaf62dade

    • Size

      1.2MB

    • MD5

      108da43ca546ecda525fb9192e48bbab

    • SHA1

      89e854990351e39312d835f972d5dd26c83e90cf

    • SHA256

      ecc005f21f15aefcf4a4280bfeddf37e7a9066e1fede069eb10a19bfaf62dade

    • SHA512

      47927611bcecf322864a8e6c62e43c284d7cfffe67b07096db04d3933ebd08484b4b8e25586721ed5313f24f0bfe3ff872cf7a76b6a7c98efd3db0f240a14dcf

    • SSDEEP

      24576:6ysB4DrCYYGq1BnTNaz6/usrdYu2GGriw+qx2u+ZXp9eS8Nts3TM:Bs4CjBnTNazeu8dT2nRx1+n8Nts3Y

    • Score

      1/10

    • Target

      f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203

    • Size

      389KB

    • MD5

      10d90091ef4d583803f960e642111708

    • SHA1

      9a36e16049aca4f664c3802003afa15637326ccc

    • SHA256

      f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203

    • SHA512

      01891a9da02ab953a654f96bc927df089e11c28dff9983277621cffe463da5ff3a888992daea3f1f82d68fa1ec21ea6502c6ea4ceeb0495b3a13d813b438bd2c

    • SSDEEP

      6144:K/y+bnr+5p0yN90QEwBYGFRxbEZcRaEHIpj1XH8bbvymQmiaKq9REG8dq2:pMrpy90LUIZ1EHEBisG8dF

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Target

      f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71

    • Size

      857KB

    • MD5

      10d9e523ef3fa325767733e9b06a5183

    • SHA1

      ce932310c4e2ff5db5c2c78b90f69ad2270c08b2

    • SHA256

      f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71

    • SHA512

      9c319dacf140286345b160ca481dfe68466db1f028fa3f823d5ad8c7aacce5ed2d1218bbb226a103870004bfe7c845d7396fe851e4142f2cdc877e47fed2cf8e

    • SSDEEP

      12288:uMr5y90hl0vLfgTNcWAs5+X7YQaeB42ilLYj18fbo+efG40s+6OuUFLV3sBempko:Hy+0zqxA3LvmSj6jo+A0GUFh3Rm6aj

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102

    • Size

      359KB

    • MD5

      3e6c4929a82b142d398d5b1a60a93857

    • SHA1

      478ba0a29fcab3a9674f20c5b28f66a0fcc53795

    • SHA256

      ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102

    • SHA512

      3e292fdc2d2f52d9942fc732e66c4dbc50656a22b758c7e67377077d8461d0c18170cb50634d07d199957bb5cb5e728c7fa5ed9c5c71018b17945e184e5714e4

    • SSDEEP

      6144:K1y+bnr+op0yN90QEdx1i6EoKZ8J+gY4OUsKOK/Apfn6l+ZMFIPXewY:XMrIy90nMUzOUsKOK4p9PpY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
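
Most of the Targets above carry the same three behaviour signatures: "Modifies Windows Defender Real-time Protection settings", "Windows security modification" and "Adds Run key to start application". All three are registry writes, which Sysmon records as Event ID 13 (RegistryEvent: Value Set), so they can be caught on a host without the sandbox. The script below is an added example, not the sandbox's own signature logic, and runs over constructed events: field names follow Sysmon's schema, the sample values reuse the install_dir and install_file from the Amadey 3.85 config above, and the drop path under the user's Temp directory is an assumption. The "Checks computer location settings" signature is a registry read, not a write, so it produces no Event ID 13 and is out of scope here.

```python
"""Flag two behaviours the report attributes to most dropped samples, from Sysmon
Event ID 13 (RegistryEvent: Value Set) records: Defender real-time protection switched
off through policy values, and a Run-key autostart entry.
Added example for this page, not the sandbox's signature logic. SAMPLE_EVENTS is
constructed: field names follow Sysmon's schema, the values are invented (install_dir and
install_file come from the Amadey 3.85 config above; the drop location is assumed)."""
import re

DEFENDER_RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
# Policy values under that key which disable a Defender component when set to 1.
DEFENDER_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableonaccessprotection",
    "disablescanonrealtimeenable", "disableioavprotection",
}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\([^\\]+)$", re.I)
# Locations an unprivileged dropper can write; an autostart pointing there deserves a closer look.
USER_WRITABLE_RE = re.compile(r"\\(appdata\\local\\temp|appdata\\roaming|users\\public|programdata)\\", re.I)

SAMPLE_EVENTS = [  # constructed Sysmon 13 records
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\3ec1f323b5\danke.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\3ec1f323b5\danke.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\3ec1f323b5\danke.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\danke",
     "Details": r"C:\Users\user\AppData\Local\Temp\3ec1f323b5\danke.exe"},
    # Benign: a vendor installer registering a tray app, and an admin setting RTP back on (value 0).
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
]

def dword_value(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; return the int, or None if not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-f]+)\)", details or "", re.I)
    return int(m.group(1), 16) if m else None

def detect(event):
    """Return (rule, evidence) tuples for one Sysmon event; empty list if nothing matches."""
    if event.get("EventID") != 13:
        return []
    target, low, hits = event["TargetObject"], event["TargetObject"].lower(), []
    if low.startswith(DEFENDER_RTP_KEY + "\\"):
        name = low.rsplit("\\", 1)[-1]
        if name in DEFENDER_DISABLE_VALUES and dword_value(event.get("Details")) == 1:
            hits.append(("defender_realtime_disabled", f"{name}=1 by {event['Image']}"))
    elif (low.endswith(r"\software\policies\microsoft\windows defender\disableantispyware")
            and dword_value(event.get("Details")) == 1):
        hits.append(("defender_disabled", f"DisableAntiSpyware=1 by {event['Image']}"))
    m = RUN_KEY_RE.search(target)
    if m:
        cmd = event.get("Details", "")
        rule = "run_key_userwritable" if USER_WRITABLE_RE.search(cmd) else "run_key"
        hits.append((rule, f"{m.group(2)} -> {cmd}"))
    return hits

def scan(events):
    """Group hits by rule so a triage view shows each behaviour once with its evidence."""
    findings = {}
    for ev in events:
        for rule, evidence in detect(ev):
            findings.setdefault(rule, []).append(evidence)
    return findings

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS).items():
        print(rule, evidence)
```

The two benign events in the sample (a Program Files installer registering a Run value, and DisableRealtimeMonitoring being set back to 0) do not trigger the high-severity rules, which is the point: the Defender rule keys on the value being 1 under the policy key, and the Run-key rule escalates only when the autostart target lives in a user-writable location.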

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique (ATT&CK ID): count.

Execution
  • Scheduled Task/Job (T1053): 9

Persistence
  • Create or Modify System Process (T1543): 13
  • Windows Service (T1543.003): 13
  • Boot or Logon Autostart Execution (T1547): 16
  • Registry Run Keys / Startup Folder (T1547.001): 16
  • Scheduled Task/Job (T1053): 9

Privilege Escalation
  • Create or Modify System Process (T1543): 13
  • Windows Service (T1543.003): 13
  • Boot or Logon Autostart Execution (T1547): 16
  • Registry Run Keys / Startup Folder (T1547.001): 16
  • Scheduled Task/Job (T1053): 9

Defense Evasion
  • Modify Registry (T1112): 42
  • Impair Defenses (T1562): 26
  • Disable or Modify Tools (T1562.001): 26

Credential Access
  • Unsecured Credentials (T1552): 4
  • Credentials In Files (T1552.001): 4

Discovery
  • Query Registry (T1012): 16
  • System Information Discovery (T1082): 23
  • Peripheral Device Discovery (T1120): 5

Collection
  • Data from Local System (T1005): 4

Command and Control
  • Web Service (T1102): 1

Tasks

  • static1: score 3/10
  • behavioral1: score 10/10; tags: amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
  • behavioral2: score 10/10; tags: healer redline dumud dropper evasion infostealer persistence trojan
  • behavioral3: score 10/10; tags: amadey healer redline krast dropper evasion infostealer persistence trojan
  • behavioral4: score 10/10; tags: redline kira infostealer persistence
  • behavioral5: score 10/10; tags: amadey healer smokeloader backdoor dropper evasion persistence trojan
  • behavioral6: score 10/10; tags: amadey healer redline lande dropper evasion infostealer persistence trojan
  • behavioral7: score 10/10; tags: amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan
  • behavioral8: score 3/10
  • behavioral9: score 10/10; tags: redline zgrat discovery infostealer rat spyware stealer
  • behavioral10: score 10/10; tags: amadey healer redline lande dropper evasion infostealer persistence trojan
  • behavioral11: score 10/10; tags: amadey healer redline smokeloader roma backdoor dropper evasion infostealer persistence trojan
  • behavioral12: score 10/10; tags: healer redline lamp dropper evasion infostealer persistence trojan
  • behavioral13: score 10/10; tags: amadey healer redline lande dropper evasion infostealer persistence trojan
  • behavioral14: score 3/10
  • behavioral15: score 10/10; tags: redline 5195552529 discovery infostealer spyware stealer
  • behavioral16: score 10/10; tags: healer redline mihan dropper evasion infostealer persistence trojan
  • behavioral17: score 10/10; tags: redline kira infostealer persistence
  • behavioral18: score 1/10
  • behavioral19: score 10/10; tags: healer redline nasa dropper evasion infostealer persistence trojan
  • behavioral20: score 10/10; tags: redline kira infostealer persistence
  • behavioral21: score 10/10; tags: amadey healer smokeloader backdoor dropper evasion persistence trojan