General

  • Target: r1.zip
  • Size: 64.9MB
  • Sample: 240510-rwb5faag5v
  • MD5: 27a3d5cae2e8bd83328fc915c4b1b55c
  • SHA1: c75f646a74bec684b3c65d532b63f73342e7ab7e
  • SHA256: 19ffc101f7c4457a5adb66b38ce5823d52f596b323578de48d3585b1b57d24c6
  • SHA512: 50605b254e737c36d2334133ccca232fdc2b5659454d5bebf13209424481e3526eeeb1b1589f9fbe27f6ca908d7a9a39a599076a2d23d9de6484c7ea02dd7d0a
  • SSDEEP: 1572864:UVpRCJnhhUa+zzhNQmqQwF+HwARUKMtwLksVSJF1de:LJhSFzf2YUj3e

Malware Config

Extracted

  • Family: redline
  • Botnet: crazy
  • C2: 83.97.73.129:19068
  • Attributes: auth_value = 66bc4d9682ea090eef64a299ece12fdd

Extracted

  • Family: redline
  • Botnet: muha
  • C2: 83.97.73.129:19068
  • Attributes: auth_value = 3c237e5fecb41481b7af249e79828a46

Extracted

  • Family: redline
  • Botnet: lamp
  • C2: 77.91.68.56:19071
  • Attributes: auth_value = ee1df63bcdbe3de70f52810d94eaff7d

Extracted

  • Family: amadey
  • Version: 3.86
  • C2: http://77.91.68.61
  • Attributes:
      install_dir = 925e7e99c5
      install_file = pdates.exe
      strings_key = ada76b8b0e1f6892ee93c20ab8946117
      url_paths = /rock/index.php
  • rc4.plain

Extracted

  • Family: redline
  • Botnet: krast
  • C2: 77.91.68.68:19071
  • Attributes: auth_value = 9059ea331e4599de3746df73ccb24514

Extracted

  • Family: redline
  • Botnet: lande
  • C2: 77.91.124.84:19071
  • Attributes: auth_value = 9fa41701c47df37786234f3373f21208

Extracted

  • Family: redline
  • Botnet: 708370717
  • C2: https://pastebin.com/raw/KE5Mft0T

Extracted

  • Family: redline
  • Botnet: masha
  • C2: 77.91.68.48:19071
  • Attributes: auth_value = 55b9b39a0dae383196a4b8d79e5bb805

Extracted

  • Family: amadey
  • Version: 3.85
  • C2: http://77.91.68.3
  • Attributes:
      install_dir = 3ec1f323b5
      install_file = danke.exe
      strings_key = 827021be90f1e85ab27949ea7e9347e8
      url_paths = /home/love/index.php
  • rc4.plain

Extracted

  • Family: redline
  • Botnet: nasa
  • C2: 77.91.68.68:19071
  • Attributes: auth_value = 6da71218d8a9738ea3a9a78b5677589b

Extracted

  • Family: redline
  • Botnet: 5195552529
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted

  • Family: redline
  • Botnet: dumud
  • C2: 217.196.96.101:4132
  • Attributes: auth_value = 3e18d4b90418aa3e78d8822e87c62f5c

Extracted

  • Family: redline
  • Botnet: kira
  • C2: 77.91.68.48:19071
  • Attributes: auth_value = 1677a40fd8997eb89377e1681911e9c6

Extracted

  • Family: redline
  • Botnet: mihan
  • C2: 217.196.96.101:4132
  • Attributes: auth_value = 9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

  • Family: redline
  • Botnet: 5637482599
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted

  • Family: redline
  • Botnet: news
  • C2: 77.91.68.68:19071
  • Attributes: auth_value = 99ba2ffe8d72ebe9fdc7e758c94db148

Targets

    • Target: 000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88
      Size: 607KB
      MD5: 33ff5c1b7ad2169df36e814a2d691161
      SHA1: e80f0be76be35b9997ecfa24a8efc30748552cbe
      SHA256: 000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88
      SHA512: 216ceb4f2a265aae0b413964c91da9f4f4f45baabe4ed952da89dc8089932472aeecb7ae2fb42408dfcfc8ae575d3d0b99cd89f55620946b155a41dee6019bd3
      SSDEEP: 12288:+MrRy905hb1FNGixxWjL0VQt0M4sslypYzPIJ4XBNvCfap:Tyihb3EAckqt0HyezQJCBNvCfap
      Signatures:
        • Detects Healer, an antivirus disabler dropper
        • Healer (Healer, an antivirus disabler dropper.)
        • Modifies Windows Defender Real-time Protection settings
        • RedLine (RedLine Stealer is a malware family written in C#, first appearing in early 2020.)
        • RedLine payload
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext

    • Target: 0e413fa9690c02a45dc95f1ea020874ed2745670117fed803aea439be9b8683c
      Size: 390KB
      MD5: 339502ab6e803bb14f41192ad1a5f0d9
      SHA1: a4b66d62757242efc3b730e8a408c6c97682de3e
      SHA256: 0e413fa9690c02a45dc95f1ea020874ed2745670117fed803aea439be9b8683c
      SHA512: 4415566c40ee2e46b94c96e4034bdb3bf8328fb7bb34e5536e0e53e653124519a19e018479423c215aaf34494c88c0229b28b0eaa2b01f8d5b7e21d27f5f1a4f
      SSDEEP: 6144:Kjy+bnr+Ep0yN90QELzQhhPWbRIi6yiCcQ/sRZYE9Df8HrENGiM:tMrYy90GPuGOMTGrEpM
      Signatures:
        • Amadey (Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.)
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Checks computer location settings (Looks up the country code configured in the registry, likely a geofence.)
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f
      Size: 856KB
      MD5: 35762cd3ccc1574a12f103066ecba520
      SHA1: c7f02aeefc74ddb4d4134ac09418bbdcb250d192
      SHA256: 123830f5adc2114333a361b752e02a6ae770080082ba2b79c984aaf2debf810f
      SHA512: fbb0ef7fd42bf2d5d8629921528fc69e880b90173fe3e57746bc08bf84033ac6331104678a24a67146e7cd738aa06cca421a0cb6af37d2c06be3729ad4b967d9
      SSDEEP: 12288:1MrRy90zgvdGHHhfom5cyZF5RRvoIlBQpE73i3qnj5/vYkZrSsf1bBvzfS4R:4yDvdMFtZF5xPQmDiMdvYkQU1xSY
      Signatures:
        • RedLine
        • RedLine payload
        • Executes dropped EXE
        • Adds Run key to start application

    • Target: 189bf8b11dee99ed7e1e469dc473e6a36cc501c81db6093fdae6c031c37139e3
      Size: 309KB
      MD5: 342b1816c9b8d3e94affca15effaa80e
      SHA1: d335bae1ffead340c29b008bb61e3c353520eb8b
      SHA256: 189bf8b11dee99ed7e1e469dc473e6a36cc501c81db6093fdae6c031c37139e3
      SHA512: c119ef28e0b35fb48c36e3cf24855056eb0d2ab4cd94af312e33f7ca2bef26563ba46b12783177ff9dbb4e0c9a8982527163ee73e5ac35b4388d02dc673b3269
      SSDEEP: 6144:Kry+bnr+gp0yN90QEV5F5OYc1u31g4TBy0LfkL3+GeOIq7bB4bz:xMr0y90Nxc1u31TTE0LcL3lZ7bB4
      Signatures:
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 30781e91d68861344f162ee5566cedc2c3c10246b4ec0c14b8f23cffe8bc9c0c
      Size: 332KB
      MD5: 37072a159221b66a2cc7d3b032802748
      SHA1: 5da67b6cd3a05288da7ebe3d7eb8c4a095b3afdf
      SHA256: 30781e91d68861344f162ee5566cedc2c3c10246b4ec0c14b8f23cffe8bc9c0c
      SHA512: b427d69f91934fb0623116e54dbe7fa5e036021aa5cb17e7a8de01b34e74212f4065716dd93161899714dcd1a519bf7e1857aba12e6aec55cf634e134add29cc
      SSDEEP: 6144:73Lw7HV0BtJoa1L+ZBYo5+fR+yghyjWIXoJWVegjv72D+0Xp:7bBBtJoa1LfSyg0ToJuj50Xp
      Signatures:
        • RedLine
        • RedLine payload
        • Reads user/profile data of web browsers (Infostealers often target stored browser data, which can include saved credentials etc.)
        • Accesses cryptocurrency files/wallets, possible credential harvesting
        • Checks installed software on the system (Looks up Uninstall key entries in the registry to enumerate software on the system.)
        • Legitimate hosting services abused for malware hosting/C2
        • Suspicious use of SetThreadContext

    • Target: 4312b77e6031b30312b6c5c30180fca1895d4c065914103fa2e4ca9e8da9a0ce
      Size: 389KB
      MD5: 33e3fc4709fde1e78a4d43cf4315b6e8
      SHA1: 8df55f1252561a441d7069e4b09c8d5e429151e2
      SHA256: 4312b77e6031b30312b6c5c30180fca1895d4c065914103fa2e4ca9e8da9a0ce
      SHA512: aa3f749244aef8c64d3e610ccd97fd5eb4d663af450340a627237165006b07a6b3bebe68534b765a0785ff22d5155322d4075671d26bd55b783d9a554f1c1446
      SSDEEP: 12288:6Mr7y90Ha9/KXa3xvoQrOhOKgBYCmjWwojO:Jy7XvodhO5z9O
      Signatures:
        • Amadey
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 55a2613b9117beb668b5eda94de72151952cc566a09c80460e6169cfe1e7edce
      Size: 514KB
      MD5: 3596d2031894bae219111af96da907c0
      SHA1: 21c0f19aa3d9e05ee8d8c6433acce202f0e60ab6
      SHA256: 55a2613b9117beb668b5eda94de72151952cc566a09c80460e6169cfe1e7edce
      SHA512: 057ddc2bd1f41cb1a07078de858578a79ec3a3f8601741c671c20400d14658a0ba0f34fc455b35c6b6ed8f5887cd7d524bf43d25b41d90b7ea5a44c8f00be966
      SSDEEP: 6144:KHy+bnr+zp0yN90QESKrrG+f2s1De9WhDPxn7r6DM59U1UHSllzk7dX632XG8FWU:5MrLy90BOJW55n7rDdHIlzF36xooH
      Signatures:
        • Amadey
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • SmokeLoader (Modular backdoor trojan in use since 2014.)
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 57e17d171cef6609925870e83612ab3f4cb883b2bac745d2a500d5e839fada0b
      Size: 919KB
      MD5: 355a3e838e20ebfddb67e880ffd84eb4
      SHA1: ec544c366ec75c9072f5aaba66e80d04b59f70e9
      SHA256: 57e17d171cef6609925870e83612ab3f4cb883b2bac745d2a500d5e839fada0b
      SHA512: 8a276fe0dce212cd0b4f6646d469be82d9f3ca2728d83f7583a11400158b71175df6749c2a47365f5e797f03984cd46720001de50542178f21080863ed5e3a84
      SSDEEP: 24576:wy1vtFUxX9ePZlAVZDRr/jXZOnQ0/RlSUP:31vtajegVzLkQSlSU
      Signatures:
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 604b676155ad58fa6826907866dfba9510268d91c3cbfa0df8706492c47c0f8c
      Size: 921KB
      MD5: 35d65edcad0eb94203a77b37f369a214
      SHA1: a9a64846ed8c44b0969da1b8c912181b971c9cdc
      SHA256: 604b676155ad58fa6826907866dfba9510268d91c3cbfa0df8706492c47c0f8c
      SHA512: eea9c8d65f52e27e98c3249409338052547695ce3670e7388367f42ef625b9b8e4fa336c5f9dd6b674bf051484ee80f0171407eed108484227d6f331b6c5fd29
      SSDEEP: 24576:iy3YGYGYjHIA33LkLpteVbKpX4SVkrh3:J3dYGYrI7p+G5Jk
      Signatures:
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 617783538bdab4bd7c8fbacae9e8749b50cd02e596dc328612ea1d600c11dc1f
      Size: 514KB
      MD5: 33aca759fc7ddd2c0ba87b20d2cf8986
      SHA1: f4e5f0de1188385931c81c61229f03c508e29fc7
      SHA256: 617783538bdab4bd7c8fbacae9e8749b50cd02e596dc328612ea1d600c11dc1f
      SHA512: 3da9c1afa7ac424395afc2e2f512ca900218a7b4f353ff2708b9760fbceee45a37ff7d34fd1332c63e9570b0ba90131f18235c7ff0f76b5f6ab5a0484a9720af
      SSDEEP: 12288:EMrYy90ZQGHay0dMZCvYOiGRD/qYR+J8gDSMuUCyjylEsCmjt:EykHaHdMZmYwIlJ13uUCyjylEhit
      Signatures:
        • Amadey
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • SmokeLoader
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 729187837b6282872fd853df135ab03458edda808d089983498f29a635b978ea
      Size: 514KB
      MD5: 34224bafba80ee4c2ef4d7cc26e983c5
      SHA1: 978f969321bdad8a20b343cbba8d22370589d48f
      SHA256: 729187837b6282872fd853df135ab03458edda808d089983498f29a635b978ea
      SHA512: 890361ddd6d7cb18c85190609d988b754dac9b82a2806acba148102d952d5f73fd3d05ddebe6de7918aba217b9759e634518f2552efe3d8db453930181d67592
      SSDEEP: 12288:1MrLy90fDRO1eZcHs6uy3WvAXdjI4hR0Hp9LV9R/XIqUkLC:Oy2+8cbuy3WvqNhCHXVDIrYC
      Signatures:
        • Amadey
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • SmokeLoader
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 747238b5bd007fbf264cbd66b42a3fa3d6c54ccb6a1d0ce2c79715650a55d097
      Size: 389KB
      MD5: 34958013ed93e8c8cb4a7fa5c4d303fe
      SHA1: 2c55415545f09295480119363473cc7ab41549c2
      SHA256: 747238b5bd007fbf264cbd66b42a3fa3d6c54ccb6a1d0ce2c79715650a55d097
      SHA512: fd638a25dc2f97d44a90a551f78487e9d6ecf24b6fd82d737cccb452c9aadd092f8b0d213cfbfac9808305d9bd579b3f89a1cd0385a461e14bd4d46430ca951b
      SSDEEP: 6144:K9y+bnr+Bp0yN90QEv8k6y00raaOJ3XJzKw9mRy+elgBZ+t4oDYff+agCM:fMrxy90t8vn0lO/Kw6yJlgBYCokfJgX
      Signatures:
        • Amadey
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 7ec0dcfd6246ae153473783715a6fcdc5d5b76379404002057ad04b8746c7aa1
      Size: 315KB
      MD5: 352cc252a5f812e13691309de4712448
      SHA1: a7778141853324e6e03f16136e645e7e88d4b15d
      SHA256: 7ec0dcfd6246ae153473783715a6fcdc5d5b76379404002057ad04b8746c7aa1
      SHA512: 3749f746da36576029ec7f417f1f7e00e373d5059da48967975a56d8f50c6f9df27940f6e01a0f8ab289288895bb6e5cffbd4f1c4c87f051925a7e89a5e06b78
      SSDEEP: 6144:pe9pI60nbM8uPZy3+8KIDa2uke9NbjWHvhqB9GX3d/cZOXHS:49+60nbnul2QNee9GX3dEaHS
      Signatures:
        • RedLine
        • RedLine payload
        • Checks installed software on the system
        • Legitimate hosting services abused for malware hosting/C2
        • Suspicious use of SetThreadContext

    • Target: 8468f46bfbde3077ec27b4d06b0b5617a8dec77c7537ca26f5b248d5def7dad1
      Size: 1.5MB
      MD5: 36fa89b475e79e837726f2fd2ab3284c
      SHA1: c459d9682b135e30861b3bc20c6df18145ba3a4b
      SHA256: 8468f46bfbde3077ec27b4d06b0b5617a8dec77c7537ca26f5b248d5def7dad1
      SHA512: e996603bd1f2ab8d8fec19cf4fb7b7675d9663da5d86fce9c0951e63126c88dcc48eb45828e66754707e2d85167da9e102b111af376e216abce1ecdbc0455a46
      SSDEEP: 24576:vyu+yiEOJyXCBXtjpLyrM7+k1nKhFSx21BpOPqdDhUv7gUk+dUt3Pqpt:66OJ1jpGrg12Sx2rwPKDhUvYP
      Signatures:
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 8e6dae5587d0150e1fa568f6ff42d2f6790750c017c08f86cff2c14b18de7422
      Size: 389KB
      MD5: 34c92f1b6b922ed423132a72c41e14c0
      SHA1: 0d10bccb8a7c64727139a12b32553e3568f00a51
      SHA256: 8e6dae5587d0150e1fa568f6ff42d2f6790750c017c08f86cff2c14b18de7422
      SHA512: 1720ba3a80b94631413dc8de5a44220d9cfbabf9ef189bd454c2646aa0ecfd9b0f0554a6d9c1936fd3d86b5e5f5dc8d3d23209d07356f54befcd55434c736049
      SSDEEP: 6144:KQy+bnr+Pp0yN90QEbAP9s5pCJAKzG2t1+0oExIIJf/SgTP:AMrHy90t69sTC6wHoE3SgT
      Signatures:
        • Amadey
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: 9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8
      Size: 4.2MB
      MD5: 35610a0893af03997f22475ddfefd41d
      SHA1: 42fd96d5d157dc27f6a181cad9e014a26ec43a29
      SHA256: 9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8
      SHA512: 478ccec867ecbc1f78fc0b4b436cf9edda43f14542c17ae028b9f9bfba66ef32d0d91d7a8f17cc3af8f0fb5f60bbe49575d1f0b65bbbfe2036b77377d9ff107a
      SSDEEP: 98304:Zlck2pgTvADDboPjS9eS+JlkmKlRVlwIVP5mexNHw+1b0D3AP:Zl12p2AD/oPjS9efkmKlRVlwIDmevHws
      Signatures:
        • Modifies Windows Defender Real-time Protection settings
        • Drops startup file
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • AutoIT Executable (AutoIT scripts compiled to PE executables.)

    • Target: b7dd4fa2a0deaf6b70cea7aaf1292a2e835aef45edb5a190cc515d98cf60a8d9
      Size: 293KB
      MD5: 3503d07ffdcbf58c0991a126f62e2c5c
      SHA1: 3ed929e6f39d6088a58f34f960a7c990b390675a
      SHA256: b7dd4fa2a0deaf6b70cea7aaf1292a2e835aef45edb5a190cc515d98cf60a8d9
      SHA512: 12dd40424a7b70721f7a631220862126a12f5812f95e121eeff76b23b147020a98100cb152082dffb7a68cae5015c5392775264a754b3e6931099beb26c52157
      SSDEEP: 6144:27wlKAtETWV0M582YRT/9pWIYjkSbGwRm/CN+wbsdSaaO0:iAtETWV7uXpRYjk4BRFNzwdAO0
      Signatures:
        • RedLine
        • RedLine payload
        • Reads user/profile data of web browsers
        • Accesses cryptocurrency files/wallets, possible credential harvesting
        • Checks installed software on the system
        • Legitimate hosting services abused for malware hosting/C2
        • Suspicious use of SetThreadContext

    • Target: dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9
      Size: 51.0MB
      MD5: 334d3992d07061c6b20d08d200811aff
      SHA1: c896f1f24fd0af2d523946217fb556fadfac3304
      SHA256: dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9
      SHA512: 6d10bc11d0792c2ef63ae0564df650ec1c7e3a776bf3df3df7097cb5fd3477a173b8dc2bd36628f67a312b766bf684626ec6221be9d259425dad65309f791b4a
      SSDEEP: 786432:n14+ls/Zo30hnFnAZZhGJHJaIKYlPLkkAt9lMe/HMrGQgQGmLIqFGkCRFrmT:14++iEVFnAxGJfljDeQgQGLqNCjmT
      Score: 7/10
      Signatures:
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application

    • Target: e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71
      Size: 1.5MB
      MD5: 32d48c8cdbfd96746a7f1c55f20a4947
      SHA1: 7c8dc77a635685a78606165716662958487c72a3
      SHA256: e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71
      SHA512: e5ac29b64ac187f5cffc8a4a96fe617b138f847076a3bcd35a4c68eab59f103a0fdba0fca685592270942c08c2e7785521fe416bce4057f748ffcce89159c19d
      SSDEEP: 24576:7yPZKhpcvJxHm4U5sa6uyHWkAN+dX0xecCgTOffPGzedaNycCe0XM7fl1h6MlzY:uyGvJxG4Cc7J7gqffP/tcCtXmflnP
      Signatures:
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

    • Target: ff54e8ca62b5d37f515d9883b629f0761bba9e583cfd91abda232bc4e5b5cd50
      Size: 307KB
      MD5: 367ff3cd17fe97143cd8cb5f9e323046
      SHA1: 0a213bcb8d4e658992d1e083b0b206ac3650ba69
      SHA256: ff54e8ca62b5d37f515d9883b629f0761bba9e583cfd91abda232bc4e5b5cd50
      SHA512: 9c2fd4077ecd277d91e83160a5c2a0a3bcc2c8774dda670dad8566a789fef7be158a87397cf2fa7360fda1916fac8331b61c55add4d4018ae2dfacbba6a32894
      SSDEEP: 6144:KYy+bnr+gp0yN90QE85F5OYc1u31g4TByrF8wtc54DgJ:EMrsy90exc1u31TTETt/EJ
      Signatures:
        • Detects Healer, an antivirus disabler dropper
        • Healer
        • Modifies Windows Defender Real-time Protection settings
        • RedLine
        • RedLine payload
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                               ID          Count
  Execution              Scheduled Task/Job                      T1053           8
  Persistence            Create or Modify System Process         T1543          15
  Persistence              Windows Service                       T1543.003      15
  Persistence            Boot or Logon Autostart Execution       T1547          17
  Persistence              Registry Run Keys / Startup Folder    T1547.001      17
  Persistence            Scheduled Task/Job                      T1053           8
  Privilege Escalation   Create or Modify System Process         T1543          15
  Privilege Escalation     Windows Service                       T1543.003      15
  Privilege Escalation   Boot or Logon Autostart Execution       T1547          17
  Privilege Escalation     Registry Run Keys / Startup Folder    T1547.001      17
  Privilege Escalation   Scheduled Task/Job                      T1053           8
  Defense Evasion        Modify Registry                         T1112          46
  Defense Evasion        Impair Defenses                         T1562          29
  Defense Evasion          Disable or Modify Tools               T1562.001      29
  Credential Access      Unsecured Credentials                   T1552           4
  Credential Access        Credentials In Files                  T1552.001       4
  Discovery              Query Registry                          T1012          14
  Discovery              System Information Discovery            T1082          19
  Discovery              Peripheral Device Discovery             T1120           3
  Collection             Data from Local System                  T1005           4
  Command and Control    Web Service                             T1102           3

Tasks

  • static1: Score 3/10
  • behavioral1: Score 10/10; tags: healer, redline, crazy, muha, dropper, evasion, infostealer, persistence, trojan
  • behavioral2: Score 10/10; tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  • behavioral3: Score 10/10; tags: redline, kira, infostealer, persistence
  • behavioral4: Score 10/10; tags: healer, redline, mihan, dropper, evasion, infostealer, persistence, trojan
  • behavioral5: Score 3/10
  • behavioral6: Score 10/10; tags: redline, 5637482599, discovery, infostealer, spyware, stealer
  • behavioral7: Score 10/10; tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  • behavioral8: Score 10/10; tags: amadey, healer, redline, smokeloader, news, backdoor, dropper, evasion, infostealer, persistence, trojan
  • behavioral9: Score 10/10; tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  • behavioral10: Score 10/10; tags: healer, redline, lamp, dropper, evasion, infostealer, persistence, trojan
  • behavioral11: Score 10/10; tags: amadey, healer, redline, smokeloader, krast, backdoor, dropper, evasion, infostealer, persistence, trojan
  • behavioral12: Score 10/10; tags: amadey, healer, redline, smokeloader, lande, backdoor, dropper, evasion, infostealer, persistence, trojan
  • behavioral13: Score 10/10; tags: amadey, healer, redline, lande, dropper, evasion, infostealer, persistence, trojan
  • behavioral14: Score 3/10
  • behavioral15: Score 10/10; tags: redline, 708370717, discovery, infostealer
  • behavioral16: Score 10/10; tags: healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
  • behavioral17: Score 10/10; tags: amadey, healer, redline, nasa, dropper, evasion, infostealer, persistence, trojan
  • behavioral18: Score 10/10; tags: evasion, persistence, trojan
  • behavioral19: Score 3/10
  • behavioral20: Score 10/10; tags: redline, 5195552529, discovery, infostealer, spyware, stealer
  • behavioral21: Score 7/10; tags: persistence
  • behavioral22: Score 10/10; tags: healer, redline, masha, dropper, evasion, infostealer, persistence, trojan
  • behavioral23: Score 10/10; tags: healer, redline, dumud, dropper, evasion, infostealer, persistence, trojan