amadey

Sharing

Copy URL

Twitter E-mail

General

Target

r1.zip
Size

12.9MB
Sample

240510-sl48xafc82
MD5

fd5667b6204863a114c75e65a339dc0c
SHA1

23c3d7f27ef07752f3613cd1cd4e1cce1ea64637
SHA256

dd49e60a45e3962b98b32d0ae9a1256ae1e60ba2b696a005fe221e32f96d996b
SHA512

52e2ef1422dfa33905f40163ede23db9783a9d328622bc7e7f175b9ecfd641216d657399e70c666e75aef233dda86e0c8987c04af9093e621282ba82aa08e50d
SSDEEP

196608:3NKz+POggIUpfQ6Z8BLj7wjJ8kpKxy3qVRnQVlw0CPAvaHQWioQeB4O03+74T0Ji:dK6POhIGLo7wjjKaOSlw0WQWQ0sjGWNH

Malware Config

Extracted

Family

amadey

Version

3.86

http://5.42.92.67

http://77.91.68.61

Attributes

install_dir
ebb444342c
install_file
legola.exe
strings_key
5680b049188ecacbfa57b1b29c2f35a7
url_paths
/norm/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Extracted

Family

redline

Botnet

mihan

217.196.96.101:4132

Attributes

auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

lande

77.91.124.84:19071

Attributes

auth_value
9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

redline

Botnet

581694481

https://pastebin.com/raw/NgsUAPya

Extracted

Family

risepro

194.49.94.152

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

5637482599

https://pastebin.com/raw/NgsUAPya

Targets

- Target
  
  00dc3a43dda255a61bd370ebbf0fc0431112da3c176a205489b4a2113c396878
- Size
  
  390KB
- MD5
  
  b98729272c6d4df3a64402281ace8eb9
- SHA1
  
  e7085276b6444b67bafa946b8dc7d97cb9724481
- SHA256
  
  00dc3a43dda255a61bd370ebbf0fc0431112da3c176a205489b4a2113c396878
- SHA512
  
  51119438a29cea3ec18fc0196016d1eb4e61a9c97b198704251cb5ce762cced3257a6fb62d7c7be76f0eb60ae0cb551d31bc946f3bef89f4f3242be910b39229
- SSDEEP
  
  6144:Kiy+bnr+4p0yN90QEgIDkih24KNWnnVOYvWUo/+K1DEn0q9qkzlM4uM:SMrIy90+IJKNcOb/+K2nzokzlMM
Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  061669c83be149e85a977dfd41981b6115bf335e8f5bf4a2c696247dbf3999c0
- Size
  
  479KB
- MD5
  
  da9628d206200541f94439093a97094e
- SHA1
  
  c5638efc45b8695458802fd3ad98e55715762ca2
- SHA256
  
  061669c83be149e85a977dfd41981b6115bf335e8f5bf4a2c696247dbf3999c0
- SHA512
  
  65f4e60de936967c989350a7fe4402ef868092013f5af39391cce52c2fae631937b851403c4cf0b087ae7b75109de8bcb454d0f0046a0de3ef1e56537e028c2b
- SSDEEP
  
  12288:LMrZy90PoaNuTNVYHTIQNJSngK3ITlWiy8KMn:Oy03NuZCzINYxWiN
Score

10^/10

redline dumud infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535
- Size
  
  1.6MB
- MD5
  
  db49775df584d04028c83082753a41e4
- SHA1
  
  4c5e66c25845497bbc4181dd5e601cf49ae54830
- SHA256
  
  0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535
- SHA512
  
  93ddb8d4f97263fc55df13832695ba63692016c840db1bdd629aa0f463e46c97bbf88cdc471423875c87956ffa2b66d6653474970123822e4515f182ff586eaf
- SSDEEP
  
  49152:9MsyWtfsl+3i5O5xzr6W/RFze49CMU1b:Os7m030k1lz//2
Score

10^/10

privateloader risepro loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  1b26ae68f4d9a6a0bfd1a8c92489c6dcdb1a4e6ca483442c2b307329cdfb9345
- Size
  
  390KB
- MD5
  
  bb0753dc0f21ba5b88f9efdfd5760f86
- SHA1
  
  ed86f97a30aa9d415af373a150da9ed444cc93aa
- SHA256
  
  1b26ae68f4d9a6a0bfd1a8c92489c6dcdb1a4e6ca483442c2b307329cdfb9345
- SHA512
  
  eb37c103e0d993f7021887a7447f4d158a90f1316d24d82041f4576996ea819ecbe7f03c382407e3a64e1bb0ad9c33c77f18f4fefe76dc8c74298a76a965b7b0
- SSDEEP
  
  12288:/Mrvy905HLz6SlnopjauhTjgBYCDSViHApFnQA:UycrPlnop2upczGViHAp1z
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90
- Size
  
  333KB
- MD5
  
  db031db0c2f83c7dc31f6a33ea4fb0e8
- SHA1
  
  e036ce1e5f3cbd4bba8f75252d22035f76d28ed8
- SHA256
  
  3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90
- SHA512
  
  abeebc4e59a691ca22c9eefb03c732bb66803a1a540cd7c8e35fdfadd7bee3495b168599e04524e0e7f814b058664eb1dc62859d398c78156991f0ac9efde1b3
- SSDEEP
  
  6144:i1RwZfFQDOioMvzATd5W0jbSXRYyghIqjjjjjjjCTGKR5/yjNNThd9g+0Xp:i/zDOioMvzA+iygiqjjjjjjjCTJkThto
Score

10^/10

redline 5345987420 discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c
- Size
  
  332KB
- MD5
  
  cc374f6af71bc0a4356047a5632665f7
- SHA1
  
  0aad0c3600a0b007bef4847c257ccaeef1ef0955
- SHA256
  
  3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c
- SHA512
  
  94b400ae0de8b33f8804e7be2c2c304e26f6b28b523398966160078f97bf996cb3f3ed2539085c2460eca9589134c2d0399c0f8152af9c7b09549600020f9761
- SSDEEP
  
  6144:S3zwDH1EpC8wM4ydBrEBniBBu0RSyghWvX/ZDsOJ5G+/GVy4+0Xp:SjZpGM4ydBm/ygQZDsOfGjVyV0Xp
Score

10^/10

redline 5637482599 discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  3ff55c48fddf370349ae0853c3e33d313791cbfb7239e43b70ad977035a132c7
- Size
  
  479KB
- MD5
  
  b6d80dc8a9a38d1fd2ec4b293e64f072
- SHA1
  
  8816ea065ce4a0f76d480738c67542b9de1f60ef
- SHA256
  
  3ff55c48fddf370349ae0853c3e33d313791cbfb7239e43b70ad977035a132c7
- SHA512
  
  267e990d20bde3d5d83d17d8338455a1faafe55b027528b0da1bfa07786f0f738e43fa02a42fc9b7cda2ee0022adc3993b24b215ba1d320c7570826e79d3f6ca
- SSDEEP
  
  12288:fMr6y903YPrN02PEYCGsqSXthvojSK7TBJJRa:pyScNdVkLv+JY
Score

10^/10

redline dumud infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral9
- Target
  
  50be51fdd59dbf4ac078600bca6c8481f0e5baf0010085e6e0ce8d763e87da4b
- Size
  
  390KB
- MD5
  
  b98765fd9fa676950200180126ca55fa
- SHA1
  
  b90c5fb7694835cf0d411b0573a6e5ccfc87029e
- SHA256
  
  50be51fdd59dbf4ac078600bca6c8481f0e5baf0010085e6e0ce8d763e87da4b
- SHA512
  
  72fc0386dc80c3fcd3306be8cac7b85435adc9c61f2834f0c660023e6e8ae16a67d95600ed251d3999cc1e4b33be0f678ede05ae8c805641217f10782bb386f8
- SSDEEP
  
  6144:KJy+bnr+Fp0yN90QEtKC6Z223SgfSsBjvDfu/xLGC9wxrRf9x3S5V+ekRsR9TNKI:TMrpy90bL+i+7YF1wt59R5eOsTTkypL
Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4
- Size
  
  309KB
- MD5
  
  cb6e6dd23036d3e9c3fd6fcc4e12690f
- SHA1
  
  4a5ef41dca4f37163bec679914d69cf895069c51
- SHA256
  
  565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4
- SHA512
  
  cd8004da2fe9d31748171b180aab8d2d650f08ab57e8f08d748db120dbd10730a6ad2bba28618501cc1dad2f175084df0f44db0f0a002d9124832c8ae45031aa
- SSDEEP
  
  6144:P6hm2uPpiUxyd2eVps3AzNsNkZ8+cxdj91FtG0UyfvVR7/I:Sm2uPpit6eNsN08+oz/FUy3VR7I
Score

1^/10
behavioral11 behavioral12
- Target
  
  5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980
- Size
  
  480KB
- MD5
  
  da1a7836295f867660a4ef08cbd034ad
- SHA1
  
  ba6d8cc6092de77df9c6dbbd70b3344739d2f7b6
- SHA256
  
  5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980
- SHA512
  
  b992f960dbee603138e2d251048ce9448e2762cb7fae486f6fe3fbe9c739af5094a3d6f7dc6da38172c3b6a23ccc9b02a01edaeb73fee305c2dc0cdbb814973b
- SSDEEP
  
  12288:aMrYy90jit+Ui52alg5MAxa3xV6x3ANJ0+kwPvIKw8F0:iys1n2AHee0O0+/PvIJ8u
Score

10^/10

healer redline mihan dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119
- Size
  
  1.5MB
- MD5
  
  b6bd0fe9e2f14162d22a601e59a1740b
- SHA1
  
  5a60ae626817e3638caca0fc80ad9a8200357e52
- SHA256
  
  6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119
- SHA512
  
  af2f072c83766dc801720af1f3a94dca12035b46b3a038a4df7afecfb85021020f25b2f4827bcba7d6109176631730e0527772b37946564a40d6dc9ea92ae8d0
- SSDEEP
  
  24576:GygAJsoOr2n6P8VRrbjJJ+XODPh25hMojCFMQsEtJoFs/dboavD3ZCzY2:VgABQ+6kpcoh2MntHdbJvD3ZCz
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral14
- Target
  
  8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac
- Size
  
  309KB
- MD5
  
  b9b102e068106e1bb5ee1ec690f7e363
- SHA1
  
  0f162bff994a065fb08f224be4b5dc4eca2b73f9
- SHA256
  
  8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac
- SHA512
  
  88aa7fb366e047aa081f60e457f39233e805459025119bc3e9826449fd7db155bba0db3c560272104342cd52ed8d5b8a79de589b4acbe9e99727df23a54c1870
- SSDEEP
  
  6144:KDy+bnr+tp0yN90QE75F5OYc1u31g4TByMPCKIRuOJIk/:xMrZy90jxc1u31TTEPKqDb
Score

10^/10

healer redline mihan dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral15
- Target
  
  9a3f5d3f84858840f8bdd8879b66a6c1ccb772e507f7f09dfe1c5a88e2d33db2
- Size
  
  390KB
- MD5
  
  b93f1a3f111ee22a2f3823ba610df83f
- SHA1
  
  baec460007c3386a3ae433bd896bfb94a70bdc3e
- SHA256
  
  9a3f5d3f84858840f8bdd8879b66a6c1ccb772e507f7f09dfe1c5a88e2d33db2
- SHA512
  
  b1c3a057f81e7bcab8910e9c0d10c9be0e0c1121703036c0f5a92bb8ad2f39689109a88f8b00554cf78899f8903cdd7b56ad9ff65238ae3a27dd61fac738560d
- SSDEEP
  
  6144:KVy+bnr+Mp0yN90QEtnrqjIgNYmaprhm7Wy1NEgVNxfCcHnlRH9sCPRmPZGn2RM:rMrMy90PrYNYmaprhYMcHnl9i9RG26
Score

10^/10

amadey healer redline nasa dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral16
- Target
  
  ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707
- Size
  
  390KB
- MD5
  
  bb002c60488c5ef7e62f582fbc73646f
- SHA1
  
  0e67525e9d135927871ab92f6db6dd936b7e1b92
- SHA256
  
  ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707
- SHA512
  
  73d5f57444de77b0e4d52d9bb18dc58c3e715a69669412ada51dc7e978a1890db92f8257e014f3b774c2e25b9bb41bb175ed992e807a4c1afea6aa5944bebc74
- SSDEEP
  
  6144:KNy+bnr+zp0yN90QE79p5+F4wAg0rKWKc5Fu048imlYLPrB:rMr3y90NQ4KCHKPolYLPrB
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral17
- Target
  
  b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c
- Size
  
  479KB
- MD5
  
  db47b4c37825cb2fd9c877a3b03020d7
- SHA1
  
  7fad71f30334c02815023d7006be1949db1cdc23
- SHA256
  
  b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c
- SHA512
  
  a8186f91990faa44876f21263fedf43701ee1228c3e04bc5306f1c141b33a47fe255a319fa1d2685ba7942d746914c5267c583f41cba2433a0ae1c7212e8287a
- SSDEEP
  
  6144:KTy+bnr+2p0yN90QEU/eH4MDtIA/3Dh/GbLz2jJ2HDI7qNV9uaYyDjjBkI4KUrZu:hMrmy90iWYeZxc+ac7qZuIzB5CrgnMK
Score

10^/10

redline dumud infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral18
- Target
  
  b11b1b57a3bb5f7ea58bd5b191ab3813432fcc41e7f4e321fa61b848d8c86606
- Size
  
  864KB
- MD5
  
  ba371037effb3bc1fb01bb593a705272
- SHA1
  
  a557ecb6ba798abf36b6c691d19e50e03e2285df
- SHA256
  
  b11b1b57a3bb5f7ea58bd5b191ab3813432fcc41e7f4e321fa61b848d8c86606
- SHA512
  
  373624c6d599275cd090fe584cb5ce26f3acabd2ed070623470764e5a43d875a6c0220bd36b056299773f3b8ff12cf19ce261ab7edd80661ad8d5c3b535a7556
- SSDEEP
  
  12288:yMrjy90R4n/HwA+x/tRDFjep/9fX7ZqpYM3b3GOfGsBuku78cKIyVUYFYZT5zd+O:Zy4k/HwVZWZqScasI778FIyTYZNsiF
Score

10^/10

healer redline kira dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral19
- Target
  
  cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604
- Size
  
  491KB
- MD5
  
  dd10174f7fa3d017558c8310bf07d851
- SHA1
  
  08d795a3d2334906da989e46a7e57d4ba9aa9f41
- SHA256
  
  cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604
- SHA512
  
  a714e8babdc8d8a0a9f8e6ef6430d4f1cde70d3d80a902a1e247eb93bdf76e91fa89c4132708e0c632469b725c625ae65e30a908f02018f10b23460a02ec9d05
- SSDEEP
  
  6144:byblvlO3FlxJyFVsxRc4jdcE2rnfUT2pMBUdwrKkUfzK4V19X8GnYkCDWFElr:bOlvlGIsThKrnfnMBBSzK4VwGYF6FYr
Score

10^/10

redline lamp infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
behavioral20 behavioral21
- Target
  
  db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3
- Size
  
  481KB
- MD5
  
  b983bbfa2e93dade84538209720f5e08
- SHA1
  
  6aa74f2b866844d1b5fe626d72e29ff27ffe095f
- SHA256
  
  db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3
- SHA512
  
  11e6207c8144315a15dfd8c7e486a2fff3d0d77a9c860e775ef8f5c50f4f61b12ab57fc5e61a3d821676857e701ff2c221aa11832987fca344a2ed861d58158a
- SSDEEP
  
  12288:pMrPy90u/cEIpe3ZHY+YtBEn1C3xvimDfHWu2BI95:uyD/mepfK2WvdLH6m5
Score

10^/10

healer redline mihan dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral22
- Target
  
  dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc
- Size
  
  3.8MB
- MD5
  
  dcbb8546ac03e3ee841683345965b5aa
- SHA1
  
  f1200632683ac24499e819d076d999759b6e8c24
- SHA256
  
  dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc
- SHA512
  
  964cd4c3c1afcc069c59383e6de2f1d3f1f7fb873bb11c1552dd095529bcf6e6dd2b482a3b9f1862408dc6df15a5beb7d9a5f7bd1cd1e8a787e246fc6da76ed3
- SSDEEP
  
  49152:DtLCPo0lVRu6n4Vb/QNM0LZb5H5lK4tM5pRLoPPunS9NYnmJtE82FwIsUCGPdvmI:xSdlVRtngb/kM0LZbpCpi5GnsCw8dV5
Score

1^/10
behavioral23
- Target
  
  f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17
- Size
  
  274KB
- MD5
  
  db728cbf359c37fe47ef07fef8648cdf
- SHA1
  
  6bbde5a35fb494a1b3ba4bdefce2e813e04f6853
- SHA256
  
  f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17
- SHA512
  
  79daac25200bd5b39c6ee63ff11d00dc684650e5abb1bbef1c459c2167906cb33d821e4fb838c591393f7f2258337e10d8018aa0cb35103e2a64be492c341e9b
- SSDEEP
  
  6144:/BeaoQWhlmgEkiJUS+1zTi7IhVFzHoCuuiwpH:peaZ0wYZhjI4pH
Score

10^/10

redline 581694481 discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral24 behavioral25

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

PrivateLoader

RisePro

Drops startup file

Executes dropped EXE

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

RedLine

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

RedLine

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload