General
-
Target
red.zip
-
Size
11.6MB
-
Sample
240510-svrzyafg56
-
MD5
6a94dc2b56d46cef13edab2aa435c7a7
-
SHA1
ec31265a6ed47d40b2918e30890a4bc039381d86
-
SHA256
2685b451d5bc5d1cd7c159a87efdfacd5a60c314491404e6e60e752ba3db90cf
-
SHA512
4a9666c92fcf984974c65892f3ff5af316a2a14e72d90c66bd9ca916768a6f54ccd8f6e7901a2f791bb1ad2b7b398af2d5bbf259bfa886c6f74033029d4bb75c
-
SSDEEP
196608:gbaEnldWo6DhxDepFuqrJWMBXRe+HRYN50dHvczL1ZZ7QXdnH31:6hn2ngoMBheaYGdHUflQpX1
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
crazy
83.97.73.129:19068
-
auth_value
66bc4d9682ea090eef64a299ece12fdd
Extracted
redline
5345987420
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
mihan
217.196.96.101:4132
-
auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520
Extracted
redline
dumud
217.196.96.101:4132
-
auth_value
3e18d4b90418aa3e78d8822e87c62f5c
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Extracted
amadey
3.87
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
gena
77.91.124.82:19071
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Extracted
redline
7001210066
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Extracted
redline
kira
77.91.68.48:19071
-
auth_value
1677a40fd8997eb89377e1681911e9c6
Extracted
redline
45.15.156.142:33597
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
krast
77.91.68.68:19071
-
auth_value
9059ea331e4599de3746df73ccb24514
Targets
-
-
Target
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca
-
Size
3.2MB
-
MD5
ebae2001c178349478be67bcab2f95e3
-
SHA1
53f98b5a0e55f4fea161e69ef617e6225270914b
-
SHA256
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca
-
SHA512
c8f48338abb5e7c95dc316cc25352286344fa297cfc507328379f23fc819c47490bbb529ba5854a6ccd99c8345c773d8800dfed48ce914754464d2ad13adc378
-
SSDEEP
98304:PeI0efBuRWQ88ctBoLsh/Q7G9ao7cwdizRS:PeIdBuT8bthSG0oc
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Executes dropped EXE
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Detected potential entity reuse from brand paypal.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837
-
Size
235KB
-
MD5
ee5e79d00a13fde9e96a1f9953f35fea
-
SHA1
788be8b6304f138f5c7bdf00fe98562de6f2790d
-
SHA256
10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837
-
SHA512
26b1209bb16d6e5ed3dabe6fc18e6ec425197ecfd26f2038d9d796cff93d25597c774ca01fec5d975457ef7e544b9d7f7d09372e391c1823b4a7e3bcf94d0c49
-
SSDEEP
6144:KCy+bnr+0p0yN90QEdHyEL9MR1SKgfYLNYs1Ul8C2N:6Mrcy90zgoYLWs6l8V
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab
-
Size
515KB
-
MD5
d9913d9f643c9aaedccb2c7e055ed031
-
SHA1
f9812f588b1a16b6d292bd553695404858dae7b6
-
SHA256
1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab
-
SHA512
51ce523840bec8f71baaab82b7841abbb825276280142cb67a84276558bb640a5fee511c865862868cd1f15ecddaeaf6e4c0feacf826751d37229577384dae00
-
SSDEEP
12288:KMrxy907uK8EElOOinxnMP+vIPGBEARwMrXu72wuL:TyquPo/nZ4LPGBEAdrXu7bo
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334
-
Size
479KB
-
MD5
c08646927da5c5d8a10d00dc194d535c
-
SHA1
b5ebe052683cece0e76c3bc4b6ed3ea69135fd6d
-
SHA256
22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334
-
SHA512
4adfcf01a79d1c51f2d59ee76e8f123b7b978aca5e9d6b25806a06c69c1fd35c929c95b9031f060b9bda894bb251d8d028a7d0f7cce56e2f9a8a1d126091e5db
-
SSDEEP
12288:6MrCy904vqxlqBUm/MdW5c1u31PTaEtfhacB+GDm:syL8qpMAXhTDaoDm
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94
-
Size
389KB
-
MD5
be20e8d108cf9e94319678c0f61393d4
-
SHA1
9ca7da9916d071095a2985ecb2408f24f9978453
-
SHA256
277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94
-
SHA512
4a60a1bb61a320deabeeebb508685a024c2b6c1d065221bc5a2682a90193300899d49e355675b84293875486cd08e94d582c95df886ca3330bef74cb0921afca
-
SSDEEP
6144:KPy+bnr+Lp0yN90QE9dx9l253NzJGHDRezddZ5ULvrGEf51/HmbTME:FMr7y90P25uFEnwrGEr/YT5
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729
-
Size
390KB
-
MD5
e5623dbb07c715bf40d82dd36df6cd45
-
SHA1
1e636843ca903406cf011d2359e300737cbc9176
-
SHA256
3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729
-
SHA512
3cb7f3805046123b7b6297783478c41f7a02a154fe49957e4a866b0ea29b1dd697ef0a1cdf4240603d4b4e08a26d4d1220d89e86cdcfecae350c1fe9512317c1
-
SSDEEP
6144:K6y+bnr+2p0yN90QELJRVtUdXkWcnZNTQR52pX5B9I9/VULECcHnlRHnnXUQtLQ9:6Mryy90VnbyWpDy9/ihcHnl9XXtLQ9
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
3bdb06aad8f213ba8c98a80c76648a19cb074038ed82c6e1c890c4181bbd59f3
-
Size
725KB
-
MD5
be424b59326042345df5cd6256365a3e
-
SHA1
3bd378a515541c0cbf6160e7b86a503fae60bbc6
-
SHA256
3bdb06aad8f213ba8c98a80c76648a19cb074038ed82c6e1c890c4181bbd59f3
-
SHA512
cffd36825844a4cbd10606940ade0458da9cc96cc38b0704b3e7e5d4d95a17976c96ae7c220d790b4aeaa3e02c23ce8213579bbd51ac8025567acaaf2f6f3806
-
SSDEEP
12288:fOIxycqgrCPu3vKifWEZoVDoTK/Tw6ilT0Kb4qoqjeGlA:fpAgrCaSifFhKrw6iDoq
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
-
-
Target
3d03f2fde9b9bf8b3069d0b3bdf2625973d4f23daa92673be4185d9c0d5f2500
-
Size
389KB
-
MD5
bf563439432ac3c78acc59067f958e56
-
SHA1
23ccf3dce712ac5e26a59aba66593b785b8f7463
-
SHA256
3d03f2fde9b9bf8b3069d0b3bdf2625973d4f23daa92673be4185d9c0d5f2500
-
SHA512
93983179bc5dd6bc8fb1cc75bf93553b427d2b84e4bbb3f2407e8c0b554280a259f89667007e12157a32ce99f379cfbfe67ad61015b6ef8e0298d686ff521505
-
SSDEEP
6144:KTy+bnr++p0yN90QEzo3Vcq21/X3pKBlMUepPXqKmCrjywubTdubmRVmjnVu6F34:dMr2y90sOq21/oalLvy3u42wWg97
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71
-
Size
359KB
-
MD5
eb475f3a8c4a25a19fa0abdc1e907952
-
SHA1
8988b40a69f6cb754a42bc5c7871ed839629b504
-
SHA256
40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71
-
SHA512
3199b26a1ce8049c64556a2a9d0465c3ffa479594ca01d7ce052ba64fd128ab9da6302bf55baaaf59479e3a4c53f0569d93d7bb4d1566d1d65b4864b4a20af09
-
SSDEEP
6144:Kiy+bnr+Yp0yN90QE0u4z6ibeyRRmxXl7FiiOhCn2v2wTcpnC:2MrMy90N4z6iExV3OhCn2xt
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02
-
Size
302KB
-
MD5
c0e3f771bcbb789d734e7d3e1b1f4e65
-
SHA1
02e6e5e508188955181ac98bb1b9c414d2c1aa9e
-
SHA256
53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02
-
SHA512
c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118
-
SSDEEP
6144:QWzRT5OXkMMnTDs7UNVS49kCNQSzrs5kLJhHVugiqtciLRcx:X1T5nD7NQSzrs5kLJhHVugiqtciLR
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of SetThreadContext
-
-
-
Target
6286d393c93044fd5b8363ccad5324fadfde3e3d9b340ec908941eab3fe90652
-
Size
315KB
-
MD5
bf89c72f6388b3884699e8081c8314c4
-
SHA1
587f7e952669cc84756181deff315132cba078d4
-
SHA256
6286d393c93044fd5b8363ccad5324fadfde3e3d9b340ec908941eab3fe90652
-
SHA512
fa90330bb2e3a16579de6ae76bda2371b7e18e246ebcaa7432d010f2743e944bbf5e494941bb2d3192cc4816fa97e64cefe31f61817cd6cf18b38e9cc81b02ce
-
SSDEEP
6144:pR99pI60nbM8uPZy3+8KIDP3uSEykJUxDyvPH3ef5AvnKXHS:pr9+60nbnuY3PEykJ2M3ehAsHS
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421
-
Size
480KB
-
MD5
c02ec5e8fc2fe204743dec04b2cbccd6
-
SHA1
d717abef0062b1d3e57d98ccb9f85ccdc7b327bb
-
SHA256
66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421
-
SHA512
0e38a7a0c888c838c86e6fe0deb81670013eb115ead38c897234a092667b9b7ba5422929ac7a49d7d65abcd9980df20775561e56c78cc77c56d25c5a6db3b265
-
SSDEEP
12288:ZMrhy900QM7wc96iwcErPP03xzz97vGNbVSgUu:EyBuLiwcG4zzZvGFEgUu
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
7c73d83c0a0062c5cead0597dac9f90beac93ae125536330571cadd52acefe75
-
Size
480KB
-
MD5
ebf83062f40b343b023a1b0f6642e146
-
SHA1
ab96700bba473de2cf6aae2705628430b640a981
-
SHA256
7c73d83c0a0062c5cead0597dac9f90beac93ae125536330571cadd52acefe75
-
SHA512
7a60dddafa0f3690af046a64c608b2ca2d36fc6a79d3a381fef13bdb0bb059c92293db70af6a1f6fd4908c92de8ea4dc635eae68c064c49a518c8b1f81ce4549
-
SSDEEP
12288:0MrAy90IlVP6Jn5Xb8ubn85+G/Ndq4RfED9PgIP42:Uy7lVCTXoubI+G/NdRJ+9IIP42
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817
-
Size
389KB
-
MD5
ecb22f79e71a59c4894d1e5d8c1e5fc9
-
SHA1
2207da5846db951af84b3bcc1cc8fb55ab05cb95
-
SHA256
bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817
-
SHA512
975684b217b7ccc5f5819b75de371efab9a70b2be15afef048b793159718d66bf8f78325747e8ee5c6fcf059aee692d00b640a697d9521768f912f7a9b32fc58
-
SSDEEP
12288:FMr9y901Cn+QmrzXRYcvB8gBYCsmbp4cy9:cy3+zjRYc5zXbpi9
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52
-
Size
476KB
-
MD5
e8caa8893f50e0966996c562c5eb98c6
-
SHA1
c40d0c633b13045071520280d46f4e46bb13585b
-
SHA256
c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52
-
SHA512
a046db8a5d6517a1666128eec70ccf1d1a7e43d3a82b1a611a0682098c13be1f2f4a95eda33b5a5458c963cac460d684e7fad34404b23fbc4243b37b788e55df
-
SSDEEP
12288:GMr+y90sHo/b58xomWqrWmDmuKRiEXYp7FMkCeHQYbuQCvZReT:kyXHk58xosWgmuKcEAFXHHQ2WG
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab
-
Size
390KB
-
MD5
ea4c8fd3c2d26a95dad5562a25fdfddd
-
SHA1
9c667037c530458e8d1487d63264d48ee61468c7
-
SHA256
c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab
-
SHA512
bd344a8ed2c93baa2b1e5077d8e103f096c6a4e9d2bdd01578374f8e97eb28c5527dd9b0dec268b93995ce9133459d9db3aaa274cdd7fa48368b57795702909c
-
SSDEEP
6144:KXy+bnr+Qp0yN90QEnqqTiS9Kz/8ZVyVgfrxGW5VY5p5xyCVQe5P5XxGnnmJ0bGe:BMrEy90HdfrxGW5zCVQI5XxGnBGy2e
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54
-
Size
1.4MB
-
MD5
ee2b40ddaa498948143e583523b15aef
-
SHA1
b246f477308da6a2973d755c1cd023465049b234
-
SHA256
c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54
-
SHA512
bf9a360e1f67e00a77eba27c9939a720bda97f5d6c51fd65401f496eff7289b1862f76aa67c44bdf8df66efcaaef488d1f855ef0059453c0c2ebee7d1ae5af94
-
SSDEEP
24576:Gyg7pPRAxomGgmAKDEfFDbHQkIrak7dzFh4gUnTpnoHruMyAl0lokb6lOjKVyX+v:VkpJAxwcKDEfRQkYa874gUnTp4WAl0lG
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
d1e8dbd66731cd0a95e444d0fda9ebdc32fdc49845c43907cd292619ac4e88dd
-
Size
307KB
-
MD5
be44ddb40e085d64a8405eb231963d84
-
SHA1
089450ca5957daa8a8a3a346c6e497000c25e5cc
-
SHA256
d1e8dbd66731cd0a95e444d0fda9ebdc32fdc49845c43907cd292619ac4e88dd
-
SHA512
aedd56e83d7927b377ff827536ef601ef40b119ac3eef701b91d02d8ef2f11df222469a08064121118413e161ae5fef8060bc71df7c5675583ac5f8e3bad3c63
-
SSDEEP
6144:KNy+bnr+op0yN90QEwwSAl5E1S3+/9+S/k0KB5Njk:HMrUy90JrwS2ZKbu
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
d4fbce6f6a714d781d28b578580461d8811477b0156700a58b25cdce361c4186
-
Size
332KB
-
MD5
bc7667c9a8b990da87c094cedd6eb6b3
-
SHA1
e47843e711378f3cf738eba4341f44d410ca8e17
-
SHA256
d4fbce6f6a714d781d28b578580461d8811477b0156700a58b25cdce361c4186
-
SHA512
b7319862ce5b0f1b17506da2c19d90b5def5e0d9313f789755d4e492c83926b185793850ba7fc756ebdaf00fafa39eb51b27a4d62ab7472ebc546751eb16c1c6
-
SSDEEP
6144:WlZwB/LgLB340nTaDpOU7riHRkyghfOQE6q53Ppu9VA/4X2WFU23+0Xp:WnhLB340nTP+ygFLE/xuU/iU0Xp
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
d7873c75af8bf0f44eedb5171fcab5b70d157578f4a43aff8aaadb23058cb1a3
-
Size
390KB
-
MD5
bcf3bf79ffad508d0c6614b13a236386
-
SHA1
b6123c6da65ce8c9f1d79f74e9b6f2da2a3db14c
-
SHA256
d7873c75af8bf0f44eedb5171fcab5b70d157578f4a43aff8aaadb23058cb1a3
-
SHA512
98b8f97c949e8a65ccdcf316c2f5f2fc5fe22618ea2a80ce4395ff66297fd03f324ba3825feaf2997d6dbc596a3527ed495795165ccf5621d1a5cc60f4fb5446
-
SSDEEP
6144:Kjy+bnr+fp0yN90QE7c7Yla5bG+YvzSs5TpZ+xGYXJfcCcHnlRHuhyGXBcW:JMr3y90BsYlGFAzSk07JVcHnl94XBl
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
-
-
Target
e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e
-
Size
857KB
-
MD5
e51f5ef0b3d5038c9e1b0b5516244e8c
-
SHA1
d1d5a940665d849f900e8a369c29f0fac7c1374f
-
SHA256
e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e
-
SHA512
b5f4eccb3c51b84c315b966ea819b338b0cb8b6970b8c85749f123f9a6c06b0b76e64b29c303afc816b4c338860388d6f3c47e2a10f99828a7bd004de001c19b
-
SSDEEP
12288:7MrFy90I/vsuqkr+jSMqxvObV/znJyyd34t6G6Gxzbj4kx2R2V/dBAo+HES2VN9T:myN/vXx+6GR/t37sJbj/fLAZ6Nlb9d
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
fa1fbbcbd6fb540be61aeb0eb89533d4e8d0fb64c2d0bcdd3f9263ff954a2acf
-
Size
479KB
-
MD5
d8ba35f7b821e33dd4e8dd1d4a1a1ff7
-
SHA1
68ba16618303a524fe0ccb08c6c8f9ec76b95083
-
SHA256
fa1fbbcbd6fb540be61aeb0eb89533d4e8d0fb64c2d0bcdd3f9263ff954a2acf
-
SHA512
503c083575e31ff8d018b803d68ff369ff60600bbe2c3b68e8e33f753e8b4bd6c8fb81d497f03c2d3d429c42cceb27db706e964724703948d882f2d34c435062
-
SSDEEP
12288:3Mrly909Cys0IXjepj9IOpG/yeS8Nksh+++WZxRe:SyCijnOEN3h++tvI
Score10/10-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1