amadey

Sharing

General

Target

2dc65011521e7ad60108888f5371fb028a91e927b1073cb9289f80fd02ee1763
Size

10.6MB
Sample

240513-j4vmraeh62
MD5

387c73cb1f4e970fc0badc84a7a92146
SHA1

56cac9b8e358fe36dd32e8602f20c4fa1420ad17
SHA256

2dc65011521e7ad60108888f5371fb028a91e927b1073cb9289f80fd02ee1763
SHA512

b6dbf337a1fe5ef33ffd83d88ea46d7aff405f045423b11d0652fa848e85dc57e66b9465844223256d0d96bba6e572653874066425f262efa7f06d641b8bc639
SSDEEP

196608:0Y5C0hXFxHNR+z+2hf5ZYK28isQ3WYNb9npmcXjTIInqIBLcQF7zmNfVwhToyV7s:0Y5C0hRRqhhWK2DcYvAcHzX2Vwh8YanB

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

divan

217.196.96.102:4132

Attributes

auth_value
b414986bebd7f5a3ec9aee0341b8e769

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

77.91.124.84:19071

Attributes

auth_value
9fa41701c47df37786234f3373f21208

Extracted

Family

redline

Botnet

mufos

217.196.96.102:4132

Attributes

auth_value
136f202e6569ad5815c34377858a255c

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/NgsUAPya

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Targets

- Target
  
  1668096fbfea278168a053bdb5fffa557e8bf8afd9b1ea6f4de43adb16c9cd95
- Size
  
  479KB
- MD5
  
  7f49fbad9deac685128f491544e5c1ce
- SHA1
  
  36cf42fed2202916054385cc7e211b72fc291bcc
- SHA256
  
  1668096fbfea278168a053bdb5fffa557e8bf8afd9b1ea6f4de43adb16c9cd95
- SHA512
  
  39be089403bd511409164f64ae11e994dcf767d295dddf7436603c49e6e5715d149e7b529b074b04caec7bdd223fd01a62aad7936e21c1689e1daf87059ddacc
- SSDEEP
  
  12288:TMrSy90laaW4gICwq90wpMWmgPLlzJkW4IRQRiXMZpZ:NyahW4gICPrTmshCWVhcZpZ
Score

10^/10

healer redline divan dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  2159151861e461f2ae831fef44ef4a519defe4741536ef19cc47163f7504ce2d
- Size
  
  479KB
- MD5
  
  6e781f1e4a262ee83b43f80fe97bd5c5
- SHA1
  
  41cb282926f44cf675588fc7a1786d507835faf2
- SHA256
  
  2159151861e461f2ae831fef44ef4a519defe4741536ef19cc47163f7504ce2d
- SHA512
  
  a98e68d010b7c0f77d6ace5d3162e3216f07022426d661211c077391d11d8dd09ebd4fecd37c696bc4574ab12ef4b9513ae2988479fd7200307f57a74fc01cec
- SSDEEP
  
  12288:UMruy90kvTNQ6sxa8OHz6Relk06eJrf3Gd6xDLu:6yFNUOHz6RelXr2aLu
Score

10^/10

healer redline mufos dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219
- Size
  
  390KB
- MD5
  
  719e6ea06a5fac6ac3a3730e45fd1b75
- SHA1
  
  fa45885b397266a12ceb20cd060f70fd0f2e4b1f
- SHA256
  
  22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219
- SHA512
  
  3c3e4348ad6d76094f65dd34ba3b659b405f058aff738b43a27c87264a3ee706443e484cb1221326bc0ffcc641008c3c7fa0f81a81fd1192d7527ada3eaa30d5
- SSDEEP
  
  12288:VMrqy90GeXkEY3eepM9CcrGdRcHnl9yUBQJ:Py9VEY3sC5mHs
Score

10^/10

amadey healer redline nasa dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  2a0ae333a9b72768e8a05e7ebbfe4b15cf581f8c08129c0639aeed58eaf7901a
- Size
  
  333KB
- MD5
  
  70b649dc98496fdd95d3c31dd28c8a96
- SHA1
  
  8ac9a901047426fcaec73a4fa061b85ab28a378a
- SHA256
  
  2a0ae333a9b72768e8a05e7ebbfe4b15cf581f8c08129c0639aeed58eaf7901a
- SHA512
  
  5a3c19ceee7df6d988bb3ad15c6242820629da8c941f69773f30fc7491a63629f6b1cfc603b2167b04ddbb85d304c1938b3f0d6f1af89af468a6ab5fb0ad873a
- SSDEEP
  
  6144:R1RwZfFQDiioMvzATd5W0jbSXRYyghzqjjjjjjjfMNV4iJBcp+0Xp:R/zDiioMvzA+iyg9qjjjjjjjf+V4iJB+
Score

10^/10

redline 5345987420 discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral4 behavioral5
- Target
  
  4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df
- Size
  
  390KB
- MD5
  
  7b950b64ac08857b3deccaaa87a316a0
- SHA1
  
  9235f96b6b4b5c37b581556dadfa30dbce857034
- SHA256
  
  4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df
- SHA512
  
  41ffa8e9e51b67eff9f36c16cca9df10f7b2b71f6cee51fff1efed0e81b5a07c334c2616957258fa150192333cce87dd23459764e86e302d61325619c420766b
- SSDEEP
  
  6144:KMy+bnr+lp0yN90QEQ7y6KGyF4tgKY4Jrovv90vgBZ+t4UD9AT8sJeQ:0Mr9y90AyeVY46vv0gBYCU3sJZ
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral6
- Target
  
  53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36
- Size
  
  389KB
- MD5
  
  721cdf94a8e81b489d510d66052c869e
- SHA1
  
  57c76085e66f4dabbcd3a06f782688f323722642
- SHA256
  
  53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36
- SHA512
  
  1f2a7bb699d0b71a7b96d1fbe71209762c008372a5780e2eb944d45a0261b4f2f9053553b34f5682125a39e4118f11d78a63ad3ef95d95a0b589413206f6442f
- SSDEEP
  
  12288:nMr8y905KXq38E0oTFiMibgBYCU4tRuvk:fyUKO8Ku0zjfgk
Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af
- Size
  
  769KB
- MD5
  
  7b850001f5713cbeaa0078d2b4a1f406
- SHA1
  
  e68fde0f08bd2353d118de3cefcbf2e6aca2ce7b
- SHA256
  
  75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af
- SHA512
  
  e1f35bd08f29bb6452ef58f318f7e911826b6f57e4418069a07e26d46599837acb2ed238da7179b253fbe57626d3f4886cf819cdf85b76de1bb5e42fa0ae6e9e
- SSDEEP
  
  12288:9Mroy90eCrZAz38uIrbDgTncDTLc97yZe6r5H+LcPyK:lyUaz38rrvgQfLc1ylwoPh
Score

10^/10

redline lamp infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2
- Size
  
  479KB
- MD5
  
  7747534e219072927bd32135135ae16e
- SHA1
  
  09d12fe65a0042fd7f9a78d161a4c1193bf61c42
- SHA256
  
  77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2
- SHA512
  
  05976911d28cfb4c68217e152f6896b74a0d541429052454899c062131a04948a9ba48b3ac84823482c8a69695ad08e7e73c20e9df51859d9bebf3bf4b861cc9
- SSDEEP
  
  12288:RMr+y90ywjI0R2o/+h6H7yB9VCqUr6ObeGTlq:DyvMRZ+0H7m7xUe+LA
Score

10^/10

redline divan infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral9
- Target
  
  798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b
- Size
  
  390KB
- MD5
  
  77871a3c4e9d08f0bc052ba62e12af12
- SHA1
  
  3ef6e6678685530de4df5af5fd5b9d60787c3b8d
- SHA256
  
  798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b
- SHA512
  
  89eeeb2049d79b7ad1c4858c5f06c126780e2e0e13023ce18835930f6c9d127a1054fafbb1f25045483e741a5adf45ce7f60056b37f8f0ef913719b7f614c60f
- SSDEEP
  
  12288:AMrXy90QaSqo3yXhVTXgBYCMwDg8vz2zI:HyeSL3uhezjs8rII
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  79eaddd1dc15f0cdf5e503c8eff40a9cabfc9aca470a302c9e868d65a3670c70
- Size
  
  478KB
- MD5
  
  7f14be90da456e71fecfd8ac89d2cd2b
- SHA1
  
  87e9180ae88e72d5f10549bed0ab35814771fac6
- SHA256
  
  79eaddd1dc15f0cdf5e503c8eff40a9cabfc9aca470a302c9e868d65a3670c70
- SHA512
  
  e42e3a3ef28fcae134e58e3f308c678bc3ee9fdc3e4b8b1235f6ef0de67abd0a6ea20a8cbf31b6087e6f8e7f83c5742959153e453e675f4494162625044835d4
- SSDEEP
  
  12288:kMrQy90LlnmDAGXyy1TBdamxmuEW9YWJyclYT:UyilnmDAF4T/+uf9YMtYT
Score

10^/10

healer redline mufos dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral11
- Target
  
  80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452
- Size
  
  1.0MB
- MD5
  
  774a173c2d0a5266b73ba5527e606bbe
- SHA1
  
  13173b00db1bff7e45c00be7327ae24bbb6e2ca6
- SHA256
  
  80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452
- SHA512
  
  076a9ad2a5d639f932936bc5d614fe0b2bdbfe162134eecbd706ef3ff979930e3efa7a2561935b445ee3f5e6e837c3e1fea8cd4b280d2f73f412106df05f8639
- SSDEEP
  
  12288:dMrly90aVXB6zrLW/kRNgMwsBpdTgep1Ez7O92GtV4zCpGr1DUzAWXZnQ2P++3qG:kylXB6XOALgepYO4GcFrQXZnBP+uqSh
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral12
- Target
  
  9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0
- Size
  
  1.1MB
- MD5
  
  74528821220b4f1ffd8a0c91852abd0f
- SHA1
  
  2e9219f3fdb0e6341840bf9c58cfc4fca352338b
- SHA256
  
  9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0
- SHA512
  
  27769622b4c8807c63c8ebee8e166f1fd46fa5cb606f0b54df9fa3f6364ea684011e0e5f749546ffc4c530959deb784c99e52aef2e93228889d9e3225a35577e
- SSDEEP
  
  12288:9AxJ1c9psKtwW7IhuOXUPJuI85i8gTohuVohatk6j0O/H9lm0:9i1c9psKtwW7m3iM5i8VKtvj0GH9l
Score

10^/10

redline breha infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49
- Size
  
  1.6MB
- MD5
  
  7d32073410b319d087fce19d1e06e567
- SHA1
  
  db8fc2679ad185f7593223c7c9b1bd24dc9f9c14
- SHA256
  
  a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49
- SHA512
  
  7f488b6974d89acb19da09df9784df631203f4ef1693c72092d0eb0cc3ed663332381ae3f052d479942acbf271466f2a8160009ebe0dceddc450a3b5818c6af3
- SSDEEP
  
  24576:3y9qneMGcM4DVQJBTkCn/H6tfxjl/zq9exWtOf2K1UkGmTXDqKbv4d3:C4neMZMJBT7n/+JjRq9ex0K2yDei
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral15
- Target
  
  aee53fccee33b73dab9491356e6eb50d71b3b380ca589b649b6ec63ff792c3da
- Size
  
  479KB
- MD5
  
  7903417a4425e5f819fdca4ddb5a4ae0
- SHA1
  
  42be90bb5600574abb0b37113b65b32d6388b7ff
- SHA256
  
  aee53fccee33b73dab9491356e6eb50d71b3b380ca589b649b6ec63ff792c3da
- SHA512
  
  11fff0808094ce693e9af5c1f3544f8efad57f5014959329a41d5d76ff92f9be45a3963b9307cfa829694d743f86b1c56f342b38f4f52d5f602339e5bca05fbf
- SSDEEP
  
  12288:qMrSy90q5EwvocAm820Gfl6pleAG/R/7hhVecnO:syMuocdMy8Hel/R/7hJO
Score

10^/10

healer redline divan dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral16
- Target
  
  af9c5ff480fec8f9f7f8c274ed08c18a4e5a894eec2eb3577031e60657b87b30
- Size
  
  493KB
- MD5
  
  751240a12c22d583c8bd9a764351f4d3
- SHA1
  
  12634abd225dceda347cb5b16bf036d5a247340b
- SHA256
  
  af9c5ff480fec8f9f7f8c274ed08c18a4e5a894eec2eb3577031e60657b87b30
- SHA512
  
  7c3eb6e4c3b4cdd14f30d2bce08852e007443494b9fe1314efba77d0b40b0604f6108ace8483cd14f6125cc5fa32b8e10b331744771bf91ff056286fda20f975
- SSDEEP
  
  12288:tvDTGTc8/jVKygRliE66auiqpvZXhu7aVuVmi9l1IPa0Xp:tvDB8/l0a/SZhHVuYO0T
Score

10^/10

redline zgrat discovery infostealer rat spyware stealer
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229
- Size
  
  390KB
- MD5
  
  797a5feff99655f0d85ce2a57b7db03c
- SHA1
  
  4e6faef04eb706282a621b44f12ab9f1d46c2922
- SHA256
  
  bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229
- SHA512
  
  33d1c0e066306f4d67d1db2aef636e142c515c2fdc4c471c7d0abfb8643181196e752715b44cb6fcf8a7188c93244e109c6e7c02b6c412d2b82293103dc19251
- SSDEEP
  
  6144:Kty+bnr+1p0yN90QETEySSJAvVcQlhRAbR4SZZ1QMmHYYgtVNaAL0C/:fMrxy90xEyFkXARPqkNTYC/
Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral19
- Target
  
  ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4
- Size
  
  771KB
- MD5
  
  7ffad6f51f9598958204eca8679690b0
- SHA1
  
  aac9ca0423c177d041dcb22832f581d8c39bc184
- SHA256
  
  ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4
- SHA512
  
  6a0feb1278e1bc5742a4b8909a6818743841e0d16b935d659fe6a60cd9837563ea5ea7ef9973afa1cc64c41681e140d5e7c85300346c875d1b17571aaff41430
- SSDEEP
  
  12288:uMrLy90EtWzfh9lViybaDJcyMYLk4hC+D+SjbIyWAcDSGb1cqSU0Rzyqj:xyfWFARJcyjJhBNmdcqL0wqj
Score

10^/10

redline lamp infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral20
- Target
  
  dda511575fe2d4e8cc7e7dfbf500a529cbd2a5acc24299b8217d603401322c2f
- Size
  
  1.5MB
- MD5
  
  6ba00ad9a91f15dd444ad429ac2c2247
- SHA1
  
  23f67b9d77ed808f1a3b22a7a48a70bf931ee11f
- SHA256
  
  dda511575fe2d4e8cc7e7dfbf500a529cbd2a5acc24299b8217d603401322c2f
- SHA512
  
  2bc5fa1df9db17837c37d37773447c485676f0deb06600b6d9d5b82e7a6cb605d175a7121a1688ce875337bd76d0cc18b3e90398a050f451acad22844f7a5261
- SSDEEP
  
  49152:xuMNfHwZ5+uSS08H6gD5CoqkmaBshMG6yVn:Z+5+ulaQ5hcaBTG
Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral21
- Target
  
  ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb
- Size
  
  479KB
- MD5
  
  75455a1d7efce484f8b3d7814af0e5ff
- SHA1
  
  d0fd6f9781558482370265a22b8378c569c5ce97
- SHA256
  
  ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb
- SHA512
  
  d2e7b2008cbdfde8f15eaf6f4fe6767f1b1325079b2ab3ca9e0c4344e4a4bdc94d1f6d34f02a5311dec3472654ed541ad35c3cc32faa4d5c0eea0472e14a8e6d
- SSDEEP
  
  12288:8Mr8y90kFoPbEy+EEG8HUF8OANI9lhCsnr:oyv6Pw7g80OqhNr
Score

10^/10

redline divan infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

RedLine

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Amadey

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings