Resubmissions

10-11-2020 12:55

201110-tjrd82d9ee 10

07-11-2020 10:12

201107-lxpdbv9h4n 10

General

  • Target

    04psi.zip

  • Size

    100KB

  • Sample

    201107-lxpdbv9h4n

  • MD5

    ea211b888d483e9d624e7927aa6487bb

  • SHA1

    e7cec3c59fb6055ad5c62e1178a96a84e01d2a93

  • SHA256

    a10400d1b68c46db52f94a07b4e2714bbcf319778ee9eda05f6aab0e9f545c09

  • SHA512

    5c4a0eebc6910a39503d80d7cdcdb2a977576a7fccba7319bfd6434df58ce2e54de2bc4bcc64f0e5141d98f46eba465c79ece11e83d857bb8f9e28fb70817f68

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35xm.xyz/statweb577/

http://dexspot2cx.club/statweb577/

http://atxspot20cx.best/statweb577/

http://rexspot7xm.xyz/statweb577/

http://datasectex.com/statweb577/

http://servicem977xm.xyz/statweb577/

http://advertxman7cx.xyz/statweb577/

http://starxpush7xm.xyz/statweb577/

rc4.i32

Extracted

Family

dridex

Botnet

10111

C2

194.150.118.7:443

49.212.179.180:3889

69.64.62.4:4443

rc4.plain
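The two extracted configs above are the part of this report a defender actually reuses: eight SmokeLoader gate URLs that all share the path /statweb577/, and three Dridex C2 endpoints given as ip:port. The Python below is an added example, not part of the Triage report or of either malware family's code. It normalises those values into lookup sets and runs them over a few constructed key=value log lines (an assumed format, not any real product's log) to show the difference between a host hit, a path-only hit on an unlisted domain, and an IP hit on a port the config does not list.

```python
from urllib.parse import urlparse

# C2 values copied from the extracted configs above.
SMOKELOADER_C2 = [
    "http://rexstat35xm.xyz/statweb577/",
    "http://dexspot2cx.club/statweb577/",
    "http://atxspot20cx.best/statweb577/",
    "http://rexspot7xm.xyz/statweb577/",
    "http://datasectex.com/statweb577/",
    "http://servicem977xm.xyz/statweb577/",
    "http://advertxman7cx.xyz/statweb577/",
    "http://starxpush7xm.xyz/statweb577/",
]
DRIDEX_C2 = ["194.150.118.7:443", "49.212.179.180:3889", "69.64.62.4:4443"]


def build_iocs(http_c2, tcp_c2):
    """Normalise the config values into lookup sets."""
    hosts = {urlparse(u).hostname.lower() for u in http_c2}
    paths = {urlparse(u).path for u in http_c2}
    endpoints = set()
    for ep in tcp_c2:
        ip, _, port = ep.rpartition(":")
        endpoints.add((ip, int(port)))
    ips = {ip for ip, _ in endpoints}
    return {"hosts": hosts, "paths": paths, "endpoints": endpoints, "ips": ips}


IOCS = build_iocs(SMOKELOADER_C2, DRIDEX_C2)


def match_http(url, iocs):
    """'host' for a listed SmokeLoader domain; 'path' when only the gate path matches.

    A path-only hit is weaker evidence (the same gate path is reused across
    domains), but it is how the next domain rotation gets caught.
    """
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host in iocs["hosts"]:
        return "host"
    if u.path in iocs["paths"]:
        return "path"
    return None


def match_tcp(dst_ip, dst_port, iocs):
    """'endpoint' on an exact ip:port hit; 'ip' when only the address matches."""
    if (dst_ip, dst_port) in iocs["endpoints"]:
        return "endpoint"
    if dst_ip in iocs["ips"]:
        return "ip"
    return None


def parse_line(line):
    """Constructed key=value format (assumed): ts= src= dst= dport= url=."""
    return dict(field.split("=", 1) for field in line.split())


def scan_logs(lines, iocs=IOCS):
    """Return (line_index, family, reason) for every line that touches an IOC."""
    hits = []
    for i, line in enumerate(lines):
        rec = parse_line(line)
        url = rec.get("url", "-")
        if url != "-":
            reason = match_http(url, iocs)
            if reason:
                hits.append((i, "smokeloader", reason))
        reason = match_tcp(rec.get("dst", ""), int(rec.get("dport", 0)), iocs)
        if reason:
            hits.append((i, "dridex", reason))
    return hits


# Constructed sample traffic, not taken from the report. Line 2 reuses the gate
# path on an unlisted domain; line 4 reaches a Dridex address on an unlisted port.
LOG_LINES = [
    "ts=2020-11-07T10:12:01Z src=10.0.0.5 dst=194.150.118.7 dport=443 url=-",
    "ts=2020-11-07T10:12:03Z src=10.0.0.5 dst=203.0.113.9 dport=80 url=http://rexstat35xm.xyz/statweb577/",
    "ts=2020-11-07T10:12:04Z src=10.0.0.7 dst=198.51.100.4 dport=80 url=http://example.com/statweb577/",
    "ts=2020-11-07T10:12:05Z src=10.0.0.7 dst=93.184.216.34 dport=443 url=https://example.com/",
    "ts=2020-11-07T10:12:06Z src=10.0.0.8 dst=69.64.62.4 dport=80 url=-",
]

if __name__ == "__main__":
    for i, family, reason in scan_logs(LOG_LINES):
        print(f"line {i}: {family} ({reason}) -> {LOG_LINES[i]}")
```

The reason strings are deliberately separate from the match itself: an exact host or endpoint hit can go straight to a block or alert, while the path-only and IP-only hits are the ones worth a second look rather than an automatic action.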

Targets

    • Target

      04psi.exe

    • Size

      237KB

    • MD5

      4bc2708122b1e43131888d1beee6c560

    • SHA1

      8a82caf8b8f908898145e953ef8f1e665e8058db

    • SHA256

      3fc06d1926ada759903e4ebc197f9da5baa80fb8f729f34395dd7c67e2d58a8c

    • SHA512

      fcf714de9ae1d23ebe054f601938653f9643dbbf288319b4c3b2872544dbb2c82c5db8a4abc64a146648da9f5b71760ce485c1b5935473d214736438dffc2749

    • Dridex

      Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • CryptOne packer

      Detects the CryptOne packer described in the NCC Group blog post.

    • Dridex Loader

      Detects the Dridex loader (x86 and x64) in memory.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • JavaScript code in executable

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • System Information Discovery, T1082 (2)

  • Query Registry, T1012 (1)

  • Peripheral Device Discovery, T1120 (1)

Tasks