General

  • Target

    Inv_26726_06464.xlsm

  • Size

    54KB

  • Sample

    201123-hewhgqgc46

  • MD5

    b403bcb2e1902f9851753976c5e6c3a7

  • SHA1

    845932e0c3c0b743f5fb5eb56d3e056706ab91d6

  • SHA256

    7ce03706ca499ae052de8bdaf9181f4f059cae19fd22fd52a902e2fcdb27f32e

  • SHA512

    30367dc639491a990ea5c7e9ec2adbbb19f305fe6157c35a0b4a0f974cb8151fabdf3ff3f1a99603f73191fbe4676cf9f29e132558aac881a776ba3d796a7436

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://penodux.com/xsmkld/index.php

http://tommusikirtyur.com/xsmkld/index.php

http://ploaernysannyer.com/xsmkld/index.php

http://dersmasfannyer.com/xsmkld/index.php

http://derdsgdannyer.com/xsmkld/index.php

rc4.i32

Extracted

Family

dridex

Botnet

10444

C2

175.126.167.148:443

173.249.20.233:8043

162.241.204.233:4443

138.122.143.40:8043

rc4.plain

Targets

    • Target

      Inv_26726_06464.xlsm

    • Size

      54KB

    • MD5

      b403bcb2e1902f9851753976c5e6c3a7

    • SHA1

      845932e0c3c0b743f5fb5eb56d3e056706ab91d6

    • SHA256

      7ce03706ca499ae052de8bdaf9181f4f059cae19fd22fd52a902e2fcdb27f32e

    • SHA512

      30367dc639491a990ea5c7e9ec2adbbb19f305fe6157c35a0b4a0f974cb8151fabdf3ff3f1a99603f73191fbe4676cf9f29e132558aac881a776ba3d796a7436

    • Dridex

      Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • CryptOne packer

      Detects the CryptOne packer as defined in the NCC Group blog post.

    • Dridex Loader

      Detects the Dridex loader (both x86 and x64) in memory.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112): 1 hit

Discovery

  • Query Registry (T1012): 3 hits

  • Peripheral Device Discovery (T1120): 1 hit

  • System Information Discovery (T1082): 3 hits

Tasks