General

  • Target

    7a89fca1f47fc0362c37c24e22679e8711b46d90a13d14d76f78a55c3afd3220

  • Size

    223KB

  • Sample

    210906-h1p3esdgfl

  • MD5

    6510dcfe8de4a0c93235e1408accd14d

  • SHA1

    a9eec258630662fec2b9795e31e52849e87cbcaa

  • SHA256

    7a89fca1f47fc0362c37c24e22679e8711b46d90a13d14d76f78a55c3afd3220

  • SHA512

    b4193659c9e58fd707cdee1d77641171c8b3bac49f30331f1cb0289140f96f15420bc1cff1129ba5add11d32789173b3962b7331c5b6f66c10acfe69a4953e22

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://fioajfoiarjfoi1.xyz/
    http://rdukhnihioh2.xyz/
    http://sdfghjklemm3.xyz/
    http://eruiopijhgnn4.xyz/
    http://igbyugfwbwb5.xyz/
    http://shfuhfuwhhc6.xyz/
    http://ersyglhjkuij7.xyz/
    http://ygyguguuju8.store/
    http://resbkjpokfct9.store/
    http://sdfygfygu10.store/
    http://hbibhibihnj11.store/
    http://vfwlkjhbghg12.store/
    http://poiuytrcvb13.store/
    http://xsedfgtbh14.store/
    http://iknhyghggh15.store/
    http://wnlonevkiju16.site/
    http://gfyufuhhihioh17.site/
    http://nsgiuwrevi18.site/
    http://oiureveiuv19.site/
    http://ovrnevnriuen20.site/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    vidar

  • Version

    40.4

  • Botnet

    973

  • C2

    https://romkaxarit.tumblr.com/

  • Attributes

    • profile_id

      973

Extracted

  • Family

    redline

  • Botnet

    200

  • C2

    45.14.49.28:56898

Extracted

  • Family

    vidar

  • Version

    40.4

  • Botnet

    948

  • C2

    https://romkaxarit.tumblr.com/

  • Attributes

    • profile_id

      948

Extracted

  • Family

    redline

  • Botnet

    big_tastyyy

  • C2

    87.251.71.44:80

Extracted

  • Family

    vidar

  • Version

    40.4

  • Botnet

    937

  • C2

    https://romkaxarit.tumblr.com/

  • Attributes

    • profile_id

      937

Extracted

  • Family

    redline

  • Botnet

    binance

  • C2

    212.86.102.139:32600

Targets

    • Target

      7a89fca1f47fc0362c37c24e22679e8711b46d90a13d14d76f78a55c3afd3220

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Modify Existing Service        1      T1031
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Defense Evasion       Modify Registry                2      T1112
  Defense Evasion       Disabling Security Tools       1      T1089
  Defense Evasion       Install Root Certificate       1      T1130
  Discovery             Query Registry                 2      T1012
  Discovery             System Information Discovery   3      T1082
  Discovery             Peripheral Device Discovery    1      T1120
  Command and Control   Web Service                    1      T1102

Tasks