Overview

overview

10

Static

static

dridex

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    012c15dcf9fc98fb63f83d2fac91b9cbe4abb471d520c9bb9702e82993cc23be

  • Size

    268KB

  • Sample

    210920-vcb7waefa6

  • MD5

    7de8faec0ff116172850dc9d68351b2e

  • SHA1

    44d42f6e247ed4cf5a5513b17e22e9e127e1c041

  • SHA256

    012c15dcf9fc98fb63f83d2fac91b9cbe4abb471d520c9bb9702e82993cc23be

  • SHA512

    30d4326cffe580ad08657dc3ff5331d77e87682ee0c00aa785f6f90036ed7ca8771284fb0929c161b6271714ea5d6181660c725cce96747f66871071826c543c

Score
10/10
medusalockersmokeloaderbackdoorevasionpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://venerynnet1.top/

http://kevonahira2.top/

http://vegangelist3.top/

http://kingriffaele4.top/

http://arakeishant5.top/
rc4.i32
rc4.i32

Targets

    • Target

      012c15dcf9fc98fb63f83d2fac91b9cbe4abb471d520c9bb9702e82993cc23be

    • Size

      268KB

    • MD5

      7de8faec0ff116172850dc9d68351b2e

    • SHA1

      44d42f6e247ed4cf5a5513b17e22e9e127e1c041

    • SHA256

      012c15dcf9fc98fb63f83d2fac91b9cbe4abb471d520c9bb9702e82993cc23be

    • SHA512

      30d4326cffe580ad08657dc3ff5331d77e87682ee0c00aa785f6f90036ed7ca8771284fb0929c161b6271714ea5d6181660c725cce96747f66871071826c543c

    Score
    10/10
    medusalockersmokeloaderbackdoorevasionpersistenceransomwarespywarestealertrojan

    • MedusaLocker

      Ransomware with several variants first seen in September 2019.

      ransomwaremedusalocker

    • MedusaLocker Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks