Overview

overview

10

Static

static

dridex

windows10_x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    079edf1175877722f2aaf46802059ef23b7e6d399bde5a77803910e8f13324d4

  • Size

    270KB

  • Sample

    210920-yw2hnafch6

  • MD5

    f3ea21000f563de2626b2cdc15ce7f83

  • SHA1

    4e46eba13d77fd012d54dbf49a0c32803bd6d715

  • SHA256

    079edf1175877722f2aaf46802059ef23b7e6d399bde5a77803910e8f13324d4

  • SHA512

    6c3cccbb44cea151b6981d1960bb8d1b88e285f130e1f81c85f9b86ab0a04039a581d99b17fd35f8a4e46ca55be871680841dfe00ce4a7078e722106ac5ddcfb

Score
10/10
medusalockerraccoonredlinesmokeloaderkhrip1kbackdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://venerynnet1.top/

http://kevonahira2.top/

http://vegangelist3.top/

http://kingriffaele4.top/

http://arakeishant5.top/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

khrip1k

C2

91.142.77.155:5469

Targets

    • Target

      079edf1175877722f2aaf46802059ef23b7e6d399bde5a77803910e8f13324d4

    • Size

      270KB

    • MD5

      f3ea21000f563de2626b2cdc15ce7f83

    • SHA1

      4e46eba13d77fd012d54dbf49a0c32803bd6d715

    • SHA256

      079edf1175877722f2aaf46802059ef23b7e6d399bde5a77803910e8f13324d4

    • SHA512

      6c3cccbb44cea151b6981d1960bb8d1b88e285f130e1f81c85f9b86ab0a04039a581d99b17fd35f8a4e46ca55be871680841dfe00ce4a7078e722106ac5ddcfb

    Score
    10/10
    medusalockerraccoonredlinesmokeloaderkhrip1kbackdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealertrojan

    • MedusaLocker

      Ransomware with several variants first seen in September 2019.

      ransomwaremedusalocker

    • MedusaLocker Payload

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks