Overview

overview

10

Static

static

dridex

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1ba8788b7c4ec0f0fa306f9ba44b4dfc867896db7010d1f57fe689f026c85931

  • Size

    336KB

  • Sample

    211029-vzw6kadga3

  • MD5

    bcef12eeaa237d8f5b15f5b31abd1481

  • SHA1

    125e6c8c90861eac86d5455633d82165c087b9e7

  • SHA256

    1ba8788b7c4ec0f0fa306f9ba44b4dfc867896db7010d1f57fe689f026c85931

  • SHA512

    0d5bbdec08c4109e85f1d4b8874cd15345a371bd19278d4c002126f33990d6be8623ae50bf119ec79a386a122c929b742248d717a7bfb10d1abb79b80a674339

Score
10/10
amadeydjvuraccoonredlinesmokeloadervidar51768e2d75238f7c69859792d206401b6bde2b2515c7067549369b47742e621d3b0f1b0b79db6ed26e2c33328c05b176c5fe76fc027de7ad67f52792266419904252money-2021z0rm1onagilenetbackdoorcollectiondiscoveryevasioninfostealerpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xacokuo8.top/

http://hajezey1.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

http://193.56.146.214/

https://193.56.146.214/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

C2

45.147.231.161:38637

Extracted

Family

amadey

Version

2.70

C2

185.215.113.45/g4MbvE/index.php

Extracted

Family

vidar

Version

41.6

Botnet

754

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    754

Extracted

Family

raccoon

Botnet

68e2d75238f7c69859792d206401b6bde2b2515c

Attributes
  • url4cnc

    http://telegalive.top/agrybirdsgamerept

    http://toptelete.top/agrybirdsgamerept

    http://telegraf.top/agrybirdsgamerept

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

b176c5fe76fc027de7ad67f52792266419904252

Attributes
  • url4cnc

    http://telegalive.top/hoverpattern31

    http://toptelete.top/hoverpattern31

    http://telegraf.top/hoverpattern31

    https://t.me/hoverpattern31

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

z0rm1on

C2

185.215.113.94:15564

Extracted

Family

djvu

C2

http://rlrz.org/lancer/get.php

Attributes
  • extension

    .rivd

  • offline_id

    WbO7bkwHxaepEmevfYYUBNgcxNJGpd7hoNKokRt1

  • payload_url

    http://znpst.top/dl/build2.exe

    http://rlrz.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CcXGxzXf71 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: supporthelp@airmail.cc Your personal ID: 0342gSd743d

rsa_pubkey.plain

Extracted

Family

redline

Botnet

MONEY-2021

C2

2.56.214.190:59628

Extracted

Family

raccoon

Botnet

9b47742e621d3b0f1b0b79db6ed26e2c33328c05

Attributes
  • url4cnc

    http://telegalive.top/ustavshiy1

    http://toptelete.top/ustavshiy1

    http://telegraf.top/ustavshiy1

    https://t.me/ustavshiy1

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

41.6

Botnet

936

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    936

Extracted

Family

vidar

Version

41.6

Botnet

706

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    706

Extracted

Family

vidar

Version

41.5

Botnet

517

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    517

Targets

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Disabling Security Tools

3
T1089

Modify Registry

5
T1112

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks