Overview

overview

10

Static

static

dridex

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    04ac2797876efcca8542caf5613cf1fb0940c1e927b2294ec88b4c14c667aadf

  • Size

    249KB

  • Sample

    211204-ly8zasdeg8

  • MD5

    82d35af6f65bb308ffae2d1660873a9c

  • SHA1

    a692f95be7e1879a12c7b0a288ee18c52b06e834

  • SHA256

    04ac2797876efcca8542caf5613cf1fb0940c1e927b2294ec88b4c14c667aadf

  • SHA512

    0c4be7e2a2be8fed1defd49d734e2ab8b8cad58110776c98a6fbe1f7fddfcb43e30079941daf65f090667e22e2c3a6976ad39c66cf66220635b7276722a53e2c

Score
10/10
cryptbotredlinesmokeloader1backdoorcollectiondiscoveryevasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

C2

195.133.47.114:38620

Extracted

Family

redline

Botnet

1

C2

45.9.20.59:46287

Targets

    • Target

      04ac2797876efcca8542caf5613cf1fb0940c1e927b2294ec88b4c14c667aadf

    • Size

      249KB

    • MD5

      82d35af6f65bb308ffae2d1660873a9c

    • SHA1

      a692f95be7e1879a12c7b0a288ee18c52b06e834

    • SHA256

      04ac2797876efcca8542caf5613cf1fb0940c1e927b2294ec88b4c14c667aadf

    • SHA512

      0c4be7e2a2be8fed1defd49d734e2ab8b8cad58110776c98a6fbe1f7fddfcb43e30079941daf65f090667e22e2c3a6976ad39c66cf66220635b7276722a53e2c

    Score
    10/10
    cryptbotredlinesmokeloader1backdoorcollectiondiscoveryevasioninfostealerspywarestealertrojan

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Deletes itself

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1

MITRE ATT&CK Enterprise v6

Tasks