General

  • Target

    c1aca20de9c0776cd1b02b09b2c6fe27881900180b35bfdf4ae530aa1fe6c71d

  • Size

    273KB

  • Sample

    211204-yht7esbeer

  • MD5

    cd017fa9f794279cde7ad8e2b79bc604

  • SHA1

    4f2c523cf50c5c344c560a68eead7d8b09ddd12b

  • SHA256

    c1aca20de9c0776cd1b02b09b2c6fe27881900180b35bfdf4ae530aa1fe6c71d

  • SHA512

    7aa6d8a713802acb024fd43c71e0f6ffd8cdaf01c9fdefa65b6573392a13104ca390f15a528630e1fdfe9195a1fa9566dd897a00a6306ec87ff88adc1e80f29e

Malware Config

Extracted

Path

C:\read-me.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\Boot\bg-BG\Read_Me.txt

Ransom Note

Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101UBDKRDEW
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101UBDKRDEW

https://yip.su/2QstD5

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

http://planilhasvba.com.br/wp-admin/js/k/index.php

http://rpk32ubon.ac.th/backup/k/index.php

http://4urhappiness.com/app/k/index.php

http://swedenkhabar.com/wp-admin/js/k/index.php

http://cio.lankapanel.net/wp-admin/js/k/index.php

http://fcmsites.com.br/canal/wp-admin/js/k/index.php

http://lacoibipitanga.com.br/maxart/k/index.php

http://lacoibipitanga.com.br/cgi-bin/k/index.php

http://video.nalahotel.com/k/index.php

http://diving-phocea.com/wp-admin/k/index.php

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

c14e8219a761194140b8dfc2abce3a8292dd059a

Attributes
  • url4cnc

    http://94.158.245.137/h_electricryptors2

    http://91.219.236.27/h_electricryptors2

    http://94.158.245.167/h_electricryptors2

    http://185.163.204.216/h_electricryptors2

    http://185.225.19.238/h_electricryptors2

    http://185.163.204.218/h_electricryptors2

    https://t.me/h_electricryptors2

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes
  • url4cnc

    http://91.219.236.207/capibar

    http://185.225.19.18/capibar

    http://91.219.237.227/capibar

    https://t.me/capibar

rc4.plain

Extracted

Family

arkei

Botnet

Default

C2

http://153.92.210.92/lYWcN6H7B1.php

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b2ef6df07cefd70742a1d2de874b0494a6c0af23

Attributes
  • url4cnc

    http://94.158.245.137/lesterri2

    http://91.219.236.27/lesterri2

    http://94.158.245.167/lesterri2

    http://185.163.204.216/lesterri2

    http://185.225.19.238/lesterri2

    http://185.163.204.218/lesterri2

    https://t.me/lesterri2

rc4.plain

Targets

    • Target

      c1aca20de9c0776cd1b02b09b2c6fe27881900180b35bfdf4ae530aa1fe6c71d

    • Size

      273KB

    • MD5

      cd017fa9f794279cde7ad8e2b79bc604

    • SHA1

      4f2c523cf50c5c344c560a68eead7d8b09ddd12b

    • SHA256

      c1aca20de9c0776cd1b02b09b2c6fe27881900180b35bfdf4ae530aa1fe6c71d

    • SHA512

      7aa6d8a713802acb024fd43c71e0f6ffd8cdaf01c9fdefa65b6573392a13104ca390f15a528630e1fdfe9195a1fa9566dd897a00a6306ec87ff88adc1e80f29e

    • Arkei

      Arkei is an infostealer written in C++.

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • suricata: ET MALWARE DCRAT Activity (GET)

    • suricata: ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    • Arkei Stealer Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scheduled Task: T1053 (1)

Persistence
  • Registry Run Keys / Startup Folder: T1060 (1)
  • Scheduled Task: T1053 (1)

Privilege Escalation
  • Scheduled Task: T1053 (1)

Defense Evasion
  • Virtualization/Sandbox Evasion: T1497 (1)
  • Modify Registry: T1112 (1)

Credential Access
  • Credentials in Files: T1081 (3)

Discovery
  • Query Registry: T1012 (6)
  • Virtualization/Sandbox Evasion: T1497 (1)
  • System Information Discovery: T1082 (6)
  • Peripheral Device Discovery: T1120 (2)

Collection
  • Data from Local System: T1005 (3)
  • Email Collection: T1114 (1)