General

  • Target

    14e958e8f2ecd20ebe1a3bb32394d55d710f31a354f66c31a896fb48788b701e

  • Size

    171KB

  • Sample

    211215-pd81cahea3

  • MD5

    c0c7acf8d97daee036c98c8f6f9ec516

  • SHA1

    eeb59fc2f44b3365196f82fb91b347fa9ac65b46

  • SHA256

    14e958e8f2ecd20ebe1a3bb32394d55d710f31a354f66c31a896fb48788b701e

  • SHA512

    20ddfd298b16e6f90107215a6c4c700fb65715403059d280e0c3cc71f74319c9638173fe7e98c2b7b467403c88209bbdd7eb49e8a5d4a420e3df3571b9fa1032

Malware Config

Extracted

  • Family: smokeloader

  • Version: 2020

  • C2:


rc4.i32

Extracted

  • Family: icedid

  • Campaign: 3372020928

  • C2: jeliskvosh.com

Targets

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic      Technique                      Count  Technique ID
Discovery   Query Registry                 1      T1012
Discovery   Peripheral Device Discovery    1      T1120
Discovery   System Information Discovery   1      T1082
Collection  Email Collection               1      T1114

Tasks