Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fb4252931d238acd353be695360f6b6c1a2cc1289b730230842749e06d1d6605

  • Size

    13.9MB

  • Sample

    220217-nah43sccbm

  • MD5

    72a01582db3154bd8f955754c3629cce

  • SHA1

    b46112b47da52af0d239eef19bf0562b99616563

  • SHA256

    fb4252931d238acd353be695360f6b6c1a2cc1289b730230842749e06d1d6605

  • SHA512

    4784578a0256b703c176035284b0271f067f82ed8445f96a4f3d4b64fc93b5558fa331136fdabecf44b0072133b04b9e0c77b37aa09b00cee84109499945ba3c

Score
10/10
onlyloggerredlinesocelarsdiscoveryevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx

Malware Config

Extracted

Family

socelars

C2

https://dhner.s3.ap-southeast-2.amazonaws.com/eyxjet/

Targets

    • Target

      fb4252931d238acd353be695360f6b6c1a2cc1289b730230842749e06d1d6605

    • Size

      13.9MB

    • MD5

      72a01582db3154bd8f955754c3629cce

    • SHA1

      b46112b47da52af0d239eef19bf0562b99616563

    • SHA256

      fb4252931d238acd353be695360f6b6c1a2cc1289b730230842749e06d1d6605

    • SHA512

      4784578a0256b703c176035284b0271f067f82ed8445f96a4f3d4b64fc93b5558fa331136fdabecf44b0072133b04b9e0c77b37aa09b00cee84109499945ba3c

    Score
    10/10
    onlyloggerredlinesocelarsdiscoveryevasioninfostealerloaderpersistencespywarestealersuricatathemidatrojanupx

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • OnlyLogger Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks