Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3f330a14246bb07dfb4e3e5db8ce29c558afa755528bf40cc7563fac6c7c55e8

  • Size

    14.6MB

  • Sample

    220218-s69dcsdeej

  • MD5

    145e06aef33c1956341a3dbb2344331e

  • SHA1

    5d43f5df54ceffd15697d962eb261998428986c9

  • SHA256

    3f330a14246bb07dfb4e3e5db8ce29c558afa755528bf40cc7563fac6c7c55e8

  • SHA512

    da9fe58ca83e1d5940e8252c59b02ceadd1920c538851bd5c37a48cd2fc58e17dcdde6657f6bdfe9145bc7d059b631447672cfdee483d7bc1bfb25117bb7d266

Score
10/10
onlyloggerredlinesocelarsevasioninfostealerloaderspywarestealersuricatathemidatrojanupx

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/sagdys/

Targets

    • Target

      3f330a14246bb07dfb4e3e5db8ce29c558afa755528bf40cc7563fac6c7c55e8

    • Size

      14.6MB

    • MD5

      145e06aef33c1956341a3dbb2344331e

    • SHA1

      5d43f5df54ceffd15697d962eb261998428986c9

    • SHA256

      3f330a14246bb07dfb4e3e5db8ce29c558afa755528bf40cc7563fac6c7c55e8

    • SHA512

      da9fe58ca83e1d5940e8252c59b02ceadd1920c538851bd5c37a48cd2fc58e17dcdde6657f6bdfe9145bc7d059b631447672cfdee483d7bc1bfb25117bb7d266

    Score
    10/10
    onlyloggerredlinesocelarsevasioninfostealerloaderspywarestealersuricatathemidatrojanupx

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata: ET MALWARE GCleaner Downloader Activity M5

      suricata

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

      suricata

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

      suricata

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • OnlyLogger Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks