Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    849f9f7c3482fc7e5da7b9cf809dfb9c93310bedd26138082932945fb66479c1.exe

  • Size

    217KB

  • MD5

    3534cc8899e06062d5776176b223f1ca

  • SHA1

    18b15c35a74e244b516b9a4ecff8b0b890c5bd1e

  • SHA256

    849f9f7c3482fc7e5da7b9cf809dfb9c93310bedd26138082932945fb66479c1

  • SHA512

    5ad006ceab3d7af06cd18a1c66952850e22ce65910de648401edcb26ea0cc08ce72855dd33721ac1c07bf2009d53b7ee3b12ae9b5470bc3b5b1d987a0a4ae0a1

Score
10/10
redlinesmokeloadervidar937mario01_04backdoordiscoveryinfostealerspywarestealersuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

51.9

Botnet

937

C2

https://t.me/btc20220425

https://ieji.de/@ronxik213
Attributes
  • profile_id

    937

Extracted

Family

redline

Botnet

MARIO01_04

C2

176.122.23.55:32478

Attributes
  • auth_value

    ed0902db14986ce5710c8e3a2307dc2f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

    suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

    suricata
  • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    suricata
  • Vidar Stealer 2 IoCs
    stealer
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\849f9f7c3482fc7e5da7b9cf809dfb9c93310bedd26138082932945fb66479c1.exe
    "C:\Users\Admin\AppData\Local\Temp\849f9f7c3482fc7e5da7b9cf809dfb9c93310bedd26138082932945fb66479c1.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2064
  • C:\Users\Admin\AppData\Local\Temp\7947.exe
    C:\Users\Admin\AppData\Local\Temp\7947.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    PID:4572
  • C:\Users\Admin\AppData\Local\Temp\93D5.exe
    C:\Users\Admin\AppData\Local\Temp\93D5.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4084
  • C:\Users\Admin\AppData\Local\Temp\AE62.exe
    C:\Users\Admin\AppData\Local\Temp\AE62.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3672
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1656
      2⤵
      • Program crash
      PID:2324
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:3088
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 872
        2⤵
        • Program crash
        PID:1964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3088 -ip 3088
      1⤵
        PID:2904
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:2412
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3672 -ip 3672
          1⤵
            PID:3572

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Credentials in Files

          3
          T1081

          Discovery

          Query Registry

          3
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Data from Local System

          3
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\mozglue.dll
            Filesize

            133KB

            MD5

            8f73c08a9660691143661bf7332c3c27

            SHA1

            37fa65dd737c50fda710fdbde89e51374d0c204a

            SHA256

            3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

            SHA512

            0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

            Download Submit
          • C:\ProgramData\nss3.dll
            Filesize

            1.2MB

            MD5

            bfac4e3c5908856ba17d41edcd455a51

            SHA1

            8eec7e888767aa9e4cca8ff246eb2aacb9170428

            SHA256

            e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

            SHA512

            2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\7947.exe
            Filesize

            389KB

            MD5

            038f78aa0bd7238d8e5063f73927a3b5

            SHA1

            174f71f3a3ca18d6fa8fb507306105c2037cb7c2

            SHA256

            a22027d7c27a7088ccd64d828fe90644070462f374ce9bbde8616328781b6698

            SHA512

            1cb3d09a8f8cd1e835d36d754c67b7e4a413c765f0dfd6e23b3265ab571783fb4c4db083030a6e9da4dd84a5440da5014d5c7e372a767fc6dd51390df2412483

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\7947.exe
            Filesize

            389KB

            MD5

            038f78aa0bd7238d8e5063f73927a3b5

            SHA1

            174f71f3a3ca18d6fa8fb507306105c2037cb7c2

            SHA256

            a22027d7c27a7088ccd64d828fe90644070462f374ce9bbde8616328781b6698

            SHA512

            1cb3d09a8f8cd1e835d36d754c67b7e4a413c765f0dfd6e23b3265ab571783fb4c4db083030a6e9da4dd84a5440da5014d5c7e372a767fc6dd51390df2412483

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\93D5.exe
            Filesize

            1.8MB

            MD5

            18c4f08ade129858736e78eaa58e5e6a

            SHA1

            4e19af08cb531d4c533e73689a7e441a94a595cd

            SHA256

            a2e2b9885f4ceaf963c2c29d6ad151a75fc6ce8f4d1d2a76dfcd4f4d7b9cd024

            SHA512

            7d3cc69dd67bd94965b53a5b635def5f70248ea67a53d6bfdcbbbcda1903de0593217f385a68359823e060d03aa2ed2bce21e3b770f29279da483553d78ae036

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\93D5.exe
            Filesize

            1.8MB

            MD5

            18c4f08ade129858736e78eaa58e5e6a

            SHA1

            4e19af08cb531d4c533e73689a7e441a94a595cd

            SHA256

            a2e2b9885f4ceaf963c2c29d6ad151a75fc6ce8f4d1d2a76dfcd4f4d7b9cd024

            SHA512

            7d3cc69dd67bd94965b53a5b635def5f70248ea67a53d6bfdcbbbcda1903de0593217f385a68359823e060d03aa2ed2bce21e3b770f29279da483553d78ae036

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\AE62.exe
            Filesize

            370KB

            MD5

            7ce19bfe8fa39f2942a7c9783ed39261

            SHA1

            efa3216d202cabd0bd2c225eaa01834b770ac14a

            SHA256

            1d252013b707bacc7f5dcf7b8e402b5563ab1bcda43850a9f365a9010fde7b8f

            SHA512

            45e95ca2e6fef16efd98f75649dc1fba92ca6cf7c94585cbb31590c92686d76769c65da8e213135b04cade45f4e8c59fc3520e0b98d2c7ef0975fafb7ca4c0f1

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\AE62.exe
            Filesize

            370KB

            MD5

            7ce19bfe8fa39f2942a7c9783ed39261

            SHA1

            efa3216d202cabd0bd2c225eaa01834b770ac14a

            SHA256

            1d252013b707bacc7f5dcf7b8e402b5563ab1bcda43850a9f365a9010fde7b8f

            SHA512

            45e95ca2e6fef16efd98f75649dc1fba92ca6cf7c94585cbb31590c92686d76769c65da8e213135b04cade45f4e8c59fc3520e0b98d2c7ef0975fafb7ca4c0f1

            Download Submit
          • memory/796-133-0x0000000000C30000-0x0000000000C46000-memory.dmp
            Filesize

            88KB

            Download
          • memory/2064-130-0x00000000006CD000-0x00000000006D6000-memory.dmp
            Filesize

            36KB

            Download
          • memory/2064-132-0x0000000000400000-0x0000000000487000-memory.dmp
            Filesize

            540KB

            Download
          • memory/2064-131-0x00000000006A0000-0x00000000006A9000-memory.dmp
            Filesize

            36KB

            Download
          • memory/2412-178-0x0000000000000000-mapping.dmp
            Download
          • memory/3088-177-0x0000000000000000-mapping.dmp
            Download
          • memory/3672-187-0x0000000000400000-0x00000000004AC000-memory.dmp
            Filesize

            688KB

            Download
          • memory/3672-174-0x0000000000000000-mapping.dmp
            Download
          • memory/3672-185-0x00000000004B0000-0x00000000005B0000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/3672-186-0x0000000001FA0000-0x0000000001FDA000-memory.dmp
            Filesize

            232KB

            Download
          • memory/4084-179-0x0000000005BE0000-0x0000000005C46000-memory.dmp
            Filesize

            408KB

            Download
          • memory/4084-184-0x0000000006A70000-0x0000000006A8E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/4084-152-0x00000000058F0000-0x000000000592C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/4084-151-0x00000000059C0000-0x0000000005ACA000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/4084-150-0x0000000003360000-0x0000000003372000-memory.dmp
            Filesize

            72KB

            Download
          • memory/4084-149-0x0000000005ED0000-0x00000000064E8000-memory.dmp
            Filesize

            6.1MB

            Download
          • memory/4084-144-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

            Download
          • memory/4084-143-0x0000000000000000-mapping.dmp
            Download
          • memory/4084-189-0x0000000007D60000-0x000000000828C000-memory.dmp
            Filesize

            5.2MB

            Download
          • memory/4084-188-0x0000000007660000-0x0000000007822000-memory.dmp
            Filesize

            1.8MB

            Download
          • memory/4084-180-0x0000000006770000-0x00000000067E6000-memory.dmp
            Filesize

            472KB

            Download
          • memory/4084-181-0x0000000006890000-0x0000000006922000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4084-183-0x0000000006EE0000-0x0000000007484000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/4572-153-0x0000000060900000-0x0000000060992000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4572-138-0x0000000001FA0000-0x0000000001FED000-memory.dmp
            Filesize

            308KB

            Download
          • memory/4572-137-0x000000000050D000-0x000000000053B000-memory.dmp
            Filesize

            184KB

            Download
          • memory/4572-134-0x0000000000000000-mapping.dmp
            Download
          • memory/4572-139-0x0000000000400000-0x00000000004B0000-memory.dmp
            Filesize

            704KB

            Download
          • memory/4784-140-0x0000000000000000-mapping.dmp
            Download