Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    03-05-2022 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe

  • Size

    279KB

  • MD5

    feb4828a3899927cefbe713d09ce4602

  • SHA1

    c45bfefa95d41f8f919f661183693fbd9f4f1571

  • SHA256

    b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5

  • SHA512

    cbfe9a74dbb4371de2be1b04e872fb5650dfd7eabba96534f60b4519a7f9b8e7c1d5fecaa0f01583bbeafe7f4c3d862cfd6afa54b9329c4cc470f14f5bf09392

Score
10/10
redlinesmokeloadervidar937mario01_04slovarik2backdoorcollectiondiscoveryinfostealerspywarestealersuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

MARIO01_04

C2

176.122.23.55:32478

Attributes
  • auth_value

    ed0902db14986ce5710c8e3a2307dc2f

Extracted

Family

vidar

Version

52

Botnet

937

C2

https://t.me/hollandracing

https://busshi.moe/@ronxik321
Attributes
  • profile_id

    937

Extracted

Family

redline

Botnet

slovarik2

C2

185.215.113.115:39325

Attributes
  • auth_value

    6521f196e626a6e5adbea705ca0f48e2

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

    suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

    suricata
  • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    suricata
  • Vidar Stealer 3 IoCs
    stealer
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe
    "C:\Users\Admin\AppData\Local\Temp\b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1316
  • C:\Users\Admin\AppData\Local\Temp\7A60.exe
    C:\Users\Admin\AppData\Local\Temp\7A60.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
  • C:\Users\Admin\AppData\Local\Temp\9144.exe
    C:\Users\Admin\AppData\Local\Temp\9144.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    PID:4024
  • C:\Users\Admin\AppData\Local\Temp\A858.exe
    C:\Users\Admin\AppData\Local\Temp\A858.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2216
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    • outlook_office_path
    • outlook_win_path
    PID:3688
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
      PID:1876

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7A60.exe
      Filesize

      1.8MB

      MD5

      4649dea8ee0c894f392cfcaf17f08bfa

      SHA1

      0a80de419c98b9e030c129b728f04a12c3e1208c

      SHA256

      6d6933527e78c31cc8a5cdd322cd2a026c11a60cfeab58512f7fec5d6d0687ea

      SHA512

      7fac1d4b9d1d2a1aa78676d4391aa6ecbf2cf68def5769f6774f5aa5c7a628de8ed4a48b1a603b3d5a9357f15afa7d6343e1b985229f52ada572187cdc61ec83

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\7A60.exe
      Filesize

      1.8MB

      MD5

      4649dea8ee0c894f392cfcaf17f08bfa

      SHA1

      0a80de419c98b9e030c129b728f04a12c3e1208c

      SHA256

      6d6933527e78c31cc8a5cdd322cd2a026c11a60cfeab58512f7fec5d6d0687ea

      SHA512

      7fac1d4b9d1d2a1aa78676d4391aa6ecbf2cf68def5769f6774f5aa5c7a628de8ed4a48b1a603b3d5a9357f15afa7d6343e1b985229f52ada572187cdc61ec83

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\9144.exe
      Filesize

      392KB

      MD5

      091f0b3b502b52eadd71066bc0c05a9a

      SHA1

      a22a05ece18f39934dde60b24d9bee24230aa97f

      SHA256

      b772709904d1a0b67f6ed73bbfd1ea72ebad527ada5b00f24c4d200f49f94704

      SHA512

      a38102527b3549a4bcc44acb8348d057e33df952dfa0a70513866df7b43b286daa952fd2e2bd3e6882ddafc3483ee3e750f586412475b75da1f6260fb7718f4f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\9144.exe
      Filesize

      392KB

      MD5

      091f0b3b502b52eadd71066bc0c05a9a

      SHA1

      a22a05ece18f39934dde60b24d9bee24230aa97f

      SHA256

      b772709904d1a0b67f6ed73bbfd1ea72ebad527ada5b00f24c4d200f49f94704

      SHA512

      a38102527b3549a4bcc44acb8348d057e33df952dfa0a70513866df7b43b286daa952fd2e2bd3e6882ddafc3483ee3e750f586412475b75da1f6260fb7718f4f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\A858.exe
      Filesize

      389KB

      MD5

      4ca1cf25a59fa1c58d4dab26f1e513b9

      SHA1

      3b129db016c483b20cf887f898f6ce52be1da5f5

      SHA256

      02f1627f1a3e2f8531e2217ed28e420b717355ef15ca42bd9734b356f2bb2285

      SHA512

      5b1f5a91a253c2f1baf2f5e3a9d55bf6d7fe16c71c7c5d97e7ce697901f2ac6e8a1ccb0e9ad0f07aa85ad8400d0460ee4a4158b88d392c354a75b7228149a012

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\A858.exe
      Filesize

      389KB

      MD5

      4ca1cf25a59fa1c58d4dab26f1e513b9

      SHA1

      3b129db016c483b20cf887f898f6ce52be1da5f5

      SHA256

      02f1627f1a3e2f8531e2217ed28e420b717355ef15ca42bd9734b356f2bb2285

      SHA512

      5b1f5a91a253c2f1baf2f5e3a9d55bf6d7fe16c71c7c5d97e7ce697901f2ac6e8a1ccb0e9ad0f07aa85ad8400d0460ee4a4158b88d392c354a75b7228149a012

      Download Submit
    • \ProgramData\mozglue.dll
      Filesize

      133KB

      MD5

      8f73c08a9660691143661bf7332c3c27

      SHA1

      37fa65dd737c50fda710fdbde89e51374d0c204a

      SHA256

      3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

      SHA512

      0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

      Download Submit
    • \ProgramData\nss3.dll
      Filesize

      1.2MB

      MD5

      bfac4e3c5908856ba17d41edcd455a51

      SHA1

      8eec7e888767aa9e4cca8ff246eb2aacb9170428

      SHA256

      e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

      SHA512

      2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

      Download Submit
    • memory/388-120-0x0000000000000000-mapping.dmp
      Download
    • memory/1316-117-0x00000000001F0000-0x00000000001F9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1316-118-0x0000000000400000-0x0000000000486000-memory.dmp
      Filesize

      536KB

      Download
    • memory/1316-116-0x0000000000633000-0x0000000000644000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1432-148-0x000000000A680000-0x000000000AB7E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1432-128-0x000000000041BC5E-mapping.dmp
      Download
    • memory/1432-123-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1432-135-0x0000000009690000-0x00000000096CE000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1432-134-0x0000000009740000-0x000000000984A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1432-406-0x000000000B880000-0x000000000BDAC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1432-136-0x00000000096D0000-0x000000000971B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1432-132-0x0000000009B70000-0x000000000A176000-memory.dmp
      Filesize

      6.0MB

      Download
    • memory/1432-133-0x0000000009610000-0x0000000009622000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1432-151-0x00000000099D0000-0x0000000009A46000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1432-152-0x000000000A180000-0x000000000A212000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1432-153-0x0000000009AF0000-0x0000000009B0E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1432-154-0x000000000A600000-0x000000000A666000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1432-405-0x000000000B180000-0x000000000B342000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1876-505-0x0000000000000000-mapping.dmp
      Download
    • memory/2216-451-0x0000000004A30000-0x0000000004A64000-memory.dmp
      Filesize

      208KB

      Download
    • memory/2216-411-0x0000000000000000-mapping.dmp
      Download
    • memory/2216-444-0x0000000002200000-0x0000000002236000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2216-487-0x0000000000520000-0x000000000066A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2216-489-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/2216-488-0x0000000000800000-0x000000000083A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/3020-119-0x0000000000F80000-0x0000000000F96000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3688-504-0x0000000000000000-mapping.dmp
      Download
    • memory/4024-147-0x0000000000400000-0x00000000004A3000-memory.dmp
      Filesize

      652KB

      Download
    • memory/4024-146-0x0000000000530000-0x00000000005DE000-memory.dmp
      Filesize

      696KB

      Download
    • memory/4024-145-0x0000000000530000-0x000000000067A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/4024-506-0x0000000060900000-0x0000000060992000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4024-141-0x0000000000000000-mapping.dmp
      Download