Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    105s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    25-05-2022 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1af27fb1a1ce8aa956f685a80ad8c65d4d9d3b0f54a693a5c3dfd896e3c60034.exe

  • Size

    277KB

  • MD5

    85622fa9087654c497da7a64ff745994

  • SHA1

    4c7f9294aa2826cb6109560718883e03e5fbd793

  • SHA256

    1af27fb1a1ce8aa956f685a80ad8c65d4d9d3b0f54a693a5c3dfd896e3c60034

  • SHA512

    8be1879c51989808968887cc1bf4c62d4e21039d60b6137656bfb51dc49174646a5246782a00a6f20cf89c8f8408ac50113a5b443101a8d587ef54f65512f969

Score
10/10
redlinesmokeloader4backdoorcollectioninfostealerspywaretrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

4

C2

45.10.43.167:26696

Attributes
  • auth_value

    907b4009a916888062785688f81bc6b3

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1af27fb1a1ce8aa956f685a80ad8c65d4d9d3b0f54a693a5c3dfd896e3c60034.exe
    "C:\Users\Admin\AppData\Local\Temp\1af27fb1a1ce8aa956f685a80ad8c65d4d9d3b0f54a693a5c3dfd896e3c60034.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2356
  • C:\Users\Admin\AppData\Local\Temp\3F89.exe
    C:\Users\Admin\AppData\Local\Temp\3F89.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 10
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\SysWOW64\timeout.exe
        timeout 10
        3⤵
        • Delays execution with timeout.exe
        PID:4848
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:4228
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
      • Accesses Microsoft Outlook profiles
      • outlook_office_path
      • outlook_win_path
      PID:4448
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:1416

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Email Collection

      1
      T1114

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\3F89.exe
        Filesize

        342KB

        MD5

        5081f141de74d785dacfe8254097d29f

        SHA1

        bd8f230e9c79d66718871c0b2a770988e021aa21

        SHA256

        dac6ad2b96313e9fed6a84abc829204b40effc0f89fc602889377b589c28fe4a

        SHA512

        09d507af2faece517c5bdc69ab37d468a9cc9dc177e3737d4e31beffcb38037827c1d3f95a7de5321c914a85e69e1b4fb1c9f5d93ef08457bef57109cca0b6dc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\3F89.exe
        Filesize

        342KB

        MD5

        5081f141de74d785dacfe8254097d29f

        SHA1

        bd8f230e9c79d66718871c0b2a770988e021aa21

        SHA256

        dac6ad2b96313e9fed6a84abc829204b40effc0f89fc602889377b589c28fe4a

        SHA512

        09d507af2faece517c5bdc69ab37d468a9cc9dc177e3737d4e31beffcb38037827c1d3f95a7de5321c914a85e69e1b4fb1c9f5d93ef08457bef57109cca0b6dc

        Download Submit
      • memory/1416-214-0x0000000000000000-mapping.dmp
        Download
      • memory/1568-391-0x0000000005490000-0x00000000054A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1568-369-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/1568-390-0x0000000005A00000-0x0000000006006000-memory.dmp
        Filesize

        6.0MB

        Download
      • memory/1568-420-0x0000000006E90000-0x0000000006EE0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/1568-392-0x00000000055C0000-0x00000000056CA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1568-395-0x0000000005500000-0x000000000553E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/1568-397-0x0000000005540000-0x000000000558B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1568-401-0x0000000005850000-0x00000000058C6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1568-405-0x0000000005990000-0x00000000059AE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1568-415-0x0000000007AC0000-0x0000000007C82000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/1568-416-0x00000000081C0000-0x00000000086EC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/1568-336-0x000000000041AD9E-mapping.dmp
        Download
      • memory/2356-132-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-153-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-136-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-137-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-138-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-139-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-141-0x0000000000490000-0x00000000005DA000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2356-142-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-144-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-145-0x0000000000400000-0x000000000048A000-memory.dmp
        Filesize

        552KB

        Download
      • memory/2356-143-0x00000000001E0000-0x00000000001E9000-memory.dmp
        Filesize

        36KB

        Download
      • memory/2356-140-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-146-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-147-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-148-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-149-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-150-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-151-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-152-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-135-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-154-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-119-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-134-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-133-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-118-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-131-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-130-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-129-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-128-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-127-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-126-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-124-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-123-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-122-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-121-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-120-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2836-155-0x0000000000C30000-0x0000000000C46000-memory.dmp
        Filesize

        88KB

        Download
      • memory/4036-295-0x0000000000000000-mapping.dmp
        Download
      • memory/4448-181-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-184-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-174-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-170-0x0000000000000000-mapping.dmp
        Download
      • memory/4448-178-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-180-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-179-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-182-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-176-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-185-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-186-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-187-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-189-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-190-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4448-188-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-260-0x0000000005700000-0x0000000005752000-memory.dmp
        Filesize

        328KB

        Download
      • memory/4688-334-0x0000000025900000-0x0000000025DFE000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/4688-183-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-173-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-177-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-249-0x0000000000EF0000-0x0000000000F4C000-memory.dmp
        Filesize

        368KB

        Download
      • memory/4688-175-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-277-0x0000000005790000-0x00000000057E4000-memory.dmp
        Filesize

        336KB

        Download
      • memory/4688-278-0x0000000005930000-0x000000000597C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4688-171-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-156-0x0000000000000000-mapping.dmp
        Download
      • memory/4688-325-0x00000000058A0000-0x0000000005906000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4688-333-0x0000000025360000-0x00000000253F2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4688-172-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-169-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-168-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-167-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-165-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-164-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-162-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-163-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-161-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-160-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-159-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4688-158-0x0000000077CE0000-0x0000000077E6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4848-301-0x0000000000000000-mapping.dmp
        Download