Overview

overview

10

Static

static

dridex

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    70c50e05034f260edeb486862fa7e1f0f47d555bb2c14e83df33715648a053ef

  • Size

    180KB

  • Sample

    220604-rb5k9aacb8

  • MD5

    6e95f05f0f3e976dfd571374eadba57f

  • SHA1

    f20b68ecbb025c0c5b5c223d7f5272226e7d0487

  • SHA256

    70c50e05034f260edeb486862fa7e1f0f47d555bb2c14e83df33715648a053ef

  • SHA512

    aab737451fe18e4f78b2853d1eb4ac84d5ff346c4dc0cee2f3129795a18e3c26a698756d0da3899d284b320ff394b1796403a6bec578f4514f5bb467b887bf60

Score
10/10
redlinetofseexmrigmario10_05_50kcollectionevasioninfostealerminerpersistencespywaresuricatatrojanvmprotect

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Extracted

Family

redline

Botnet

mario10_05_50k

C2

176.122.23.55:32478

Attributes
  • auth_value

    8a0f0d4d76987def30f88d91e2c0388d

Targets

    • Target

      70c50e05034f260edeb486862fa7e1f0f47d555bb2c14e83df33715648a053ef

    • Size

      180KB

    • MD5

      6e95f05f0f3e976dfd571374eadba57f

    • SHA1

      f20b68ecbb025c0c5b5c223d7f5272226e7d0487

    • SHA256

      70c50e05034f260edeb486862fa7e1f0f47d555bb2c14e83df33715648a053ef

    • SHA512

      aab737451fe18e4f78b2853d1eb4ac84d5ff346c4dc0cee2f3129795a18e3c26a698756d0da3899d284b320ff394b1796403a6bec578f4514f5bb467b887bf60

    Score
    10/10
    redlinetofseexmrigmario10_05_50kcollectionevasioninfostealerminerpersistencespywaresuricatatrojanvmprotect

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner Payload

      miner

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks