General

  • Target

    05bb07f3dfae2584a5f6382f23ba58bbea9feeea01509c446a1c75e47a9dfa13

  • Size

    206KB

  • Sample

    220909-vxm5wagfh2

  • MD5

    dbf6e8a3dd083a0145d14f47ed1f89a1

  • SHA1

    5bb368eb964a477bf29d58bb5f456b811fea19f1

  • SHA256

    05bb07f3dfae2584a5f6382f23ba58bbea9feeea01509c446a1c75e47a9dfa13

  • SHA512

    f3d9332c4b24c98650b6296d36acff0f927b2d409a6767ab60a8fd1cdf12e49de35072f3de32477bd5b46855cfdad28b2e32b6c23821861e166a5a1e2010961c

  • SSDEEP

    3072:9aA+f6AOJ+6WdmEk6wW35lqOfiRPa7PWiM9uVJiFE7m9SYuAtM2Uq:9iXQsNkP4hMgkFECYDk

Malware Config

Extracted

Family

raccoon

Botnet

567d5bff28c2a18132d2f88511f07435

C2

http://116.203.167.5/

http://195.201.248.58/

rc4.plain

Extracted

Family

redline

Botnet

nam5

C2

103.89.90.61:34589

Attributes

  • auth_value

    f23be8e9063fe5d0c6fc3ee8e7d565bd

Extracted

Family

redline

Botnet

1337

C2

78.153.144.6:2510

Attributes

  • auth_value

    b0447922bcbc2eda83260a9e7a638f45

Targets

    • Target

      05bb07f3dfae2584a5f6382f23ba58bbea9feeea01509c446a1c75e47a9dfa13

    • Size

      206KB

    • MD5

      dbf6e8a3dd083a0145d14f47ed1f89a1

    • SHA1

      5bb368eb964a477bf29d58bb5f456b811fea19f1

    • SHA256

      05bb07f3dfae2584a5f6382f23ba58bbea9feeea01509c446a1c75e47a9dfa13

    • SHA512

      f3d9332c4b24c98650b6296d36acff0f927b2d409a6767ab60a8fd1cdf12e49de35072f3de32477bd5b46855cfdad28b2e32b6c23821861e166a5a1e2010961c

    • SSDEEP

      3072:9aA+f6AOJ+6WdmEk6wW35lqOfiRPa7PWiM9uVJiFE7m9SYuAtM2Uq:9iXQsNkP4hMgkFECYDk

    • Detects Smokeloader packer

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks