Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4

  • Size

    280KB

  • Sample

    220922-1ae4msccf8

  • MD5

    4ae34c82169c259eca08f15555283fcb

  • SHA1

    bfe0fcb0cfc75be6906de84ed0733dac0fa2bc0d

  • SHA256

    c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4

  • SHA512

    0a77108f4931cf26dad2f0364146b115f82a713588a62d00e24e9b70c59a3eb5cd142d72d34904d30dd68e38ef116f5c316e29d56ea86912024976c58d555c24

  • SSDEEP

    6144:m1/j0u2A8SLeQr+KK8UrXXqBZzdpuWgH0jQbGaigavwVfwzC:m1Lk6Zr+KKBqT1sYt+

Score
10/10
erbiumredlinesmokeloadertofseelogsdiller cloud (sup: @mr_golds)backdoorevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

77.73.134.27:8163

Attributes
  • auth_value

    56c6f7b9024c076f0a96931453da7e56

Extracted

Family

erbium

C2

http://77.73.133.53/cloud/index.php

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4

    • Size

      280KB

    • MD5

      4ae34c82169c259eca08f15555283fcb

    • SHA1

      bfe0fcb0cfc75be6906de84ed0733dac0fa2bc0d

    • SHA256

      c685e8ba1cf78f850327006bd61e1aa6d8a3cbab7d67b8acb05b25e0f0c7fde4

    • SHA512

      0a77108f4931cf26dad2f0364146b115f82a713588a62d00e24e9b70c59a3eb5cd142d72d34904d30dd68e38ef116f5c316e29d56ea86912024976c58d555c24

    • SSDEEP

      6144:m1/j0u2A8SLeQr+KK8UrXXqBZzdpuWgH0jQbGaigavwVfwzC:m1Lk6Zr+KKBqT1sYt+

    Score
    10/10
    erbiumredlinesmokeloadertofseelogsdiller cloud (sup: @mr_golds)backdoorevasioninfostealerpersistencespywarestealertrojan

    • Detects Smokeloader packer

    • Erbium

      Erbium is an infostealer written in C++ and first seen in July 2022.

      stealererbium

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks