General

  • Target

    7a0268be5fbffbe146338591959ffe772ca26a3b78bda1479db38791952aa4e2

  • Size

    316KB

  • Sample

    220927-pz1absefbj

  • MD5

    b020d423131a7b019ae75d4d70b93c42

  • SHA1

    ad8c4a06858964a918c01bd4e9b66b37a94743c6

  • SHA256

    7a0268be5fbffbe146338591959ffe772ca26a3b78bda1479db38791952aa4e2

  • SHA512

    e9daf96cdc7d09c05d33fb3b6f4efab38a91be4f243a9a3a317a4542a1d2ca0634a918a6e713dd917d38cef4200449caddd140933d8c0952316d01997e6bbfeb

  • SSDEEP

    3072:Me4X1ah9NN9g+X25h3c4DR82hKajyrTeLQo0KpYRXqeM/h3BsxkgaBChU/pZa9uk:MeM2i+kcqhBPQo0LXhnigabwVf

Malware Config

Extracted

Family

redline

Botnet

inslab26

C2

185.182.194.25:8251

Attributes
  • auth_value

    7c9cbd0e489a3c7fd31006406cb96f5b

Extracted

Family

redline

Botnet

11

C2

77.73.134.27:7161

Attributes
  • auth_value

    e6aadafed1fda7723d7655a5894828d2

Extracted

Family

raccoon

Botnet

aeea23901ace2687ada0edd1d2615c7f

C2

http://77.73.134.31/

rc4.plain

Targets

    • Target

      7a0268be5fbffbe146338591959ffe772ca26a3b78bda1479db38791952aa4e2

    • Size

      316KB

    • MD5

      b020d423131a7b019ae75d4d70b93c42

    • SHA1

      ad8c4a06858964a918c01bd4e9b66b37a94743c6

    • SHA256

      7a0268be5fbffbe146338591959ffe772ca26a3b78bda1479db38791952aa4e2

    • SHA512

      e9daf96cdc7d09c05d33fb3b6f4efab38a91be4f243a9a3a317a4542a1d2ca0634a918a6e713dd917d38cef4200449caddd140933d8c0952316d01997e6bbfeb

    • SSDEEP

      3072:Me4X1ah9NN9g+X25h3c4DR82hKajyrTeLQo0KpYRXqeM/h3BsxkgaBChU/pZa9uk:MeM2i+kcqhBPQo0LXhnigabwVf

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

    Credentials in Files (2) - T1081

  • Discovery

    Query Registry (2) - T1012

    Peripheral Device Discovery (1) - T1120

    System Information Discovery (1) - T1082

  • Collection

    Data from Local System (2) - T1005

  • Command and Control

    Web Service (1) - T1102

Tasks