Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9d23a234dbe5c77bdb7ef8c15e72dc31de7cce7a296ba4c6021fa38c860b6aa6

  • Size

    132KB

  • Sample

    221002-svflxadhgp

  • MD5

    2f60adf824efee1301aaa145123a23bf

  • SHA1

    573326542db26f12243058b53f121bf4c24f4f78

  • SHA256

    9d23a234dbe5c77bdb7ef8c15e72dc31de7cce7a296ba4c6021fa38c860b6aa6

  • SHA512

    e3ea3419723e31100f3aad32603b4627c3eab20e8ea8121a611aa402ce6bc00c067ae46b7f566bf7a1d3c6d9857f1edafe85f7857ff6a8af972ed8de93e8f90e

  • SSDEEP

    3072:1dnzOomRcnJZ7vhty2zRzxy5S83P7ZaRqln09PD6T:OknJZLhN185LP7ZkG0A

Score
10/10
dcratredlinesmokeloaderbackdoorinfostealerpyinstallerrattrojan

Malware Config

Extracted

Family

redline

C2

80.66.87.22:80

80.66.87.13:80
Attributes
  • auth_value

    5b663effac3b92fe687f0181631eeff2

Targets

    • Target

      9d23a234dbe5c77bdb7ef8c15e72dc31de7cce7a296ba4c6021fa38c860b6aa6

    • Size

      132KB

    • MD5

      2f60adf824efee1301aaa145123a23bf

    • SHA1

      573326542db26f12243058b53f121bf4c24f4f78

    • SHA256

      9d23a234dbe5c77bdb7ef8c15e72dc31de7cce7a296ba4c6021fa38c860b6aa6

    • SHA512

      e3ea3419723e31100f3aad32603b4627c3eab20e8ea8121a611aa402ce6bc00c067ae46b7f566bf7a1d3c6d9857f1edafe85f7857ff6a8af972ed8de93e8f90e

    • SSDEEP

      3072:1dnzOomRcnJZ7vhty2zRzxy5S83P7ZaRqln09PD6T:OknJZLhN185LP7ZkG0A

    Score
    10/10
    dcratredlinesmokeloaderbackdoorinfostealerpyinstallerrattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detects Smokeloader packer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks