General

  • Target: 8204bce8fd8bc3f634b995eb974c31971950014b47dedd928c80bd92869519ac
  • Size: 201KB
  • Sample: 221003-k7ddbahchk
  • MD5: 91364a893cdb7a591053d6a0ebb71098
  • SHA1: 7cd0fcb6fe4032e669c77e9f05ac38bddf71f93a
  • SHA256: 8204bce8fd8bc3f634b995eb974c31971950014b47dedd928c80bd92869519ac
  • SHA512: b143aa99250e1ec47b59c07373c877fa86186c1147d7000d35e48bec3a121f74d267669bd96e87b60cf77a845477a8e0d064e473cb154f39d82d992c2093cae8
  • SSDEEP: 1536:1I47GyTGCwiSnmQUt0LB1kAjs5gpyY6cfsW:1vGyYiSDnt1T45nxEsW

Malware Config (extracted)

  • Family: redline
  • Botnet: Buk2
  • C2:
      tyastazirowi.xyz:80
      yaterirennin.xyz:80
  • Attributes:
      auth_value: 813662de00b041e18fa868da733fca07

Targets

    • Target: 8204bce8fd8bc3f634b995eb974c31971950014b47dedd928c80bd92869519ac
    • Size: 201KB

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            ID      Count
  Persistence        Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion    Modify Registry                      T1112   1
  Credential Access  Credentials in Files                 T1081   2
  Discovery          Query Registry                       T1012   3
  Discovery          System Information Discovery         T1082   3
  Discovery          Peripheral Device Discovery          T1120   1
  Collection         Data from Local System               T1005   2
