General

  • Target

    ca32c029656dd824594ec86411ac9a0575abb960833790d09e858685fcdde59a

  • Size

    226KB

  • Sample

    221013-srjjdsbbf7

  • MD5

    ab1733c9f5850d56958c0ddc3c1950de

  • SHA1

    888eb6363630e41e12bf84178785a4bb88b3db34

  • SHA256

    ca32c029656dd824594ec86411ac9a0575abb960833790d09e858685fcdde59a

  • SHA512

    03b9cd06c1dfea7c3ab6f66a4431c1110ae17eba1a7f4c197ea96e5647a8b95b1bbec344e833cc716fdf0c72956364eab2fbcd896447e79bbdc5ee44d16d5c7f

  • SSDEEP

    3072:QVayrGulYA0fvH4L+ik4E/q9P3wz7keFqNBUGh5aZNoX1Nd3VgaO:QvqugHYLjk4E2wnUrnjlNd3b

Malware Config

Extracted

  • Family

    redline

  • C2

    45.15.156.37:110

  • Attributes

    auth_value: 5b663effac3b92fe687f0181631eeff2

Extracted

  • Family

    redline

  • Botnet

    O1

  • C2

    95.217.65.169:11995

  • Attributes

    auth_value: 57933f6c418f949af1885c0a5456a1e5

Extracted

  • Family

    erbium

  • C2

    http://77.73.133.53/cloud/index.php

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Detects Smokeloader packer

    • Erbium

      Erbium is an infostealer written in C++ and first seen in July 2022.

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Stops running service(s)

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks