General

  • Target

    fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545

  • Size

    224KB

  • Sample

    221022-tkr3maeaa5

  • MD5

    0d7ef768e438cca7715e0613bc339dc9

  • SHA1

    ddb08e01fe98df1e0d319f88c529b9f59ccab22d

  • SHA256

    fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545

  • SHA512

    2938185c6ed1b7c640ac8115c7e2d12bca826097eefab41c4ce797f72d5eb81d549b45138256f764e43705511b399d17c6b263957a64ca3778887a6b779b7b66

  • SSDEEP

    3072:1XL6L1ZL98gb5lOqCKZzrCfpMuGyWIcIpPKuRuTmQJrUCH:x+L3N7BCEHCnRBcgPKQuqurZ

Malware Config

Extracted

Family

redline

Botnet

nam7

C2

103.89.90.61:34589

Attributes
  • auth_value

    533c8fbdab4382453812c73ea2cee5b8

Extracted

Family

redline

Botnet

slovarikinstalls

C2

78.153.144.3:2510

Attributes
  • auth_value

    5f80b2ec82e3bd02a08a3a55d3180551

Extracted

Family

redline

Botnet

Google2

C2

167.235.71.14:20469

Attributes
  • auth_value

    fb274d9691235ba015830da570a13578

Extracted

Family

redline

Botnet

Newe

C2

89.208.106.66:4691

Attributes
  • auth_value

    e7141b98243e53ec71dadf6344aff038

Extracted

Family

erbium

C2

http://77.73.133.53/cloud/index.php
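
The five C2 endpoints extracted above are the most directly actionable part of this report. The following is an added example, not part of the Triage report or of either malware family's code: it turns the extracted configs into network IOCs and runs them over constructed Zeek-style conn.log and http.log lines. The log layout is a simplified, constructed TSV (ts, uid, orig_h, orig_p, resp_h, resp_p, ... ) chosen for the example, and the function and dataclass names are my own.

```python
"""Match the RedLine / Erbium C2s from the report against constructed log lines."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# C2 values copied verbatim from the report's "Malware Config" section.
EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": "nam7", "c2": "103.89.90.61:34589"},
    {"family": "redline", "botnet": "slovarikinstalls", "c2": "78.153.144.3:2510"},
    {"family": "redline", "botnet": "Google2", "c2": "167.235.71.14:20469"},
    {"family": "redline", "botnet": "Newe", "c2": "89.208.106.66:4691"},
    {"family": "erbium", "botnet": None, "c2": "http://77.73.133.53/cloud/index.php"},
]


@dataclass(frozen=True)
class NetworkIoc:
    family: str
    botnet: Optional[str]
    host: str
    port: int
    uri: Optional[str]  # only set for the HTTP C2 (Erbium); None for raw TCP C2s


def parse_c2(entry: dict) -> NetworkIoc:
    """Normalise a 'host:port' or 'scheme://host/path' C2 string into a NetworkIoc."""
    c2 = entry["c2"]
    if "://" in c2:
        u = urlparse(c2)
        port = u.port or (443 if u.scheme == "https" else 80)
        return NetworkIoc(entry["family"], entry["botnet"], u.hostname, port, u.path)
    host, port = c2.rsplit(":", 1)
    ipaddress.ip_address(host)  # RedLine C2s in this report are literal IPs; fail loudly otherwise
    return NetworkIoc(entry["family"], entry["botnet"], host, int(port), None)


def build_iocs(configs=EXTRACTED_CONFIGS) -> List[NetworkIoc]:
    return [parse_c2(c) for c in configs]


# Constructed sample logs (not real captures). Simplified Zeek-like TSV layout:
# conn.log: ts uid orig_h orig_p resp_h resp_p proto
CONN_LOG = (
    "1666427100.123\tCabc1\t10.0.0.15\t49712\t103.89.90.61\t34589\ttcp\n"
    "1666427105.456\tCabc2\t10.0.0.15\t49713\t142.250.74.46\t443\ttcp\n"
    "1666427110.789\tCabc3\t10.0.0.22\t49801\t89.208.106.66\t4691\ttcp\n"
    "1666427111.000\tCabc4\t10.0.0.22\t49802\t89.208.106.66\t80\ttcp\n"
)
# http.log: ts uid orig_h orig_p resp_h resp_p method host uri
HTTP_LOG = (
    "1666427120.111\tChttp1\t10.0.0.15\t49720\t77.73.133.53\t80\tPOST\t77.73.133.53\t/cloud/index.php\n"
    "1666427121.222\tChttp2\t10.0.0.15\t49721\t77.73.133.53\t80\tGET\t77.73.133.53\t/favicon.ico\n"
)


def _tsv(text: str):
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split("\t")


def match_conn_log(conn_log: str, iocs: List[NetworkIoc]):
    """Exact (dest IP, dest port) match. Same IP on another port (Cabc4) is NOT a hit:
    the extracted config pins the port, so a looser IP-only rule is a separate, weaker IOC."""
    by_endpoint = {(i.host, i.port): i for i in iocs}
    hits = []
    for _ts, uid, _oh, _op, resp_h, resp_p, _proto in _tsv(conn_log):
        ioc = by_endpoint.get((resp_h, int(resp_p)))
        if ioc:
            hits.append((uid, ioc.family, ioc.botnet))
    return hits


def match_http_log(http_log: str, iocs: List[NetworkIoc]):
    """Host + URI path match for HTTP C2s; a request to the same host with a different
    path (Chttp2) does not match, which keeps the check tied to the extracted URL."""
    by_uri = {(i.host, i.uri): i for i in iocs if i.uri}
    hits = []
    for _ts, uid, _oh, _op, _rh, _rp, method, host, uri in _tsv(http_log):
        ioc = by_uri.get((host, uri))
        if ioc:
            hits.append((uid, ioc.family, method))
    return hits


if __name__ == "__main__":
    iocs = build_iocs()
    for hit in match_conn_log(CONN_LOG, iocs) + match_http_log(HTTP_LOG, iocs):
        print(hit)
```

In practice the port-exact match on the RedLine C2s is the higher-confidence rule; the same hosts may be reused on other ports by the operator, so an IP-only watch is worth keeping as a lower-severity alert alongside it.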

Targets

    • Detects Smokeloader packer

    • Erbium

      Erbium is an infostealer written in C++ and first seen in July 2022.

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Stops running service(s)

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
