General

  • Target

    3d935c5250ea511804279cdb199bb3200239eeaa514d8d8c6554370d835014fe

  • Size

    223KB

  • Sample

    221022-tw3y9seccq

  • MD5

    5a4ee1cb4de2423c7d026a2bd912580c

  • SHA1

    2b609df88ca33117d245cc2a385b37f2d8262757

  • SHA256

    3d935c5250ea511804279cdb199bb3200239eeaa514d8d8c6554370d835014fe

  • SHA512

    f9c747217c268a2a258f8e460dea6d0a51f1ce62af5b9c122176ae4406abe92fdc0478369e646509317a62aef6ecc5a2a829de572e482fed72c6a1b39d6e6204

  • SSDEEP

    3072:hXa0KtLcMhJvRTA5mmmOgYjB/LpGfH6YOs4+X0aZCf9lFWdR75Z0w3J:F7KtLDJNPYjB/FG/6LZiU1lFWj75Z

Malware Config

Extracted

Family

redline

Botnet

nam7

C2

103.89.90.61:34589

Attributes

  • auth_value

    533c8fbdab4382453812c73ea2cee5b8

Extracted

Family

redline

Botnet

Google2

C2

167.235.71.14:20469

Attributes

  • auth_value

    fb274d9691235ba015830da570a13578

Extracted

Family

redline

Botnet

slovarikinstalls

C2

78.153.144.3:2510

Attributes

  • auth_value

    5f80b2ec82e3bd02a08a3a55d3180551

Extracted

Family

redline

Botnet

Newe

C2

89.208.106.66:4691

Attributes

  • auth_value

    e7141b98243e53ec71dadf6344aff038

Extracted

Family

erbium

C2

http://77.73.133.53/cloud/index.php

Targets

    • Target

      3d935c5250ea511804279cdb199bb3200239eeaa514d8d8c6554370d835014fe

    • Size

      223KB

    • MD5

      5a4ee1cb4de2423c7d026a2bd912580c

    • SHA1

      2b609df88ca33117d245cc2a385b37f2d8262757

    • SHA256

      3d935c5250ea511804279cdb199bb3200239eeaa514d8d8c6554370d835014fe

    • SHA512

      f9c747217c268a2a258f8e460dea6d0a51f1ce62af5b9c122176ae4406abe92fdc0478369e646509317a62aef6ecc5a2a829de572e482fed72c6a1b39d6e6204

    • SSDEEP

      3072:hXa0KtLcMhJvRTA5mmmOgYjB/LpGfH6YOs4+X0aZCf9lFWdR75Z0w3J:F7KtLDJNPYjB/FG/6LZiU1lFWj75Z

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Erbium

      Erbium is an infostealer written in C++ and first seen in July 2022.

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Stops running service(s)

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks