Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f5b987cedc36ad0095ad11330bee082cafeb1fe60caba34c089021f4ffbb16b0

  • Size

    186KB

  • Sample

    221123-kb93eacc2z

  • MD5

    a318980ea14f27777c366804d2ef9a5d

  • SHA1

    4ec4701c118b0783ea54674657bbc97abd28c7c0

  • SHA256

    f5b987cedc36ad0095ad11330bee082cafeb1fe60caba34c089021f4ffbb16b0

  • SHA512

    95392578596cfdbba19d172b5b758220343be3ea53f3d38f21c9cd60d44932ce29bcabfda3738c0ea214d6ff48a657aa32f7ab7df44946bd4abfa67e72ebb845

  • SSDEEP

    3072:xBIENGVfuKLht1WG/D5TJzhmSbHZtH45/GsOm4LUP8e:YEorLht1hBJzhNb3W/GxmlP8e

Score
10/10
redlinesmokeloaderkriptnanoid2022backdoordiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes
  • auth_value

    80ebe4bab7a98a7ce9c75989ff9f40b4

Extracted

Family

redline

C2

185.215.113.83:60722

Attributes
  • auth_value

    674feb1d15af397f9322eb62587035b3

Extracted

Family

redline

Botnet

NanoID2022

C2

185.106.92.111:2510

Attributes
  • auth_value

    d5913c276c6c8b5735246051bef9a412

Targets

    • Target

      f5b987cedc36ad0095ad11330bee082cafeb1fe60caba34c089021f4ffbb16b0

    • Size

      186KB

    • MD5

      a318980ea14f27777c366804d2ef9a5d

    • SHA1

      4ec4701c118b0783ea54674657bbc97abd28c7c0

    • SHA256

      f5b987cedc36ad0095ad11330bee082cafeb1fe60caba34c089021f4ffbb16b0

    • SHA512

      95392578596cfdbba19d172b5b758220343be3ea53f3d38f21c9cd60d44932ce29bcabfda3738c0ea214d6ff48a657aa32f7ab7df44946bd4abfa67e72ebb845

    • SSDEEP

      3072:xBIENGVfuKLht1WG/D5TJzhmSbHZtH45/GsOm4LUP8e:YEorLht1hBJzhNb3W/GxmlP8e

    Score
    10/10
    redlinesmokeloaderkriptnanoid2022backdoordiscoveryinfostealerspywarestealertrojan

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks