General

  • Target

    70942e631d575ff2ca70a995147a94eeb813eb6b2394e474d09a295759bbeff0

  • Size

    147KB

  • Sample

    221126-1t7m1age59

  • MD5

    0a4ecef563dd2052acc1ba9b60e3387c

  • SHA1

    05bf9a8c35ece56e78a3da06a1d31561fbdf2f3b

  • SHA256

    70942e631d575ff2ca70a995147a94eeb813eb6b2394e474d09a295759bbeff0

  • SHA512

    86d7052f18444dfdb7207d98c2f442d9eb2c45d4b5b596f8280b7ed7ce01438547a9962a163949636cf5a78eb349807a558eb74d881c4e3da00088807ffd0b0d

  • SSDEEP

    3072:ohEP75PCokia5JFkXqGaRcEQZsoVHIadP/:1TookbF8qGSQS4

Malware Config

Extracted

Family

redline

Botnet

newlogs

C2

77.73.133.70:38819

Attributes
  • auth_value

    05a73a1692c3aebb2a26f1a593237a77

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes
  • auth_value

    80ebe4bab7a98a7ce9c75989ff9f40b4

Extracted

Family

redline

Botnet

Main

C2

109.206.243.58:81

Attributes
  • auth_value

    8d4fa15b87cebd556cbb5208a3db0fdc

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    c25400a81a220bbbc3cb779c59ab8b74c7b58ae3a99f465520cbd86c53bd630b

Extracted

Family

remcos

Botnet

Main

C2

109.206.243.58:4541

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    15

  • connect_interval

    3

  • copy_file

    jdk.exe

  • copy_folder

    Java

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %UserProfile%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Main-ABIEBJ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Java Updater

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      70942e631d575ff2ca70a995147a94eeb813eb6b2394e474d09a295759bbeff0

    • Size

      147KB

    • MD5

      0a4ecef563dd2052acc1ba9b60e3387c

    • SHA1

      05bf9a8c35ece56e78a3da06a1d31561fbdf2f3b

    • SHA256

      70942e631d575ff2ca70a995147a94eeb813eb6b2394e474d09a295759bbeff0

    • SHA512

      86d7052f18444dfdb7207d98c2f442d9eb2c45d4b5b596f8280b7ed7ce01438547a9962a163949636cf5a78eb349807a558eb74d881c4e3da00088807ffd0b0d

    • SSDEEP

      3072:ohEP75PCokia5JFkXqGaRcEQZsoVHIadP/:1TookbF8qGSQS4

    • Laplas Clipper

      Laplas is a crypto wallet stealer with two variants written in Golang and C#.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scripting, T1064 (1)

  • Scheduled Task, T1053 (1)

Persistence

  • Registry Run Keys / Startup Folder, T1060 (1)

  • Scheduled Task, T1053 (1)

Privilege Escalation

  • Scheduled Task, T1053 (1)

Defense Evasion

  • Scripting, T1064 (1)

  • Modify Registry, T1112 (1)

Credential Access

  • Credentials in Files, T1081 (1)

Discovery

  • Query Registry, T1012 (1)

  • Peripheral Device Discovery, T1120 (1)

  • System Information Discovery, T1082 (1)

Collection

  • Data from Local System, T1005 (1)

Command and Control

  • Web Service, T1102 (1)

Tasks