General

  • Target: ef79abeb4b5f5de7be5944c547f8c696dab084369a40fbf3f2bc6491833e574c
  • Size: 264KB
  • Sample: 221208-d6plmagh68
  • MD5: c7f522a269895ba7cff4e694ad4f4cca
  • SHA1: 5e8621fe1d219aa7fb6d120c29933b4d8f84d75d
  • SHA256: ef79abeb4b5f5de7be5944c547f8c696dab084369a40fbf3f2bc6491833e574c
  • SHA512: 0d1ecf195cad0a700a23721c0dd7ed2acfc6b11ad8aa6b24988720cd6d4de658a7ae195d03c9f8a94aadf6344ecdd968421d2288cac04fa57ade4f47fbd3a1f5
  • SSDEEP: 3072:8MT8QUjxBcZhuDi585ouA5A6XOmoJZoM17TBQgnTLh1sNxehv:8xGh0quA5AZmoMM1SGmxm

Malware Config

Extracted

  • Family: redline
  • Botnet: YT
  • C2: 65.21.5.58:48811
  • Attributes
    • auth_value: fb878dde7f3b4ad1e1bc26d24db36d28

Targets

    • Target: ef79abeb4b5f5de7be5944c547f8c696dab084369a40fbf3f2bc6491833e574c (264KB)

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Deletes itself
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
    • Uses the VBS compiler for execution
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                       ID      Signatures
  Execution              Scripting                       T1064   1
  Execution              Scheduled Task                  T1053   1
  Persistence            Scheduled Task                  T1053   1
  Privilege Escalation   Scheduled Task                  T1053   1
  Defense Evasion        Scripting                       T1064   1
  Credential Access      Credentials in Files            T1081   2
  Discovery              System Information Discovery    T1082   2
  Discovery              Query Registry                  T1012   1
  Discovery              Peripheral Device Discovery     T1120   1
  Collection             Data from Local System          T1005   2
  Command and Control    Web Service                     T1102   1

Tasks