Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a525f983338f20fb35e1fc7e2bc2995d8beddb85dba93587fa3e3cf83d5cea09

  • Size

    35KB

  • Sample

    230105-l697bsfb3w

  • MD5

    6f3b869f0d95d04f04cbdba253f965c9

  • SHA1

    9ac833db812dd9c9d2f1fafd2f30375d035e7a8b

  • SHA256

    a525f983338f20fb35e1fc7e2bc2995d8beddb85dba93587fa3e3cf83d5cea09

  • SHA512

    fa4df655129b3d8b90f0d12454724383e1b09240592075276512dff1869aa6f1c9e9144de87681a62b235b0f6f347ba8b14fd153038cc636af162ebac264b990

  • SSDEEP

    768:wQp/5JqoF5aCt8jBsgHlXx9py4r/wOPpdwMNhghy0qa:wcRvF5aCtyHl04kmTghy0f

Score
10/10
redlinexmrig$infostealerminerpersistencespyware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.194/go.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://62.204.41.194/me.png

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://62.204.41.194/F1.exe

Extracted

Family

redline

Botnet

$

C2

31.41.244.135:19850

Attributes
  • auth_value

    66623f79e2af33286760f5dd6c4262dc

Targets

    • Target

      a525f983338f20fb35e1fc7e2bc2995d8beddb85dba93587fa3e3cf83d5cea09

    • Size

      35KB

    • MD5

      6f3b869f0d95d04f04cbdba253f965c9

    • SHA1

      9ac833db812dd9c9d2f1fafd2f30375d035e7a8b

    • SHA256

      a525f983338f20fb35e1fc7e2bc2995d8beddb85dba93587fa3e3cf83d5cea09

    • SHA512

      fa4df655129b3d8b90f0d12454724383e1b09240592075276512dff1869aa6f1c9e9144de87681a62b235b0f6f347ba8b14fd153038cc636af162ebac264b990

    • SSDEEP

      768:wQp/5JqoF5aCt8jBsgHlXx9py4r/wOPpdwMNhghy0qa:wcRvF5aCtyHl04kmTghy0f

    Score
    10/10
    redlinexmrig$infostealerminerpersistencespyware

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks