Overview

overview

10

Static

static

8

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    715455aef5e60b76962c64b6a1f1507d07566abc220c624c03b47b90e3cb4921

  • Size

    539KB

  • Sample

    230131-j3evxafe98

  • MD5

    1137589aa44bf2facb839b4a4abcb941

  • SHA1

    7f86e36f26d36a2a9e4adac82a29668f8a4aab5c

  • SHA256

    715455aef5e60b76962c64b6a1f1507d07566abc220c624c03b47b90e3cb4921

  • SHA512

    60b9490cbddb1ea965a25ccb2996cde646605b1e05558426f7426cd980710638b690bfe18d5f589c67f881a6ac670b77a57a5dbfc89698cf01ad5711cbbf32ac

  • SSDEEP

    12288:IdXvDWopdu11GNJGUOXOoDscvVqILhtgNUJh9UhJwYL:Mv6oLM2GvXOoHdqIdgUJeTL

Score
10/10
asyncratredlinedefendersmartscrenffsecurityhealthservicewhostprojesswindoosdguardwindowsdefendersmarttscreeninfostealerpersistenceratupx

Malware Config

Extracted

Family

redline

Botnet

ff

C2

51.103.208.104:53200

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WHostProjess

C2

95.70.151.185:8805

Mutex

WHostProjess

Attributes
  • delay

    3

  • install

    false

  • install_file

    WHostProjess

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealthService

C2

20.4.6.16:43521

Mutex

SecurityHealthService

Attributes
  • delay

    3

  • install

    false

  • install_file

    SecurityHealthService

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WindoosDGuard

C2

20.4.6.16:43521

Mutex

WindoosDGuard

Attributes
  • delay

    3

  • install

    false

  • install_file

    WindoosDGuard

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

WindowsDefenderSmarttScreen

C2

217.64.31.3:9742

Mutex

WindowsDefenderSmarttScreen

Attributes
  • delay

    1

  • install

    false

  • install_file

    WindowsDefenderSmarttScreen.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes
  • delay

    3

  • install

    false

  • install_file

    SecurityHealtheurvice.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      715455aef5e60b76962c64b6a1f1507d07566abc220c624c03b47b90e3cb4921

    • Size

      539KB

    • MD5

      1137589aa44bf2facb839b4a4abcb941

    • SHA1

      7f86e36f26d36a2a9e4adac82a29668f8a4aab5c

    • SHA256

      715455aef5e60b76962c64b6a1f1507d07566abc220c624c03b47b90e3cb4921

    • SHA512

      60b9490cbddb1ea965a25ccb2996cde646605b1e05558426f7426cd980710638b690bfe18d5f589c67f881a6ac670b77a57a5dbfc89698cf01ad5711cbbf32ac

    • SSDEEP

      12288:IdXvDWopdu11GNJGUOXOoDscvVqILhtgNUJh9UhJwYL:Mv6oLM2GvXOoHdqIdgUJeTL

    Score
    10/10
    asyncratredlinedefendersmartscrenffsecurityhealthservicewhostprojesswindoosdguardwindowsdefendersmarttscreeninfostealerpersistenceratupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks