Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/04/2023, 09:35 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe

  • Size

    223KB

  • MD5

    10a23e5e5c59b8d1470248a72be5faeb

  • SHA1

    48cdf8db907f4efc039c477198b11d9541306395

  • SHA256

    985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da

  • SHA512

    c618b4d7c0c41629f0279e1d6c14f84908d2da6f3b8cd98be444757c1c12e236068604e55f81b3b05bbb2e2cc1cad0e3a88e586361a71dbce3e213061765a295

  • SSDEEP

    3072:WIMolJB8OtFSTWZk9FRhKUMb4jYgQLRZiitUPX4q56lm22Td:LDUTWCiNqgTzt1oT

Score
10/10
smokeloaderpu10backdoortrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pu10

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
1
0x33f8f0d2
rc4.i32
1
0xaa0488bb

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe
    "C:\Users\Admin\AppData\Local\Temp\985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Users\Admin\AppData\Local\Temp\985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe
      "C:\Users\Admin\AppData\Local\Temp\985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3016

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    42.220.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    42.220.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    host-file-host6.com
    Remote address:
    8.8.8.8:53
    Request
    host-file-host6.com
    IN A
    Response
    host-file-host6.com
    IN A
    193.233.134.82
  • flag-us
    POST
    http://host-file-host6.com/
    Remote address:
    193.233.134.82:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://olttcqylat.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 201
    Host: host-file-host6.com
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.20.2
    Date: Wed, 26 Apr 2023 09:36:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
  • flag-us
    DNS
    host-host-file8.com
    Remote address:
    8.8.8.8:53
    Request
    host-host-file8.com
    IN A
    Response
  • flag-us
    DNS
    host-host-file8.com
    Remote address:
    8.8.8.8:53
    Request
    host-host-file8.com
    IN A
    Response
  • flag-us
    DNS
    host-host-file8.com
    Remote address:
    8.8.8.8:53
    Request
    host-host-file8.com
    IN A
    Response
  • flag-us
    DNS
    host-host-file8.com
    Remote address:
    8.8.8.8:53
    Request
    host-host-file8.com
    IN A
    Response
  • flag-us
    DNS
    82.134.233.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.134.233.193.in-addr.arpa
    IN PTR
    Response
    82.134.233.193.in-addr.arpa
    IN PTR
    hosted-bybenderrdp
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.8.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.8.109.52.in-addr.arpa
    IN PTR
    Response
  • 193.233.134.82:80
    http://host-file-host6.com/
    http
    745 B
     402 B
     6
    5

    HTTP Request

    POST http://host-file-host6.com/

    HTTP Response

    200
  • 52.152.110.14:443
    260 B
     5
  • 52.182.141.63:443
    322 B
     7
  • 173.223.113.164:443
    322 B
     7
  • 204.79.197.203:80
    322 B
     7
  • 52.152.110.14:443
    260 B
     5
  • 13.107.4.50:80
    322 B
     7
  • 52.152.110.14:443
    260 B
     5
  • 52.152.110.14:443
    260 B
     5
  • 52.152.110.14:443
    260 B
     5
  • 52.152.110.14:443
    208 B
     4
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    42.220.44.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    42.220.44.20.in-addr.arpa

  • 8.8.8.8:53
    host-file-host6.com
    dns
    65 B
     81 B
     1
    1

    DNS Request

    host-file-host6.com

    DNS Response

    193.233.134.82

  • 8.8.8.8:53
    host-host-file8.com
    dns
    260 B
     260 B
     4
    4

    DNS Request

    host-host-file8.com

    DNS Request

    host-host-file8.com

    DNS Request

    host-host-file8.com

    DNS Request

    host-host-file8.com

  • 8.8.8.8:53
    82.134.233.193.in-addr.arpa
    dns
    73 B
     107 B
     1
    1

    DNS Request

    82.134.233.193.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    86.8.109.52.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    86.8.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1816-135-0x0000000002DF0000-0x0000000002DF9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2512-137-0x0000000003200000-0x0000000003216000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2512-142-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-143-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-144-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-145-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-146-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-147-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-148-0x0000000008630000-0x0000000008640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-149-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-150-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-151-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-152-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-153-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-154-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-155-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-156-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-157-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-158-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-162-0x0000000008630000-0x0000000008640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-163-0x0000000008630000-0x0000000008640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-164-0x0000000008630000-0x0000000008640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-165-0x0000000008630000-0x0000000008640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-166-0x0000000008630000-0x0000000008640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-167-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-168-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-169-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-170-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-171-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-172-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-173-0x0000000001340000-0x0000000001342000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2512-174-0x0000000001340000-0x0000000001342000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2512-175-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-176-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-177-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-178-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-179-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-180-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-181-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-182-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-183-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-184-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-185-0x0000000001350000-0x000000000135B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2512-186-0x0000000001340000-0x0000000001342000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2512-187-0x0000000001350000-0x000000000135B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2512-188-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-189-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-190-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-191-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-192-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-193-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-194-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-195-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-196-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-197-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-198-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-199-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-200-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-201-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-202-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-204-0x0000000008290000-0x00000000082A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2512-203-0x0000000001330000-0x0000000001332000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3016-134-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3016-136-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3016-138-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.