Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b8504df7f396ab849abb0db2b8cabae6918ab0b3bd9d986e3b567369b7ce02ee

  • Size

    1.1MB

  • Sample

    230514-vxqwrsce96

  • MD5

    eb58c15600f974d7beb1cf404fadc2da

  • SHA1

    11e27de8b96d8e8f968ab0ebd9f532218b321ebc

  • SHA256

    b8504df7f396ab849abb0db2b8cabae6918ab0b3bd9d986e3b567369b7ce02ee

  • SHA512

    519830019371ab5848e57fe079b9b9dc46099b84b59f0e87bb87b3c8ceebe8f866f4653e2a9968cd33746404c8bb392fcf09891c59e20acc701ea3b360fb4859

  • SSDEEP

    24576:ryqsz6bhFwBq0tK0EZ5Tw8H3d0G59jYHtQUcdB9BkKAqbShe83u8z9Z:eqccXGK0EZJwA3d0e9EuUcJBkKAy383F

Score
10/10
redlinevjw0rmwshratlarrywarumdiscoveryevasioninfostealerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

redline

Botnet

larry

C2

185.161.248.75:4132

Attributes
  • auth_value

    9039557bb7a08f5f2f60e2b71e1dee0e

Extracted

Family

redline

Botnet

warum

C2

185.161.248.75:4132

Attributes
  • auth_value

    0bdb2dda91dadc65f555dee088a6a2a4

Targets

    • Target

      b8504df7f396ab849abb0db2b8cabae6918ab0b3bd9d986e3b567369b7ce02ee

    • Size

      1.1MB

    • MD5

      eb58c15600f974d7beb1cf404fadc2da

    • SHA1

      11e27de8b96d8e8f968ab0ebd9f532218b321ebc

    • SHA256

      b8504df7f396ab849abb0db2b8cabae6918ab0b3bd9d986e3b567369b7ce02ee

    • SHA512

      519830019371ab5848e57fe079b9b9dc46099b84b59f0e87bb87b3c8ceebe8f866f4653e2a9968cd33746404c8bb392fcf09891c59e20acc701ea3b360fb4859

    • SSDEEP

      24576:ryqsz6bhFwBq0tK0EZ5Tw8H3d0G59jYHtQUcdB9BkKAqbShe83u8z9Z:eqccXGK0EZJwA3d0e9EuUcJBkKAy383F

    Score
    10/10
    redlinevjw0rmwshratlarrywarumdiscoveryevasioninfostealerpersistencespywarestealertrojanworm

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • WSHRAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks