Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    df65f980e536318f22fdfc21773829fcd216e2b031b36d743a8bce082582b97d

  • Size

    600KB

  • Sample

    230608-sr842sgd72

  • MD5

    76da21809c28674d127cecb9a7b3e224

  • SHA1

    605c65f6e928e1ac405465af09b9e218f48d04be

  • SHA256

    df65f980e536318f22fdfc21773829fcd216e2b031b36d743a8bce082582b97d

  • SHA512

    5cc8c3774f52a1197460a8e663eda485aaf49677ba9cbf359cabc4b9787d6b7507d2c00a753990fb604204d9e2422d3cd173f702afa2ebf641929138345988bb

  • SSDEEP

    12288:LMrby909dgFHV0TeOTKgW4cZnJAfm87s3cUOlaOCQxAj2sa2:IywCl0KHZnJissUOlaFQxAN5

Score
10/10
redlineduhasheronevasioninfostealerpersistencespywaretrojan

Malware Config

Extracted

Family

redline

Botnet

duha

C2

83.97.73.129:19068

Attributes
  • auth_value

    aafe99874c3b8854069470882e00246c

Extracted

Family

redline

Botnet

sheron

C2

83.97.73.129:19068

Attributes
  • auth_value

    2d067e7e2372227d3a03b335260112e9

Targets

    • Target

      df65f980e536318f22fdfc21773829fcd216e2b031b36d743a8bce082582b97d

    • Size

      600KB

    • MD5

      76da21809c28674d127cecb9a7b3e224

    • SHA1

      605c65f6e928e1ac405465af09b9e218f48d04be

    • SHA256

      df65f980e536318f22fdfc21773829fcd216e2b031b36d743a8bce082582b97d

    • SHA512

      5cc8c3774f52a1197460a8e663eda485aaf49677ba9cbf359cabc4b9787d6b7507d2c00a753990fb604204d9e2422d3cd173f702afa2ebf641929138345988bb

    • SSDEEP

      12288:LMrby909dgFHV0TeOTKgW4cZnJAfm87s3cUOlaOCQxAj2sa2:IywCl0KHZnJissUOlaFQxAN5

    Score
    10/10
    redlineduhasheronevasioninfostealerpersistencespywaretrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks