General

  • Target

    cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb

  • Size

    283KB

  • Sample

    230713-yy9baabg8t

  • MD5

    b50821fcc6d29b82bc232849e5b98c3a

  • SHA1

    c99bbfe0ed81d6625820bd8d659303a09f9100f8

  • SHA256

    cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb

  • SHA512

    d8f9beca0a583803e6fd5c7476bbb7839f5b350992709f46d770dffb79f74d5f7717e0cd3ae8d9cbbf72cde5296349a55b65856103a91be1bf988d435832956b

  • SSDEEP

    3072:vWbWHLzf7UXeE1RZGp9R6j2nxjqjy6fXA5nwhHz9tbLLwTA0B:ubWHLPhYZcRt0jjuwhLsT

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

C2

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Targets

    • Target

      cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb

    • Size

      283KB

    • MD5

      b50821fcc6d29b82bc232849e5b98c3a

    • SHA1

      c99bbfe0ed81d6625820bd8d659303a09f9100f8

    • SHA256

      cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb

    • SHA512

      d8f9beca0a583803e6fd5c7476bbb7839f5b350992709f46d770dffb79f74d5f7717e0cd3ae8d9cbbf72cde5296349a55b65856103a91be1bf988d435832956b

    • SSDEEP

      3072:vWbWHLzf7UXeE1RZGp9R6j2nxjqjy6fXA5nwhHz9tbLLwTA0B:ubWHLPhYZcRt0jjuwhLsT

    • Detect rhadamanthys stealer shellcode

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies (for example via vssadmin or WMI) to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (91) files with added filename extension

      Mass renames that append an extension are consistent with ransomware encrypting files across the system.

    • Deletes backup catalog

      Uses wbadmin.exe to delete the Windows backup catalog and inhibit system recovery.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
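The three recovery-inhibition signatures above (shadow copy deletion, bcdedit boot-configuration changes, backup catalog deletion) are the chain typically seen with Phobos. The following is an added example of the detection logic behind such signatures, run over constructed process-creation events; it is not the sandbox's own rule code, and the command lines are typical of the behaviours, not the sample's actual ones (the report does not show them).

```python
"""Signature-style checks for the recovery-inhibition chain listed above:
shadow copy deletion, boot-configuration changes via bcdedit, and deletion of
the backup catalog via wbadmin. Added example, not the sandbox's own rules."""
import re
from dataclasses import dataclass

# Constructed process-creation events, "Image|CommandLine" per line. They are
# typical of the behaviours the report's signatures name, not the sample's own
# command lines (the report does not show those).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet",
    # Benign noise that must not trigger: listing shadows is not deleting them.
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
    r"C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]

# (signature name, expected image basename, pattern over the command line)
RULES = [
    ("Deletes shadow copies", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("Deletes shadow copies", "wmic.exe",
     re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("Modifies boot configuration data using bcdedit", "bcdedit.exe",
     re.compile(r"\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("Deletes backup catalog", "wbadmin.exe",
     re.compile(r"\bdelete\s+catalog\b", re.I)),
]


@dataclass(frozen=True)
class Hit:
    signature: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased final path component; tolerates either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return one Hit per (event, rule) match. Requiring the expected image
    keeps text that merely mentions these commands from matching; a renamed
    copy of the tool would evade this check and needs a separate rule."""
    hits = []
    for line in events:
        image, _, cmd = line.partition("|")
        name = basename(image.strip())
        for sig, want_image, pattern in RULES:
            if name == want_image and pattern.search(cmd):
                hits.append(Hit(sig, image.strip(), cmd.strip()))
    return hits


def inhibit_recovery_score(hits) -> int:
    """Distinct recovery-inhibition signatures triggered. A score of 3 is the
    full chain this report shows (shadow copies + bcdedit + backup catalog)."""
    return len({h.signature for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.signature}: {h.command_line}")
    print("distinct recovery-inhibition signatures:", inhibit_recovery_score(found))
```

Scoring on distinct signatures rather than raw hits is what makes the chain useful as an alert: a lone `vssadmin delete shadows` appears in legitimate maintenance, whereas all three together almost never do.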
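The "Renames multiple (91) files with added filename extension" signature is a counting heuristic over file-rename events. The following is an added example of that heuristic, not the sandbox's own implementation; the rename events, the PIDs, the `.locked` extension and the threshold of 10 are all constructed for illustration and are not taken from this report.

```python
"""Heuristic behind 'Renames multiple (N) files with added filename extension':
count, per process, renames where the new name is the old name with an
extension appended, and report processes over a threshold. Added example;
events, PIDs, the '.locked' extension and the threshold are constructed."""
import ntpath
from collections import Counter, defaultdict


def _events():
    docs = r"C:\Users\victim\Documents"
    ev = []
    # One process renaming twelve documents by appending an extension.
    for i in range(12):
        ev.append((4242, ntpath.join(docs, f"report{i}.docx"),
                   ntpath.join(docs, f"report{i}.docx.locked")))
    # A second process doing the same to only two files: under threshold.
    for i in range(2):
        ev.append((5150, ntpath.join(docs, f"photo{i}.jpg"),
                   ntpath.join(docs, f"photo{i}.jpg.locked")))
    # Benign renames that must not count: extension replaced, and a move.
    ev.append((1000, ntpath.join(docs, "draft.tmp"), ntpath.join(docs, "draft.txt")))
    ev.append((1000, ntpath.join(docs, "a.txt"), ntpath.join(r"C:\Temp", "a.txt.bak")))
    return ev


# Constructed (pid, old_path, new_path) rename events.
SAMPLE_RENAMES = _events()


def added_extension(old_path: str, new_path: str):
    """Return the appended extension (with its dot) if new_path is old_path
    plus a non-empty '.suffix' in the same directory, else None."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if ntpath.normcase(old_dir) != ntpath.normcase(new_dir):
        return None
    if not new_name.startswith(old_name + ".") or len(new_name) <= len(old_name) + 1:
        return None
    return new_name[len(old_name):]


def mass_rename_report(events, threshold=10):
    """Map pid -> (count, most common appended extension) for processes that
    appended an extension to at least `threshold` files. The threshold is an
    assumption for this example; the report's own trigger count is not shown."""
    per_pid = defaultdict(Counter)
    for pid, old, new in events:
        ext = added_extension(old, new)
        if ext is not None:
            per_pid[pid][ext] += 1
    return {pid: (sum(c.values()), c.most_common(1)[0][0])
            for pid, c in per_pid.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for pid, (count, ext) in mass_rename_report(SAMPLE_RENAMES).items():
        print(f"pid {pid}: renamed {count} files with added extension {ext}")
```

The same-directory check matters: a backup tool moving files into an archive folder with a `.bak` suffix would otherwise look identical to encryption in place.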

MITRE ATT&CK Enterprise v6

Tasks