Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    96f9c9e28808d8ce4c2a101176b5aa8da444f8bca44b2b031cda2f6722cf6f47

  • Size

    239KB

  • Sample

    230923-1x8pgaaf4t

  • MD5

    37f8e179952948c5b27795a2737a4f99

  • SHA1

    03d4e6517c12238b66a50582bcc248821e2cf120

  • SHA256

    96f9c9e28808d8ce4c2a101176b5aa8da444f8bca44b2b031cda2f6722cf6f47

  • SHA512

    7e8d49a6e013fd0b992efa00c877ac2901396f34c3d9750539f5074fe2cb0494b8828195a0a2321128f88961f4a090a93e867f943b1fbbab2dedc612ead7343a

  • SSDEEP

    6144:uk46fuYXChoQTjlFgLuCY1dRuAOY0ikw3jlw8y0:utYzXChdTbv1buji3lw8y

Score
10/10
fabookiephobosredlinesmokeloaderbackdoorgooglecollectiondiscoveryinfostealerphishingransomwarespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Targets

    • Target

      96f9c9e28808d8ce4c2a101176b5aa8da444f8bca44b2b031cda2f6722cf6f47

    • Size

      239KB

    • MD5

      37f8e179952948c5b27795a2737a4f99

    • SHA1

      03d4e6517c12238b66a50582bcc248821e2cf120

    • SHA256

      96f9c9e28808d8ce4c2a101176b5aa8da444f8bca44b2b031cda2f6722cf6f47

    • SHA512

      7e8d49a6e013fd0b992efa00c877ac2901396f34c3d9750539f5074fe2cb0494b8828195a0a2321128f88961f4a090a93e867f943b1fbbab2dedc612ead7343a

    • SSDEEP

      6144:uk46fuYXChoQTjlFgLuCY1dRuAOY0ikw3jlw8y0:utYzXChdTbv1buji3lw8y

    Score
    10/10
    fabookiephobosredlinesmokeloaderbackdoorgooglecollectiondiscoveryinfostealerphishingransomwarespywarestealertrojan

    • Detect Fabookie payload

    • Detected google phishing page

      phishinggoogle

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks