Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ade4775ff1971a3e260d671405057301a13e2120dc90b894e6ddc188008e4b33

  • Size

    239KB

  • Sample

    230924-abb59sah7x

  • MD5

    0d81e52c81f27226e28d3beee0773345

  • SHA1

    5af0d4ee95db2a6967c1185ae21ea1b8f25269a7

  • SHA256

    ade4775ff1971a3e260d671405057301a13e2120dc90b894e6ddc188008e4b33

  • SHA512

    2d1a1d6de4c737ff63420db015c5a4d83aac27601d1e2d2386c73e5f35d383ce58f414822fd0b88f6168af3f5cff9ac16ff54655bd00886398067ac14539517c

  • SSDEEP

    6144:iK46fuYXChoQTjlFgLuCY1dRuAO87vw8y0:ivYzXChdTbv1bucvw8y

Score
10/10
fabookiephobosredlinerhadamanthyssmokeloaderbackdoorgooglecollectiondiscoveryevasioninfostealerphishingransomwarespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Targets

    • Target

      ade4775ff1971a3e260d671405057301a13e2120dc90b894e6ddc188008e4b33

    • Size

      239KB

    • MD5

      0d81e52c81f27226e28d3beee0773345

    • SHA1

      5af0d4ee95db2a6967c1185ae21ea1b8f25269a7

    • SHA256

      ade4775ff1971a3e260d671405057301a13e2120dc90b894e6ddc188008e4b33

    • SHA512

      2d1a1d6de4c737ff63420db015c5a4d83aac27601d1e2d2386c73e5f35d383ce58f414822fd0b88f6168af3f5cff9ac16ff54655bd00886398067ac14539517c

    • SSDEEP

      6144:iK46fuYXChoQTjlFgLuCY1dRuAO87vw8y0:ivYzXChdTbv1bucvw8y

    Score
    10/10
    fabookiephobosredlinerhadamanthyssmokeloaderbackdoorgooglecollectiondiscoveryevasioninfostealerphishingransomwarespywarestealertrojan

    • Detect Fabookie payload

    • Detect rhadamanthys stealer shellcode

    • Detected google phishing page

      phishinggoogle

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks