General

  • Target

    c38a33d08840e23aef88d6a9b5c00bed49aea5681c6cf29d293d2b2be2b7469b

  • Size

    957KB

  • Sample

    231101-21w1hsfh27

  • MD5

    399c70db942fdc350774c4350e08697f

  • SHA1

    f6e9499be20257ffab465b1e9a65bffd9ab88165

  • SHA256

    c38a33d08840e23aef88d6a9b5c00bed49aea5681c6cf29d293d2b2be2b7469b

  • SHA512

    b7a480acddaa39e5d471450a819059119d21c940174e396bcfc9dd6937815aa8bd3cb879efae43814acc90001aea9ea86ddb36efaa4a06397556f2c1942c02d6

  • SSDEEP

    12288:Xbc1xo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTXb0:w1u2dAK4tf+BVHHkIoRj3cQDX

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2: http://77.91.68.29/fks/
  • rc4.i32
  • rc4.i32

Extracted

  • Family: redline
  • Botnet: grome
  • C2: 77.91.124.86:19084

Extracted

  • Family: redline
  • Botnet: kinza
  • C2: 77.91.124.86:19084

Targets

    • Target

      c38a33d08840e23aef88d6a9b5c00bed49aea5681c6cf29d293d2b2be2b7469b

    • Size

      957KB

    • MD5

      399c70db942fdc350774c4350e08697f

    • SHA1

      f6e9499be20257ffab465b1e9a65bffd9ab88165

    • SHA256

      c38a33d08840e23aef88d6a9b5c00bed49aea5681c6cf29d293d2b2be2b7469b

    • SHA512

      b7a480acddaa39e5d471450a819059119d21c940174e396bcfc9dd6937815aa8bd3cb879efae43814acc90001aea9ea86ddb36efaa4a06397556f2c1942c02d6

    • SSDEEP

      12288:Xbc1xo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTXb0:w1u2dAK4tf+BVHHkIoRj3cQDX

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Adds Run key to start application

    • Detected potential entity reuse from brand PayPal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • System Information Discovery (T1082): 3
  • Query Registry (T1012): 3
  • Peripheral Device Discovery (T1120): 1

Tasks