Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    935545bec5fcc278c6a6ad485ccb32bf4e691e4a7b3ec0d9a19bb10d4bb42977

  • Size

    932KB

  • Sample

    231113-rhmzsada5y

  • MD5

    a3bda5d729b453a8ea9c370e87793c2e

  • SHA1

    46fe616c3cc82b64231a9f3fff268822a310982d

  • SHA256

    935545bec5fcc278c6a6ad485ccb32bf4e691e4a7b3ec0d9a19bb10d4bb42977

  • SHA512

    8e0c7eed52e9c60738ccd1354dba9a03d44bc913f33de393aeb9c05e6049e444b1d24b8b4fb515ef10d2b5fa2f3f5556a6af1628b40d72ac12ed35e6347d1216

  • SSDEEP

    12288:fMrly90ZnDzgrheQ7IgzBcDFT+JTsOQlp0XB59uQvztbj4OXXIEmtA6P37hf5rE:uygDzgr8wI0+DZ78ZuQRwpE

Score
10/10
mysticredlinesmokeloadertaigaup3backdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Targets

    • Target

      935545bec5fcc278c6a6ad485ccb32bf4e691e4a7b3ec0d9a19bb10d4bb42977

    • Size

      932KB

    • MD5

      a3bda5d729b453a8ea9c370e87793c2e

    • SHA1

      46fe616c3cc82b64231a9f3fff268822a310982d

    • SHA256

      935545bec5fcc278c6a6ad485ccb32bf4e691e4a7b3ec0d9a19bb10d4bb42977

    • SHA512

      8e0c7eed52e9c60738ccd1354dba9a03d44bc913f33de393aeb9c05e6049e444b1d24b8b4fb515ef10d2b5fa2f3f5556a6af1628b40d72ac12ed35e6347d1216

    • SSDEEP

      12288:fMrly90ZnDzgrheQ7IgzBcDFT+JTsOQlp0XB59uQvztbj4OXXIEmtA6P37hf5rE:uygDzgr8wI0+DZ78ZuQRwpE

    Score
    10/10
    mysticredlinesmokeloadertaigaup3backdoorevasioninfostealerpersistencestealertrojan

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks