Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee

  • Size

    259KB

  • Sample

    231127-tlgy2shf98

  • MD5

    de4ccc518825994daf9f2033134ee0e0

  • SHA1

    972b5359c0c00118736eea07d006138f5e656c45

  • SHA256

    05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee

  • SHA512

    6743d6b44c3f42f072b38eabb1aa47f6755ce19ac46015b145e865adb64e1f401efe6ec213f51667167bf4d6184d5526e77a1484f1a11b830687547f2a80bbb5

  • SSDEEP

    6144:A0gegUj4MOqapvZHK+0pwx0zRxDTJCOCFPp:AM9jOqaJZHKEgxDFYtp

Score
10/10
redlinesmokeloaderxmriglogsdiller cloud (bot: @logsdillabot)pub1summbackdoorevasioninfostealerminerpersistencespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

C2

95.214.26.17:24714

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Botnet

pub1

Targets

    • Target

      05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee

    • Size

      259KB

    • MD5

      de4ccc518825994daf9f2033134ee0e0

    • SHA1

      972b5359c0c00118736eea07d006138f5e656c45

    • SHA256

      05b9a94a8637357b01e46221ae85512910df3868987c9a893fb2e480d60681ee

    • SHA512

      6743d6b44c3f42f072b38eabb1aa47f6755ce19ac46015b145e865adb64e1f401efe6ec213f51667167bf4d6184d5526e77a1484f1a11b830687547f2a80bbb5

    • SSDEEP

      6144:A0gegUj4MOqapvZHK+0pwx0zRxDTJCOCFPp:AM9jOqaJZHKEgxDFYtp

    Score
    10/10
    redlinesmokeloaderxmriglogsdiller cloud (bot: @logsdillabot)pub1summbackdoorevasioninfostealerminerpersistencespywarestealerthemidatrojanupx

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks