Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3858383e03ee59f69562cd229c2f02ef94c202bb75917d623c09dfb14222854d

  • Size

    256KB

  • Sample

    231127-yea95sce2y

  • MD5

    f78fbd3fda50516bdc97e0c0b7e4ec52

  • SHA1

    8d3ac350cbee0b39ddca8f092be5ebf2de27bb97

  • SHA256

    3858383e03ee59f69562cd229c2f02ef94c202bb75917d623c09dfb14222854d

  • SHA512

    7df2785b263011e1a2b3ffe672c17a6ae856c51a7bdd3c667dc12565e74cdf721d088fa58bc3423375dffdd2efcddbe98fdf348b0ef9528aa7e0442285686e59

  • SSDEEP

    3072:ubF+w+LSzAwS++ntEFCQtPKoyvAoLPEnyi1VV3HH/sCliGo6Yis2W+grX:UFWSz/7+tOCRoZ+mycz/viP7I3s

Score
10/10
redlinesmokeloaderlogsdiller cloud (bot: @logsdillabot)pub1summbackdoorcollectiondiscoveryevasioninfostealerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

C2

95.214.26.17:24714

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Botnet

pub1

Targets

    • Target

      3858383e03ee59f69562cd229c2f02ef94c202bb75917d623c09dfb14222854d

    • Size

      256KB

    • MD5

      f78fbd3fda50516bdc97e0c0b7e4ec52

    • SHA1

      8d3ac350cbee0b39ddca8f092be5ebf2de27bb97

    • SHA256

      3858383e03ee59f69562cd229c2f02ef94c202bb75917d623c09dfb14222854d

    • SHA512

      7df2785b263011e1a2b3ffe672c17a6ae856c51a7bdd3c667dc12565e74cdf721d088fa58bc3423375dffdd2efcddbe98fdf348b0ef9528aa7e0442285686e59

    • SSDEEP

      3072:ubF+w+LSzAwS++ntEFCQtPKoyvAoLPEnyi1VV3HH/sCliGo6Yis2W+grX:UFWSz/7+tOCRoZ+mycz/viP7I3s

    Score
    10/10
    redlinesmokeloaderlogsdiller cloud (bot: @logsdillabot)pub1summbackdoorcollectiondiscoveryevasioninfostealerpersistencespywarestealerthemidatrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks