Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7e72da72067790a21be98ff4d92cac2af99dcec2ffe810c19743a004fd36c877

  • Size

    1.7MB

  • Sample

    231129-r1syraha9y

  • MD5

    f93d2c6a98bf005e0c96fceda1e67a0c

  • SHA1

    0714a8778cfc99aa77c07e8ff30f277462ebfea8

  • SHA256

    7e72da72067790a21be98ff4d92cac2af99dcec2ffe810c19743a004fd36c877

  • SHA512

    41d263149ab868c13fa8ef705ef6ad2f6545ec10ab17ed54c1a37553437dd999e6670e2cbfad09391183ab7c85830173cbbc0cd7b74a5e355f8af263517d5fc7

  • SSDEEP

    24576:dykM1+u3D4L8AGdTk/6qBbcVx4/h4rensM2+zhsujFY55H33vjciwLvv9qzsDZ:4kFeDU8/k/6qBo4/h4isFVuqBwr0

Score
10/10
privateloaderredlineriseprosmokeloaderzgrat@ytlogsbothordalivetrafficup3backdoorgooglepaypalevasioninfostealerloaderpersistencephishingratstealertrojan

Malware Config

Extracted

Family

risepro

C2

194.49.94.152

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

smokeloader

Version

2022

C2

http://194.49.94.210/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

C2

195.10.205.16:2245

Targets

    • Target

      7e72da72067790a21be98ff4d92cac2af99dcec2ffe810c19743a004fd36c877

    • Size

      1.7MB

    • MD5

      f93d2c6a98bf005e0c96fceda1e67a0c

    • SHA1

      0714a8778cfc99aa77c07e8ff30f277462ebfea8

    • SHA256

      7e72da72067790a21be98ff4d92cac2af99dcec2ffe810c19743a004fd36c877

    • SHA512

      41d263149ab868c13fa8ef705ef6ad2f6545ec10ab17ed54c1a37553437dd999e6670e2cbfad09391183ab7c85830173cbbc0cd7b74a5e355f8af263517d5fc7

    • SSDEEP

      24576:dykM1+u3D4L8AGdTk/6qBbcVx4/h4rensM2+zhsujFY55H33vjciwLvv9qzsDZ:4kFeDU8/k/6qBo4/h4isFVuqBwr0

    Score
    10/10
    privateloaderredlineriseprosmokeloaderzgrat@ytlogsbothordalivetrafficup3backdoorgooglepaypalevasioninfostealerloaderpersistencephishingratstealertrojan

    • Detect ZGRat V1

    • Detected google phishing page

      phishinggoogle

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

      phishingpaypal

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks