Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    c5662cc5d31be06451276c30e7ddd8679b972dba34ba4323c28d60a446d9fce2

  • Size

    334KB

  • Sample

    231211-fdzx1adbgm

  • MD5

    075b6bf79f836c463d911069d68cea10

  • SHA1

    cd1dbf5f0abb23e5933bc075d6994b5166cd65f5

  • SHA256

    c5662cc5d31be06451276c30e7ddd8679b972dba34ba4323c28d60a446d9fce2

  • SHA512

    7544b23e50c9a73babdf585f85a32d313d26593683d832ca1a65cff740e7669633d493aaf0039188f5cb2b1f7336ce3a1cb6a07b5d175c5fcaba4ced973ead54

  • SSDEEP

    3072:L/ZzINX6KfHdRBXL15tnZhkgsE8J8khYf2pK3MLZQyNPrE+7bTNH9e:jFIvNXZ5tn0gmPQKK3MxNPr

Score
10/10
gluptebaredlinesmokeloaderxmriglogsdiller cloud (bot: @logsdillabot)pub1backdoordropperevasioninfostealerloaderminerpersistencethemidatrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

C2

45.15.156.187:23929

Extracted

Family

smokeloader

Botnet

pub1

Targets

    • Target

      c5662cc5d31be06451276c30e7ddd8679b972dba34ba4323c28d60a446d9fce2

    • Size

      334KB

    • MD5

      075b6bf79f836c463d911069d68cea10

    • SHA1

      cd1dbf5f0abb23e5933bc075d6994b5166cd65f5

    • SHA256

      c5662cc5d31be06451276c30e7ddd8679b972dba34ba4323c28d60a446d9fce2

    • SHA512

      7544b23e50c9a73babdf585f85a32d313d26593683d832ca1a65cff740e7669633d493aaf0039188f5cb2b1f7336ce3a1cb6a07b5d175c5fcaba4ced973ead54

    • SSDEEP

      3072:L/ZzINX6KfHdRBXL15tnZhkgsE8J8khYf2pK3MLZQyNPrE+7bTNH9e:jFIvNXZ5tn0gmPQKK3MxNPr

    Score
    10/10
    gluptebaredlinesmokeloaderxmriglogsdiller cloud (bot: @logsdillabot)pub1backdoordropperevasioninfostealerloaderminerpersistencethemidatrojanupx

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks