Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    2676151be486236d8c0b11a106a578a7181c58093f74f9fb56f99d3d4a4d8df4

  • Size

    2.4MB

  • Sample

    231212-bf8wgaccel

  • MD5

    bc24ff3e9fddcacebcb1eb827166c041

  • SHA1

    7d29b0d92e4f1c56837f2d0b8c96c0c126dc7f30

  • SHA256

    2676151be486236d8c0b11a106a578a7181c58093f74f9fb56f99d3d4a4d8df4

  • SHA512

    8bbd0cd274b8f0af438cf0f0e41334757b7d93c34d64b4a48eb15632ec440bcfccd893709a8b468c871a40ca5da1cdebe6c760ac5039bd2cbfa9fe8777622734

  • SSDEEP

    49152:lY77g6Es54c4YOgRIPyBzkQPxtTw/tE797qkIKi9:yg6Es5AcWKbPxtctEB7qAi

Score
10/10
privateloaderredlineriseprosmokeloader@oleh_pslivetrafficup3backdoorcollectiondiscoveryevasioninfostealerloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:17066

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Targets

    • Target

      2676151be486236d8c0b11a106a578a7181c58093f74f9fb56f99d3d4a4d8df4

    • Size

      2.4MB

    • MD5

      bc24ff3e9fddcacebcb1eb827166c041

    • SHA1

      7d29b0d92e4f1c56837f2d0b8c96c0c126dc7f30

    • SHA256

      2676151be486236d8c0b11a106a578a7181c58093f74f9fb56f99d3d4a4d8df4

    • SHA512

      8bbd0cd274b8f0af438cf0f0e41334757b7d93c34d64b4a48eb15632ec440bcfccd893709a8b468c871a40ca5da1cdebe6c760ac5039bd2cbfa9fe8777622734

    • SSDEEP

      49152:lY77g6Es54c4YOgRIPyBzkQPxtTw/tE797qkIKi9:yg6Es5AcWKbPxtctEB7qAi

    Score
    10/10
    privateloaderredlineriseprosmokeloader@oleh_pslivetrafficup3backdoorcollectiondiscoveryevasioninfostealerloaderpersistencespywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

4
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks