General

  • Target

    42230b48233fc426941264b26d0c74bca4d67e9fa0ace03e5f691c1160db3909

  • Size

    250KB

  • Sample

    220120-qd2rpsabbn

  • MD5

    ada89e9ff0f024e9071f58cb843b4505

  • SHA1

    9f1581a3345ce6ec96aa642c9c0c2cae8d9b79fe

  • SHA256

    42230b48233fc426941264b26d0c74bca4d67e9fa0ace03e5f691c1160db3909

  • SHA512

    209135a5d1254758d85c1203b4d922d22d9548892a3613da4e0ae89c530ac804ba0e71b24fb456c90576619b1fb343cf933acec855ad1d3faa5114de3deda3d8

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

rc4.i32
rc4.i32
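The two rc4.i32 fields above are the 32-bit RC4 keys the extractor recovered from this SmokeLoader build (values withheld on this page). What follows is an added example, not code from the report or from the sandbox: it shows how a C2 list encrypted with such a 4-byte key is recovered, and the cheap plausibility check used when a candidate key has to be validated. The key value, the container layout (count byte, then length-prefixed entries) and the blob are constructed for illustration and are not the sample's real layout or key; the five URLs are the ones listed above.

```python
# Added example: RC4 recovery of a SmokeLoader-style C2 table keyed by a 32-bit value.
# Key, blob and container layout are CONSTRUCTED for illustration; the report does
# not disclose this sample's real keys or its on-disk layout.
from typing import List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_i32(value: int) -> bytes:
    """A 32-bit key as printed by a config extractor becomes 4 little-endian key bytes."""
    return value.to_bytes(4, "little")


def pack_c2_table(key: int, urls: List[str]) -> bytes:
    """Constructed container: [count][len][rc4(url)] repeated. Used only to build test data."""
    k = key_from_i32(key)
    out = bytearray([len(urls)])
    for u in urls:
        ct = rc4(k, u.encode("ascii"))
        out.append(len(ct))
        out += ct
    return bytes(out)


def unpack_c2_table(key: int, blob: bytes) -> List[str]:
    """Walk the constructed container and decrypt every entry with the same key."""
    k = key_from_i32(key)
    count, pos, urls = blob[0], 1, []
    for _ in range(count):
        ln = blob[pos]
        pos += 1
        urls.append(rc4(k, blob[pos:pos + ln]).decode("ascii"))
        pos += ln
    return urls


def key_is_plausible(key: int, blob: bytes) -> bool:
    """Sanity check for a candidate key: the first entry must decrypt to something URL-like.
    This is the test one runs when brute-forcing or validating a 32-bit key."""
    first_len = blob[1]
    return rc4(key_from_i32(key), blob[2:2 + first_len]).startswith(b"http")


# Constructed key (NOT the sample's) and the C2 URLs listed in the report above.
CONSTRUCTED_KEY = 0x5EED1234
REPORT_C2 = [
    "http://abpa.at/upload/",
    "http://emaratghajari.com/upload/",
    "http://d7qw.cn/upload/",
    "http://alumik-group.ru/upload/",
    "http://zamkikurgan.ru/upload/",
]
CONSTRUCTED_BLOB = pack_c2_table(CONSTRUCTED_KEY, REPORT_C2)


def recover_c2(key: int = CONSTRUCTED_KEY, blob: bytes = CONSTRUCTED_BLOB) -> List[str]:
    """Decrypt the constructed table; returns the five URLs from the report."""
    return unpack_c2_table(key, blob)


if __name__ == "__main__":
    for url in recover_c2():
        print(url)
```

Because RC4 is a stream cipher with no integrity check, a wrong key never fails loudly; it just yields noise, which is why the startswith(b"http") check (or an equivalent printable-ASCII test) is part of any key-recovery loop.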

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

Venom Clients

C2

127.0.0.1:4449

91.92.136.123:4449

Mutex

Venom_RAT_Mutex_Venom_RAT

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    0

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain
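The two configs above give concrete indicators: five SmokeLoader URLs (all POSTing to /upload/) and two AsyncRAT/VenomRAT sockets on port 4449, one of which is 127.0.0.1 and is a builder placeholder rather than a reachable C2. The following is an added example, not part of the report, that turns those indicators into a matcher and runs it over a handful of constructed proxy/flow lines. The log format (timestamp, source IP, destination host, destination port, method or protocol, URL or "-") is an assumption made for the example.

```python
# Added example: match the extracted C2 indicators against constructed log lines.
# The log format and the log lines are CONSTRUCTED; nothing here is real telemetry.
import ipaddress
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Indicators as listed in the report above.
SMOKELOADER_C2 = [
    "http://abpa.at/upload/",
    "http://emaratghajari.com/upload/",
    "http://d7qw.cn/upload/",
    "http://alumik-group.ru/upload/",
    "http://zamkikurgan.ru/upload/",
]
ASYNCRAT_C2 = ["127.0.0.1:4449", "91.92.136.123:4449"]

# Constructed lines: <timestamp> <src_ip> <dst_host> <dst_port> <method_or_proto> <url_or_->
SAMPLE_LOG = """\
2022-01-20T09:14:01Z 10.0.0.5 abpa.at 80 POST http://abpa.at/upload/
2022-01-20T09:14:02Z 10.0.0.5 www.example.com 443 GET https://www.example.com/
2022-01-20T09:14:30Z 10.0.0.7 91.92.136.123 4449 TCP -
2022-01-20T09:14:31Z 10.0.0.7 127.0.0.1 4449 TCP -
2022-01-20T09:15:00Z 10.0.0.9 d7qw.cn 80 GET http://d7qw.cn/favicon.ico
""".splitlines()


def _is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # a hostname, not an IP literal
        return host.lower() == "localhost"


def build_indicators(urls: List[str], sockets: List[str]) -> Tuple[Dict[str, str], Set[Tuple[str, int]]]:
    """Return {host: expected_path} for the HTTP C2s and {(host, port)} for the raw sockets.
    Loopback sockets are dropped: they are config placeholders and only produce noise."""
    hosts: Dict[str, str] = {}
    for u in urls:
        parts = urlsplit(u)
        hosts[parts.hostname.lower()] = parts.path
    socks: Set[Tuple[str, int]] = set()
    for s in sockets:
        host, port = s.rsplit(":", 1)
        if _is_loopback(host):
            continue
        socks.add((host.lower(), int(port)))
    return hosts, socks


def scan(lines: List[str], hosts: Dict[str, str], socks: Set[Tuple[str, int]]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, src_ip, reason, severity) for every line touching an indicator.
    A POST to the exact C2 path is rated high; any other contact with the host is medium."""
    hits = []
    for line in lines:
        ts, src, dst, port, method, url = line.split()
        dst = dst.lower()
        if dst in hosts:
            path = urlsplit(url).path if url != "-" else ""
            severity = "high" if (method == "POST" and path == hosts[dst]) else "medium"
            hits.append((ts, src, f"smokeloader c2 host {dst}", severity))
        elif (dst, int(port)) in socks:
            hits.append((ts, src, f"asyncrat/venomrat c2 socket {dst}:{port}", "high"))
    return hits


def run_example() -> List[Tuple[str, str, str, str]]:
    hosts, socks = build_indicators(SMOKELOADER_C2, ASYNCRAT_C2)
    return scan(SAMPLE_LOG, hosts, socks)


if __name__ == "__main__":
    for hit in run_example():
        print(hit)
```

Of the five constructed lines, three fire: the POST to abpa.at/upload/ (high), the socket to 91.92.136.123:4449 (high) and the GET to d7qw.cn (medium, since the request does not match the SmokeLoader check-in path). The 127.0.0.1:4449 line is deliberately ignored.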

Targets

    • Target

      42230b48233fc426941264b26d0c74bca4d67e9fa0ace03e5f691c1160db3909

    • Size

      250KB

    • MD5

      ada89e9ff0f024e9071f58cb843b4505

    • SHA1

      9f1581a3345ce6ec96aa642c9c0c2cae8d9b79fe

    • SHA256

      42230b48233fc426941264b26d0c74bca4d67e9fa0ace03e5f691c1160db3909

    • SHA512

      209135a5d1254758d85c1203b4d922d22d9548892a3613da4e0ae89c530ac804ba0e71b24fb456c90576619b1fb343cf933acec855ad1d3faa5114de3deda3d8

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Async RAT payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 match

  • Defense Evasion: Modify Registry (T1112), 1 match

  • Discovery: System Information Discovery (T1082), 2 matches

  • Discovery: Query Registry (T1012), 1 match

  • Discovery: Peripheral Device Discovery (T1120), 1 match

  • Discovery: Remote System Discovery (T1018), 1 match

Note: the IDs follow ATT&CK v6. T1060 was retired in later ATT&CK releases and now maps to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
