Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

  • Size

    152KB

  • Sample

    220217-m3t7dabad8

  • MD5

    68658cac51a3ee725891799aac339613

  • SHA1

    8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

  • SHA256

    e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

  • SHA512

    231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

Score
10/10
onlyloggersocelarsevasionloaderspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

socelars

C2

https://dhner.s3.ap-southeast-2.amazonaws.com/eyxjet/

Targets

    • Target

      e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

    • Size

      152KB

    • MD5

      68658cac51a3ee725891799aac339613

    • SHA1

      8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f

    • SHA256

      e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

    • SHA512

      231a5517b22101dfd33295f294cedf32626a8586d1fa762cae783d779e551a3dfe5a6f972184ebcc1a832783b4fd51ce57965aee50d089a9c6e6e1256e2a9a63

    Score
    10/10
    onlyloggersocelarsevasionloaderspywarestealerthemidatrojanupx

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • OnlyLogger Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks