Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    acf2a71cba2dc40faf0c8a9a63189beb1cfd5a3601a202b02101cd7b69ec34e8

  • Size

    28KB

  • Sample

    220707-f52wnsfgh7

  • MD5

    0900fded4335b644fc5a6064236a2050

  • SHA1

    546e9292879e58e98af15fa56468a3f051e71ab9

  • SHA256

    acf2a71cba2dc40faf0c8a9a63189beb1cfd5a3601a202b02101cd7b69ec34e8

  • SHA512

    237a98edbaaa5dd7d908dc289bf69b5ea9b8a6262142d5dc511547f15590d0481f5d4eadd59afeea488765239a07f24a9bca45112104fd36208d5f9ef13cf931

Score
10/10
asyncratdefaultevasionratspywarestealersuricataupxvmprotect

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

7.tcp.eu.ngrok.io:12728

Mutex

whrjiouwrhjnwui

Attributes
  • delay

    1

  • install

    true

  • install_file

    MsEdge.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      acf2a71cba2dc40faf0c8a9a63189beb1cfd5a3601a202b02101cd7b69ec34e8

    • Size

      28KB

    • MD5

      0900fded4335b644fc5a6064236a2050

    • SHA1

      546e9292879e58e98af15fa56468a3f051e71ab9

    • SHA256

      acf2a71cba2dc40faf0c8a9a63189beb1cfd5a3601a202b02101cd7b69ec34e8

    • SHA512

      237a98edbaaa5dd7d908dc289bf69b5ea9b8a6262142d5dc511547f15590d0481f5d4eadd59afeea488765239a07f24a9bca45112104fd36208d5f9ef13cf931

    Score
    10/10
    asyncratdefaultevasionratspywarestealersuricataupxvmprotect

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

      suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

      suricata

    • Async RAT payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks