General

  • Target

    a1ad019a246135df45b5a99c2bc3ae67799629d6badacb508536dccff3059f79

  • Size

    288KB

  • Sample

    220912-g6fkhagdhp

  • MD5

    ce29be61700fab69db5ab7d660a07794

  • SHA1

    ed402bdcaa0f4c72a7552462c14479319ad4cc68

  • SHA256

    a1ad019a246135df45b5a99c2bc3ae67799629d6badacb508536dccff3059f79

  • SHA512

    56a885b829bb95d4cf3f3623707f72c266054e3fd85d48f7317c8ad4e526f53185a55dc9ad1e2c7bce1c26f11da23bbfb913658281d44e5905a641fac6eae81e

  • SSDEEP

    6144:xWb83o71aKdG9Xj/nlOHn9ZXd/jwGTxzmWQPuTmS:x7u1avdj/nlOHn/d/MibQPh

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://microsoftdownload.ddns.net:8808/downloader/WinSecurityUpdate

Extracted

  • Family

    icexloader

  • C2

    http://microsoftdownload.ddns.net:8808/Server/Script.php

Extracted

  • Family

    quasar

  • Version

    2.7.0.0

  • Botnet

    2CCA

  • C2

    thisisfakeih2d.ddns.net:4545

  • Mutex

    GXLGIiyQp5wWhAjcFv

  • Attributes
  • encryption_key

    JsEHaZbfJjURZfPkp9qk

  • install_name

    face.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Client

Targets

    • Target

      a1ad019a246135df45b5a99c2bc3ae67799629d6badacb508536dccff3059f79

    • Size

      288KB

    • MD5

      ce29be61700fab69db5ab7d660a07794

    • SHA1

      ed402bdcaa0f4c72a7552462c14479319ad4cc68

    • SHA256

      a1ad019a246135df45b5a99c2bc3ae67799629d6badacb508536dccff3059f79

    • SHA512

      56a885b829bb95d4cf3f3623707f72c266054e3fd85d48f7317c8ad4e526f53185a55dc9ad1e2c7bce1c26f11da23bbfb913658281d44e5905a641fac6eae81e

    • SSDEEP

      6144:xWb83o71aKdG9Xj/nlOHn9ZXd/jwGTxzmWQPuTmS:x7u1avdj/nlOHn/d/MibQPh

    • Detects IceXLoader v3.0

    • Detects Smokeloader packer

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • icexloader

      IceXLoader is a downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                      Count  ID
  Discovery            System Information Discovery   2      T1082
  Discovery            Query Registry                 1      T1012
  Discovery            Peripheral Device Discovery    1      T1120
  Discovery            Remote System Discovery        1      T1018
  Command and Control  Web Service                    1      T1102

Tasks