Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    be5474d737b94c741ce76684b75845789e955ed8e12fbc0da8c54a61ebb04d4e

  • Size

    242KB

  • Sample

    221025-nb75laceak

  • MD5

    a67442221d98483f413b98d68212f0c2

  • SHA1

    338245e81e18be00054f7e54b50991b14111cc54

  • SHA256

    be5474d737b94c741ce76684b75845789e955ed8e12fbc0da8c54a61ebb04d4e

  • SHA512

    e1d50612556f500d2f161979dd62487e83e19f8c474907f6dd6463bf09d044f954e432da17accde4a93e8b8d00a2cd11214674fb09c949d427f73ef685019a5c

  • SSDEEP

    3072:OXsjgcJLEgEug/8dX5OGO6GeLd+b7+L35y2FnTT43MWboO:WncJLe/8eGfJvL35PFTTMoO

Score
10/10
danabotnymaimsmokeloadervidar324937backdoorbankerbootkitdiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

vidar

Version

55.2

Botnet

324

C2

https://t.me/slivetalks

https://c.im/@xinibin420
Attributes
  • profile_id

    324

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535
Attributes
  • embedded_hash

    569235DCA8F16ED8310BBACCB674F896

  • type

    loader

Extracted

Family

vidar

Version

55.2

Botnet

937

C2

https://t.me/slivetalks

https://c.im/@xinibin420
Attributes
  • profile_id

    937

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Targets

    • Target

      be5474d737b94c741ce76684b75845789e955ed8e12fbc0da8c54a61ebb04d4e

    • Size

      242KB

    • MD5

      a67442221d98483f413b98d68212f0c2

    • SHA1

      338245e81e18be00054f7e54b50991b14111cc54

    • SHA256

      be5474d737b94c741ce76684b75845789e955ed8e12fbc0da8c54a61ebb04d4e

    • SHA512

      e1d50612556f500d2f161979dd62487e83e19f8c474907f6dd6463bf09d044f954e432da17accde4a93e8b8d00a2cd11214674fb09c949d427f73ef685019a5c

    • SSDEEP

      3072:OXsjgcJLEgEug/8dX5OGO6GeLd+b7+L35y2FnTT43MWboO:WncJLe/8eGfJvL35PFTTMoO

    Score
    10/10
    danabotnymaimsmokeloadervidar324937backdoorbankerbootkitdiscoverypersistencespywarestealertrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Detects Smokeloader packer

    • NyMaim

      NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

      trojannymaim

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks