General

  • Target

    5c9b5107620451274bb07fbe4536032a0d708e84108c29134577330400fe19a3

  • Size

    321KB

  • Sample

    221102-vcxtkschbr

  • MD5

    c211703567f324a3307f54e0e0d6e16e

  • SHA1

    48192cb9c60c3e1a5c76a233efff568b2b00928c

  • SHA256

    5c9b5107620451274bb07fbe4536032a0d708e84108c29134577330400fe19a3

  • SHA512

    724e01eed0edc233108dbad96537db05fd711aa833684aae22e4cf24a091aa6eeb8b2e139bfc7da59c76020e703bf8371630b6895f219bc4587996c0559d57e2

  • SSDEEP

    3072:BUj8KA7oSofER45xlIqa09lnFNQbyoNLJlbxPPfNyDxIX34VggjcGkNIVqI/F:Kj8KUgqWWqa09lobyoDflX3U7ITsq

Malware Config

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Detect Amadey credential stealer module

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks