Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 08:55

General

  • Target

    e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe

  • Size

    247KB

  • MD5

    798ff0b559822277e4ac2f672152171d

  • SHA1

    10bb06bcc4d6cf3c1cce06ae178488afe4e64c51

  • SHA256

    e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b

  • SHA512

    dfe1c14446b2a52529fb5cea43967fa99cec4d91bc46afcbe536fcac3299e00c226dbb2b7df814d842c90c2c647efdd83988fa47f4fdb3edd47cd750bb18bf45

  • SSDEEP

    3072:qh2ugGVHrD61I8L5psIRuVi5DWRUoE7qN8QYUl9wcwUy8PpfnuF09BeqZFtFsGLX:C21L5pDu9RUoE7qBxkRO1numeqP9X

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

NewYear2023

C2

185.106.92.111:2510

Attributes
  • auth_value

    99e9bde3b38509ea98c3316cc27e6106

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Amadey credential stealer module 2 IoCs
  • Laplas Clipper

    Laplas is a crypto wallet stealer with two variants written in Golang and C#.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe
    "C:\Users\Admin\AppData\Local\Temp\e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:3136
      • C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
        "C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3764
      • C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
        "C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C schtasks /create /tn KaAOqfgxzZ /tr C:\Users\Admin\AppData\Roaming\KaAOqfgxzZ\JnEdxrtoRb.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4692
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn KaAOqfgxzZ /tr C:\Users\Admin\AppData\Roaming\KaAOqfgxzZ\JnEdxrtoRb.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
            5⤵
            • Creates scheduled task(s)
            PID:2132
      • C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
        "C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4208
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\System32\msiexec.exe" -y .\xZew.U
          4⤵
          • Loads dropped DLL
          PID:3128
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_win_path
        PID:4436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1136
      2⤵
      • Program crash
      PID:4796
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4368 -ip 4368
    1⤵
      PID:4836
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      1⤵
      • Executes dropped EXE
      PID:5064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 424
        2⤵
        • Program crash
        PID:2728
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5064 -ip 5064
      1⤵
        PID:1428

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Execution
      • Scheduled Task (1) T1053

      Persistence
      • Registry Run Keys / Startup Folder (1) T1060
      • Scheduled Task (1) T1053

      Privilege Escalation
      • Scheduled Task (1) T1053

      Defense Evasion
      • Modify Registry (1) T1112

      Credential Access
      • Credentials in Files (3) T1081

      Discovery
      • Query Registry (2) T1012
      • System Information Discovery (2) T1082

      Collection
      • Data from Local System (3) T1005
      • Email Collection (1) T1114

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
        Filesize

        137KB

        MD5

        c8fbf7e62159275b2d13849b26341184

        SHA1

        a1245f045d07a1edf3690b7a2e09b65036342f9a

        SHA256

        96062d8acceacfd16b85960764411640718d9bc7b56cabd43cf664d07744368a

        SHA512

        81b1c74d56900f034b7076091dbe2102b1a3434524b5c7d92e2310166bf6a059079181532db09a007207688a22e563f05d31081c509530ba122d1a385126c216

      • C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
        Filesize

        4.6MB

        MD5

        f6829a19455a7b24a79e0b984d2a42d9

        SHA1

        c71d657301d721b42c52c0252aa5fe0dbfb04f9f

        SHA256

        7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b

        SHA512

        e3d8db3d3938366e9fe8c1645647dbf29bfb5c9a6210f54bdfca05b9782f005b9b40df2a7980f160143c48139a638c5a4ff6b091d0d846a839d363eba94bce4c

      • C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
        Filesize

        1.7MB

        MD5

        ab096a32e13a22485de8e5d843bdd5e3

        SHA1

        be867d609bf8e38b9a3c6bc03f7caf16ee92bb9c

        SHA256

        364ad5d08966d3e1694054fc3ae4360dbb81e21cacebd24442b1bb37fe991558

        SHA512

        35a5b8f56047f9977747ec68cc2c97d28e8c75a9d34b8e19e080ad35939e16f9afde45ce73dbec3e97d82fb514361c854fde4d5ccd12d4d5c96c79a3a4d35966

      • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
        Filesize

        247KB

        MD5

        798ff0b559822277e4ac2f672152171d

        SHA1

        10bb06bcc4d6cf3c1cce06ae178488afe4e64c51

        SHA256

        e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b

        SHA512

        dfe1c14446b2a52529fb5cea43967fa99cec4d91bc46afcbe536fcac3299e00c226dbb2b7df814d842c90c2c647efdd83988fa47f4fdb3edd47cd750bb18bf45

      • C:\Users\Admin\AppData\Local\Temp\xZew.U
        Filesize

        2.0MB

        MD5

        25d2fc1ba77872da52162dc64c52c366

        SHA1

        dd8e82f724114c02ef59661b574edf39a13ea477

        SHA256

        29b90675adfbfe4ff879d6372c155e803acdf7bcfa0b3fa672519a8b5dd3b761

        SHA512

        016a9ec956b4a1caaadcea7c005f7174d5443fd6c03764749fba7b9f36a4d728d5197d404cb1ac7a7420cff9eea4d7319e861d2669fc33eea154d30fb93537f0

      • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
        Filesize

        126KB

        MD5

        674cec24e36e0dfaec6290db96dda86e

        SHA1

        581e3a7a541cc04641e751fc850d92e07236681f

        SHA256

        de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

        SHA512

        6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

      • memory/2132-169-0x0000000000000000-mapping.dmp
      • memory/3088-135-0x0000000000000000-mapping.dmp
      • memory/3088-140-0x0000000000400000-0x0000000000A2C000-memory.dmp
        Filesize

        6.2MB

      • memory/3088-157-0x0000000000400000-0x0000000000A2C000-memory.dmp
        Filesize

        6.2MB

      • memory/3088-139-0x0000000000A8C000-0x0000000000AAB000-memory.dmp
        Filesize

        124KB

      • memory/3088-156-0x0000000000A8C000-0x0000000000AAB000-memory.dmp
        Filesize

        124KB

      • memory/3128-171-0x0000000003200000-0x00000000032B4000-memory.dmp
        Filesize

        720KB

      • memory/3128-166-0x0000000002D30000-0x0000000002EC9000-memory.dmp
        Filesize

        1.6MB

      • memory/3128-167-0x0000000003000000-0x000000000312E000-memory.dmp
        Filesize

        1.2MB

      • memory/3128-163-0x0000000000000000-mapping.dmp
      • memory/3128-170-0x0000000003130000-0x00000000031F8000-memory.dmp
        Filesize

        800KB

      • memory/3128-174-0x0000000003000000-0x000000000312E000-memory.dmp
        Filesize

        1.2MB

      • memory/3136-141-0x0000000000000000-mapping.dmp
      • memory/3764-142-0x0000000000000000-mapping.dmp
      • memory/3764-147-0x0000000005310000-0x000000000541A000-memory.dmp
        Filesize

        1.0MB

      • memory/3764-145-0x00000000009D0000-0x00000000009F8000-memory.dmp
        Filesize

        160KB

      • memory/3764-158-0x00000000077C0000-0x0000000007982000-memory.dmp
        Filesize

        1.8MB

      • memory/3764-155-0x0000000005E30000-0x0000000005E96000-memory.dmp
        Filesize

        408KB

      • memory/3764-154-0x0000000006370000-0x0000000006914000-memory.dmp
        Filesize

        5.6MB

      • memory/3764-153-0x00000000055F0000-0x0000000005682000-memory.dmp
        Filesize

        584KB

      • memory/3764-146-0x00000000057A0000-0x0000000005DB8000-memory.dmp
        Filesize

        6.1MB

      • memory/3764-149-0x00000000052A0000-0x00000000052DC000-memory.dmp
        Filesize

        240KB

      • memory/3764-148-0x0000000005240000-0x0000000005252000-memory.dmp
        Filesize

        72KB

      • memory/3764-159-0x0000000007EC0000-0x00000000083EC000-memory.dmp
        Filesize

        5.2MB

      • memory/4208-160-0x0000000000000000-mapping.dmp
      • memory/4368-132-0x0000000000D1E000-0x0000000000D3D000-memory.dmp
        Filesize

        124KB

      • memory/4368-138-0x0000000000400000-0x0000000000A2C000-memory.dmp
        Filesize

        6.2MB

      • memory/4368-134-0x0000000000400000-0x0000000000A2C000-memory.dmp
        Filesize

        6.2MB

      • memory/4368-133-0x00000000027A0000-0x00000000027DE000-memory.dmp
        Filesize

        248KB

      • memory/4436-176-0x0000000000000000-mapping.dmp
      • memory/4692-168-0x0000000000000000-mapping.dmp
      • memory/4888-150-0x0000000000000000-mapping.dmp
      • memory/5064-179-0x0000000000D90000-0x0000000000DAF000-memory.dmp
        Filesize

        124KB

      • memory/5064-180-0x0000000000400000-0x0000000000A2C000-memory.dmp
        Filesize

        6.2MB