Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    210s
  • max time network
    230s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 10:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe

  • Size

    209KB

  • MD5

    9a557c8759ef2110b4fb56daf43a9376

  • SHA1

    178ec11e910999d49f0c51e47ae25c3f60f327e2

  • SHA256

    8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966

  • SHA512

    ecf57244634a298de0fecf9765ef15d344ddd87d203e2df742d4cbed0e48c4a9d238b0be7e7ed8d9061a8822706846d7d29029e93fabfd604866bfbbf4f4643a

  • SSDEEP

    6144:VLwQ3tESz48VdfPSqnk7e7d/+qvedJe8:VX2SzFVdf6qkkd/zmbe

Score
10/10
amadeylaplascollectionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 2 IoCs
  • Laplas Clipper

    Laplas is a crypto wallet stealer with two variants written in Golang and C#.

    stealerlaplas
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe
    "C:\Users\Admin\AppData\Local\Temp\8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:760
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_win_path
        PID:3208
      • C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
        "C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe"
        3⤵
        • Executes dropped EXE
        PID:2224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 904
      2⤵
      • Program crash
      PID:4320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2320 -ip 2320
    1⤵
      PID:3644
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      1⤵
      • Executes dropped EXE
      PID:2504
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 420
        2⤵
        • Program crash
        PID:3508
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2504 -ip 2504
      1⤵
        PID:4580
      • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
        C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
        1⤵
        • Executes dropped EXE
        PID:1916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 420
          2⤵
          • Program crash
          PID:3512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1916 -ip 1916
        1⤵
          PID:648

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
          Filesize

          2.2MB

          MD5

          08f22a3693c2368a29dff26e7246b74a

          SHA1

          f7100b6e13c67ef57c9b8c841fb12ea3668b1cfd

          SHA256

          a3bde8f159c8b68f5b84249258ff3bf4bc6594820bf25a053e4b61eb913aebd1

          SHA512

          6b651b6e2265da83d4c38c5d4f2006f01ebfd298a89746104bd1982908bfc8b4023cbe121d72fc253c949924ecff404a66b42deed6cc7e0efc2dc0964d59ee69

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
          Filesize

          2.2MB

          MD5

          08f22a3693c2368a29dff26e7246b74a

          SHA1

          f7100b6e13c67ef57c9b8c841fb12ea3668b1cfd

          SHA256

          a3bde8f159c8b68f5b84249258ff3bf4bc6594820bf25a053e4b61eb913aebd1

          SHA512

          6b651b6e2265da83d4c38c5d4f2006f01ebfd298a89746104bd1982908bfc8b4023cbe121d72fc253c949924ecff404a66b42deed6cc7e0efc2dc0964d59ee69

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
          Filesize

          209KB

          MD5

          9a557c8759ef2110b4fb56daf43a9376

          SHA1

          178ec11e910999d49f0c51e47ae25c3f60f327e2

          SHA256

          8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966

          SHA512

          ecf57244634a298de0fecf9765ef15d344ddd87d203e2df742d4cbed0e48c4a9d238b0be7e7ed8d9061a8822706846d7d29029e93fabfd604866bfbbf4f4643a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
          Filesize

          209KB

          MD5

          9a557c8759ef2110b4fb56daf43a9376

          SHA1

          178ec11e910999d49f0c51e47ae25c3f60f327e2

          SHA256

          8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966

          SHA512

          ecf57244634a298de0fecf9765ef15d344ddd87d203e2df742d4cbed0e48c4a9d238b0be7e7ed8d9061a8822706846d7d29029e93fabfd604866bfbbf4f4643a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
          Filesize

          209KB

          MD5

          9a557c8759ef2110b4fb56daf43a9376

          SHA1

          178ec11e910999d49f0c51e47ae25c3f60f327e2

          SHA256

          8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966

          SHA512

          ecf57244634a298de0fecf9765ef15d344ddd87d203e2df742d4cbed0e48c4a9d238b0be7e7ed8d9061a8822706846d7d29029e93fabfd604866bfbbf4f4643a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
          Filesize

          209KB

          MD5

          9a557c8759ef2110b4fb56daf43a9376

          SHA1

          178ec11e910999d49f0c51e47ae25c3f60f327e2

          SHA256

          8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966

          SHA512

          ecf57244634a298de0fecf9765ef15d344ddd87d203e2df742d4cbed0e48c4a9d238b0be7e7ed8d9061a8822706846d7d29029e93fabfd604866bfbbf4f4643a

          Download Submit
        • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
          Filesize

          126KB

          MD5

          674cec24e36e0dfaec6290db96dda86e

          SHA1

          581e3a7a541cc04641e751fc850d92e07236681f

          SHA256

          de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

          SHA512

          6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

          Download Submit
        • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
          Filesize

          126KB

          MD5

          674cec24e36e0dfaec6290db96dda86e

          SHA1

          581e3a7a541cc04641e751fc850d92e07236681f

          SHA256

          de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

          SHA512

          6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

          Download Submit
        • memory/760-139-0x0000000000000000-mapping.dmp
          Download
        • memory/1916-153-0x000000000056F000-0x000000000058E000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1916-161-0x000000000056F000-0x000000000058E000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1916-156-0x0000000000400000-0x000000000046A000-memory.dmp
          Filesize

          424KB

          Download
        • memory/2224-158-0x00000000024E1000-0x0000000002700000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/2224-154-0x0000000000000000-mapping.dmp
          Download
        • memory/2224-162-0x0000000000400000-0x00000000008CB000-memory.dmp
          Filesize

          4.8MB

          Download
        • memory/2224-160-0x0000000000400000-0x00000000008CB000-memory.dmp
          Filesize

          4.8MB

          Download
        • memory/2224-159-0x0000000002710000-0x0000000002BA9000-memory.dmp
          Filesize

          4.6MB

          Download
        • memory/2320-148-0x000000000077D000-0x000000000079C000-memory.dmp
          Filesize

          124KB

          Download
        • memory/2320-133-0x00000000005B0000-0x00000000005EE000-memory.dmp
          Filesize

          248KB

          Download
        • memory/2320-138-0x000000000077D000-0x000000000079C000-memory.dmp
          Filesize

          124KB

          Download
        • memory/2320-134-0x0000000000400000-0x000000000046A000-memory.dmp
          Filesize

          424KB

          Download
        • memory/2320-132-0x000000000077D000-0x000000000079C000-memory.dmp
          Filesize

          124KB

          Download
        • memory/2320-143-0x0000000000400000-0x000000000046A000-memory.dmp
          Filesize

          424KB

          Download
        • memory/2504-147-0x0000000000400000-0x000000000046A000-memory.dmp
          Filesize

          424KB

          Download
        • memory/2504-146-0x000000000065F000-0x000000000067E000-memory.dmp
          Filesize

          124KB

          Download
        • memory/3208-149-0x0000000000000000-mapping.dmp
          Download
        • memory/3760-135-0x0000000000000000-mapping.dmp
          Download
        • memory/3760-140-0x00000000004CC000-0x00000000004EB000-memory.dmp
          Filesize

          124KB

          Download
        • memory/3760-142-0x0000000000400000-0x000000000046A000-memory.dmp
          Filesize

          424KB

          Download
        • memory/3760-141-0x0000000001F90000-0x0000000001FCE000-memory.dmp
          Filesize

          248KB

          Download
        • memory/3760-144-0x0000000000400000-0x000000000046A000-memory.dmp
          Filesize

          424KB

          Download