Overview

overview

10

Static

static

10

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a

  • Size

    235KB

  • Sample

    221223-sa6btsgf26

  • MD5

    15f57d45fe2a1e8da248cf9b3723d775

  • SHA1

    aafb9168ed62dc2ebeeb8428c3a39a6525142f6c

  • SHA256

    bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a

  • SHA512

    aa0dea76d7677aa5773d1e0bf1ef8d297f8f30437318ebb13e5ca3fc029be758c9799004c5c6331aee68167e3b38796f572a4394f03eeb2023cf8a085efb1174

  • SSDEEP

    6144:okwjBO99g6779r0psUhmiIuVyD2NgOJgN:VTrOh2uVyCN3S

Score
10/10
amadeychinese_generic_botnetredlineremcosrhadamanthyssmokeloader12-22-22installsinstalls1installs2backdoorbootkitbotnetcollectiondiscoveryevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.63

C2

62.204.41.182/g9TTnd3bS/index.php

Extracted

Language
ps1
Source
URLs
exe.dropper

https://cdn.discordapp.com/attachments/1049569242455998544/1049862157858242560/string4633.err

Extracted

Language
ps1
Source
URLs
exe.dropper

https://cdn.discordapp.com/attachments/1049569242455998544/1049862157594021948/string792.err

Extracted

Family

amadey

Version

3.60

C2

193.42.33.28/game0ver/index.php

Extracted

Family

redline

Botnet

Installs2

C2

89.23.96.2:7253

Attributes
  • auth_value

    d1c0296fa519fe99ab9b066aba8fe5ce

Extracted

Family

remcos

Botnet

12-22-22

C2

194.180.48.225:1024

Attributes
  • audio_folder

    iujhgv

  • audio_path

    %Temp%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    lkjhg.exe

  • copy_folder

    sdfghjk

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    oijkhb.dat

  • keylog_flag

    false

  • keylog_folder

    hgfds

  • keylog_path

    %WinDir%

  • mouse_option

    false

  • mutex

    yuhgfd-9Z85LD

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    lkjhg

  • screenshot_path

    %AppData%

  • screenshot_time

    5

  • startup_value

    ijhgf

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    bank

Extracted

Family

redline

Botnet

installs

C2

89.23.96.2:7253

Attributes
  • auth_value

    8d4428f372143572364f044ea9649d7f

Extracted

Family

redline

Botnet

installs1

C2

89.23.96.2:7253

Attributes
  • auth_value

    fb538922d8f77f00fb6c39f8066af176

Targets

    • Target

      bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a

    • Size

      235KB

    • MD5

      15f57d45fe2a1e8da248cf9b3723d775

    • SHA1

      aafb9168ed62dc2ebeeb8428c3a39a6525142f6c

    • SHA256

      bc73998864190a9562a117c1e4587cc39de1bc1017b369f4aa0c736cd39b353a

    • SHA512

      aa0dea76d7677aa5773d1e0bf1ef8d297f8f30437318ebb13e5ca3fc029be758c9799004c5c6331aee68167e3b38796f572a4394f03eeb2023cf8a085efb1174

    • SSDEEP

      6144:okwjBO99g6779r0psUhmiIuVyD2NgOJgN:VTrOh2uVyCN3S

    Score
    10/10
    amadeychinese_generic_botnetredlineremcosrhadamanthyssmokeloader12-22-22installsinstalls1installs2backdoorbootkitbotnetcollectiondiscoveryevasioninfostealerpersistenceratspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Amadey credential stealer module

    • Detect rhadamanthys stealer shellcode

    • Detects Smokeloader packer

    • Generic Chinese Botnet

      A botnet originating from China which is currently unnamed publicly.

      botnetchinese_generic_botnet

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • UAC bypass

      evasiontrojan

    • Chinese Botnet payload

      botnet

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks