Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2022 20:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe

  • Size

    281KB

  • MD5

    af991d7c2db58e42549976ccb36e5cc7

  • SHA1

    748c8a3a47d7331df0fc2f25a4e891161ec11c2d

  • SHA256

    fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

  • SHA512

    d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

  • SSDEEP

    6144:hYPLCzXNHJFXbYGq2x5whJ4X5R158YXeIeYC8o13azHk5o:hg2zXHFXEGqAwhaXXXXeZaQ

Score
10/10
amadeycollectionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.61

C2

62.204.41.79/U7vfDb3kg/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe
    "C:\Users\Admin\AppData\Local\Temp\fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:380
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_win_path
        PID:3932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 876
      2⤵
      • Program crash
      PID:3916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3956 -ip 3956
    1⤵
      PID:5096
    • C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
      1⤵
      • Executes dropped EXE
      PID:4792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 316
        2⤵
        • Program crash
        PID:4536
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4792 -ip 4792
      1⤵
        PID:3692
      • C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
        C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
        1⤵
        • Executes dropped EXE
        PID:5004
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 316
          2⤵
          • Program crash
          PID:1976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5004 -ip 5004
        1⤵
          PID:1268

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
          Filesize

          281KB

          MD5

          af991d7c2db58e42549976ccb36e5cc7

          SHA1

          748c8a3a47d7331df0fc2f25a4e891161ec11c2d

          SHA256

          fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

          SHA512

          d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
          Filesize

          281KB

          MD5

          af991d7c2db58e42549976ccb36e5cc7

          SHA1

          748c8a3a47d7331df0fc2f25a4e891161ec11c2d

          SHA256

          fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

          SHA512

          d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
          Filesize

          281KB

          MD5

          af991d7c2db58e42549976ccb36e5cc7

          SHA1

          748c8a3a47d7331df0fc2f25a4e891161ec11c2d

          SHA256

          fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

          SHA512

          d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
          Filesize

          281KB

          MD5

          af991d7c2db58e42549976ccb36e5cc7

          SHA1

          748c8a3a47d7331df0fc2f25a4e891161ec11c2d

          SHA256

          fd016b0f0a876b5fc97df610464984865015fe799b2ff700e672168737e44faa

          SHA512

          d57b56ea10ba0abf572ec67a272e0e6b958a4ddd27d9f8d92cfb31191cf9838132b99936f15490ca67acdedaddaae2c4a9239e30adef4d9cd970e0bff7421b2a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
          Filesize

          126KB

          MD5

          af364df1b3d1011a1e53cc43a0f47931

          SHA1

          40a1afe04bb41b40c0369ac5d4707fc74583d2a3

          SHA256

          3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

          SHA512

          e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

          Download Submit

        • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
          Filesize

          126KB

          MD5

          af364df1b3d1011a1e53cc43a0f47931

          SHA1

          40a1afe04bb41b40c0369ac5d4707fc74583d2a3

          SHA256

          3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

          SHA512

          e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

          Download Submit

        • memory/3956-139-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

          Download

        • memory/3956-134-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

          Download

        • memory/3956-132-0x000000000069A000-0x00000000006B8000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3956-138-0x000000000069A000-0x00000000006B8000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3956-133-0x0000000000A00000-0x0000000000A3C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4792-144-0x000000000072D000-0x000000000074C000-memory.dmp

          Filesize

          124KB

          Download

        • memory/4792-145-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

          Download

        • memory/4840-141-0x00000000006CA000-0x00000000006E8000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4840-142-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

          Download

        • memory/5004-150-0x00000000004DD000-0x00000000004FC000-memory.dmp

          Filesize

          124KB

          Download

        • memory/5004-151-0x0000000000400000-0x000000000046B000-memory.dmp

          Filesize

          428KB

          Download