Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Resubmissions

29/12/2022, 04:29

221229-e38qrscc96 10

27/12/2022, 22:01

221227-1xk86sbg2s 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96

  • Size

    301KB

  • Sample

    221227-1xk86sbg2s

  • MD5

    2696436262a5e030ee3ea3957fed4c9a

  • SHA1

    7dc56a360e948a0f9818abc5dbe1264e3595c054

  • SHA256

    9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96

  • SHA512

    180f8cdd55fd7454a40053f4e1ad962fb6b1374a24a10ccd00027cbd6e480259084131c11ca8d259ed3557ad9ecd9b09d1076ba437a1c685845e8b59d7735531

  • SSDEEP

    6144:NTLZ0WbjOnFu5ROu41+xgp/9UZdLaYon5Jk4eROw:Jl0BuvOzUdin5JF

Score
10/10
amadeygoziredlinesmokeloader22500@2023@newbackdoorbankerdiscoveryinfostealerisfbspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.63

C2

62.204.41.165/g8sjnd3xe/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://

s28bxcw.xyz

config.edgse.skype.com

http://89.43.107.7
Attributes
  • base_path

    /recycle/

  • build

    250249

  • exe_type

    loader

  • extension

    .alo

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

redline

Botnet

@2023@New

C2

91.215.85.155:32796

Attributes
  • auth_value

    0be5b9b84cd5b707e91a48e341e3f7d7

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://s28bxcw.xyz

http://89.43.107.7
Attributes
  • base_path

    /recycle/

  • build

    250249

  • exe_type

    worker

  • extension

    .alo

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96

    • Size

      301KB

    • MD5

      2696436262a5e030ee3ea3957fed4c9a

    • SHA1

      7dc56a360e948a0f9818abc5dbe1264e3595c054

    • SHA256

      9d7301c67f1622ae78ecb47d85bf5e693bc92f2a4c963068c03b6f7b24f33b96

    • SHA512

      180f8cdd55fd7454a40053f4e1ad962fb6b1374a24a10ccd00027cbd6e480259084131c11ca8d259ed3557ad9ecd9b09d1076ba437a1c685845e8b59d7735531

    • SSDEEP

      6144:NTLZ0WbjOnFu5ROu41+xgp/9UZdLaYon5Jk4eROw:Jl0BuvOzUdin5JF

    Score
    10/10
    amadeygoziredlinesmokeloader22500@2023@newbackdoorbankerdiscoveryinfostealerisfbspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Smokeloader packer

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks