General

  • Target

    e7f652d8c7a7008cd1a6e6d310b6a9ffc6f7b1aac8d919b791405d5d67c6d240

  • Size

    301KB

  • Sample

    221228-a9v12acb2v

  • MD5

    f8697692651df4409cd41ac29ff9a6ee

  • SHA1

    868509362dacfad2aba26e38896e4a939f22649c

  • SHA256

    e7f652d8c7a7008cd1a6e6d310b6a9ffc6f7b1aac8d919b791405d5d67c6d240

  • SHA512

    1c9503db68990280398b3186adc66998fcea246dc9f8818fa05738d7cb4685a36a0342ea4edd9fae56f93d7dc77307ec8781b6b09c90bad08ccbb8a2ad507cc8

  • SSDEEP

    6144:8KALyWutF2wTROenFTJvW3WRm5s3/9UZdLaYon5Jk4eROwNj:+GWAFn9B1AeOdin5JFW

Malware Config

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://s28bxcw.xyz

config.edgse.skype.com

http://89.43.107.7

Attributes
  • base_path

    /recycle/

  • build

    250249

  • exe_type

    loader

  • extension

    .alo

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

amadey

Version

3.63

C2

62.204.41.165/g8sjnd3xe/index.php

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://s28bxcw.xyz

http://89.43.107.7

Attributes
  • base_path

    /recycle/

  • build

    250249

  • exe_type

    worker

  • extension

    .alo

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other account information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
