General

  • Target

    6f0f13849fa98bfbf8cf325139076aba2f2304f4abf8be57fad2d06675be1874

  • Size

    230KB

  • Sample

    221228-d37ysshd33

  • MD5

    9761b4c5d71e3051866c59d6ec8f4d73

  • SHA1

    aeaa311c0370ec016975b6e85719ce045bc056e2

  • SHA256

    6f0f13849fa98bfbf8cf325139076aba2f2304f4abf8be57fad2d06675be1874

  • SHA512

    c62219f9d1149280fd2d7644c07285fc789172b7671cf64cdd4854d50724c953018a3013228a71cdb85a5ad73fbd51bef23bd452bcbb67594b1f9fbc304635a9

  • SSDEEP

    3072:iRn5/3LJ8t/T8503xYjgqoQmMS8iI8+7fuKDQEEsNkwtSMGq0sPPtYKs/xAI9y:U3LJ8B33KHNmsiI8+7fuExJNvqK1YDZ

Malware Config

Extracted

Family

gozi

Attributes
  • build

    250249

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://s28bxcw.xyz

config.edgse.skype.com

http://89.43.107.7

Attributes
  • base_path

    /recycle/

  • build

    250249

  • exe_type

    loader

  • extension

    .alo

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

amadey

Version

3.63

C2

62.204.41.165/g8sjnd3xe/index.php

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://s28bxcw.xyz

http://89.43.107.7

Attributes
  • base_path

    /recycle/

  • exe_type

    worker

  • extension

    .alo

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Target

      6f0f13849fa98bfbf8cf325139076aba2f2304f4abf8be57fad2d06675be1874

    • Size

      230KB

    • MD5

      9761b4c5d71e3051866c59d6ec8f4d73

    • SHA1

      aeaa311c0370ec016975b6e85719ce045bc056e2

    • SHA256

      6f0f13849fa98bfbf8cf325139076aba2f2304f4abf8be57fad2d06675be1874

    • SHA512

      c62219f9d1149280fd2d7644c07285fc789172b7671cf64cdd4854d50724c953018a3013228a71cdb85a5ad73fbd51bef23bd452bcbb67594b1f9fbc304635a9

    • SSDEEP

      3072:iRn5/3LJ8t/T8503xYjgqoQmMS8iI8+7fuKDQEEsNkwtSMGq0sPPtYKs/xAI9y:U3LJ8B33KHNmsiI8+7fuExJNvqK1YDZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks