General

  • Target

    2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

  • Size

    235KB

  • Sample

    230118-ae8cwafb61

  • MD5

    9630e11f88c832c3c7a5da18ef9cc0ac

  • SHA1

    5bfadbe22a7b3a1db3cb5a7f2ec224f4e44c7bd0

  • SHA256

    2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

  • SHA512

    da94fdf546709e7f18af019cd92e23af81d161b9e2730b65719381da052320191d957db16d06b26021f8de686a7fb6b20d9715fe7e64a0c7063a6b3051dab4cd

  • SSDEEP

    6144:WfSsOzqs7nAV3QN2tW0J3SluVy3VYlSgXqgkX:jbN6J4uVy3VmSga

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.121/ZxhssZx/index.php

maximumpushtodaynotnowbut.com/Nmkn5d9Dn/index.php

motiontodaynotgogoodnowok.com/Nmkn5d9Dn/index.php

sogoodnowtodaynow.com/Nmkn5d9Dn/index.php

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes

  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

Family

redline

Botnet

vertu

C2

62.204.41.159:4062

Attributes

  • auth_value

    fcf83997f362e2cd45c3f3c30912dd41

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

193.42.33.28/8bmdh3Slb2/index.php

Extracted

Family

redline

C2

45.88.67.20:80

193.42.33.6:5431

193.47.61.243:80

Attributes

  • auth_value

    29b63fca3ce84b8df33b2ea8d60d05ee

Extracted

Family

redline

Botnet

inst

C2

65.109.187.41:3042

Attributes

  • auth_value

    8ef99fdc075dae8e33613f12c3d304f4

Extracted

Family

raccoon

Botnet

571391c08bcfc49c97149aeb137899e0

C2

http://185.180.199.215

rc4.plain

Extracted

Family

redline

Botnet

@DridexxSupport ( http://t.me/DridexxHackingTutorials )

C2

154.7.253.146:40762

Attributes

  • auth_value

    ee07f3e6fb42718b666e27fe7bb35986

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/adwwe09/

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks