General

  • Target

    96b675ea1180623cbaaab1a0fa5028320bf161fa829bfa922a4b920160b47def

  • Size

    4.1MB

  • Sample

    230201-n6yveafa3w

  • MD5

    57b08e037d5b265b459aefdf565d817a

  • SHA1

    525b42a7c5a736c45810bdeab451301673c775b8

  • SHA256

    96b675ea1180623cbaaab1a0fa5028320bf161fa829bfa922a4b920160b47def

  • SHA512

    77ff717f277ec544b88760ff08dd19134669b7c0b109d141daf3695686402ef57db4d38fddaf64945adc72da05af55dd9f427590eca5f4c96bddc3ffa28a3422

  • SSDEEP

    98304:Xvb+8kiY/43mw/pKVw6GL2MDo17yxfdo6Co5auE/INc:Xm3w312GSMDo1yH

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.65

  • C2

    77.73.134.27/8bmdh3Slb2/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detects Smokeloader packer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      Count  ID
  Execution              Scheduled Task                 1      T1053
  Persistence            Scheduled Task                 1      T1053
  Privilege Escalation   Scheduled Task                 1      T1053
  Defense Evasion        Modify Registry                1      T1112
  Credential Access      Credentials in Files           1      T1081
  Discovery              Query Registry                 4      T1012
  Discovery              System Information Discovery   4      T1082
  Discovery              Peripheral Device Discovery    1      T1120
  Collection             Data from Local System         1      T1005
  Collection             Email Collection               2      T1114

Tasks