General

  • Target

    cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445

  • Size

    149KB

  • Sample

    230217-1x2adshb6x

  • MD5

    932c74304b16cf546adfc4c1e7b8908a

  • SHA1

    083698ced09892795e485afcd3182d44734b1c69

  • SHA256

    cebf37f2fab89b80a422bdc1e8bde591fd7b05a3e3cd72d7181ae49d8332a445

  • SHA512

    d2e113596ffe3138b3b7c62e7ba579860a711e876800bc67da88f8c23cb168f6983eb6bfc9962a9fc1e56dfc354f20788709089f44fc5876ac62456704504771

  • SSDEEP

    3072:xFspHvXz3KRBFDE2jyStDq6FmoHhCxLVcxf5SbCcJwiN:4JvXbKR82GKDq6DHhCpCj2C8wi

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from brand microsoft.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks