General

  • Target

    b2342e0ebf939d7d7e81ff782b4539b84fed2ca4e418e965f0cb8552a860fe5c

  • Size

    149KB

  • Sample

    230217-tz8nxsfg9t

  • MD5

    6701afef3227aa7daa28f8a416981a2f

  • SHA1

    fea537b3cee11bcc2b3eb5eb68636124b2c8b985

  • SHA256

    b2342e0ebf939d7d7e81ff782b4539b84fed2ca4e418e965f0cb8552a860fe5c

  • SHA512

    eb3d60095245e11f545c85763fd9cb24dc0eaab72feb463f29b4393b307b541fae8525401b893c31aef5355a8ee440d95544983b606e1377adbab8b89b020535

  • SSDEEP

    3072:rNCFuCMZ69PLIA9oeWzPybSDljAc11koaAL9a3UhoG:rgFuzZ690Blza2BAc1KDAL9a3Qo

Targets

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Sets file execution options in registry

      Image File Execution Options entries can redirect or intercept the launch of a named program, so writes here are a common persistence and defence-evasion technique.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Registers COM server for autorun

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from the Microsoft brand.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect a thread's execution during process injection or process hollowing.

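Several of the behaviours flagged above (BIOS lookup, VirtualBox ACPI keys, country code, UAC state, Run key, Image File Execution Options, COM server registration) are registry reads or writes at well-known locations. The following is an added example, not part of this report and not the sandbox's own rule set: a small classifier that maps registry telemetry to those behaviour names. The key paths are the standard Windows locations for each check (an assumption that the report's signatures key on these or similar paths), the rule names echo the report's wording, and the events are constructed to resemble Sysmon-style registry telemetry.

```python
"""Map registry telemetry to the sandbox-style behaviours listed in the report.

Added example, not code from the report or from the sandbox vendor. The
registry locations are the standard Windows ones for each behaviour
(assumption: the report's signatures key on these or similar paths).
SAMPLE_EVENTS are constructed, not captured from the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RegEvent:
    op: str          # "read" or "write"
    path: str        # full key path, hive abbreviated (HKLM/HKCU)
    value: str       # value name, empty for key-level access
    data: str = ""   # data written (empty for reads)


# (behaviour name, operation, key regex, value-name regex or None)
RULES: List[Tuple[str, str, str, Optional[str]]] = [
    ("Checks BIOS information in registry", "read",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System(\\BIOS)?$",
     r"^(SystemBiosVersion|VideoBiosVersion|SystemManufacturer|SystemProductName)$"),
    ("Identifies VirtualBox via ACPI registry values", "read",
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", None),
    ("Checks computer location settings", "read",
     r"^HKCU\\Control Panel\\International\\Geo$", r"^(Nation|Name)$"),
    ("Checks whether UAC is enabled", "read",
     r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$",
     r"^EnableLUA$"),
    ("Adds Run key to start application", "write",
     r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", None),
    ("Sets file execution options in registry", "write",
     r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+$",
     None),
    # Assumption: "COM server for autorun" means a CLSID server path pointing at the payload.
    ("Registers COM server for autorun", "write",
     r"^HK(LM|CU)\\SOFTWARE\\Classes\\CLSID\\\{[0-9A-F-]+\}\\(InprocServer32|LocalServer32)$",
     None),
]


def classify(ev: RegEvent) -> List[str]:
    """Return the names of every rule the event satisfies (registry paths are case-insensitive)."""
    hits = []
    for name, op, key_re, val_re in RULES:
        if ev.op != op:
            continue
        if not re.match(key_re, ev.path, re.IGNORECASE):
            continue
        if val_re is not None and not re.match(val_re, ev.value, re.IGNORECASE):
            continue
        hits.append(name)
    return hits


def triage(events: List[RegEvent]) -> List[str]:
    """Return the distinct behaviours observed across all events, in first-seen order."""
    seen: List[str] = []
    for ev in events:
        for name in classify(ev):
            if name not in seen:
                seen.append(name)
    return seen


# Constructed telemetry: one event per behaviour plus one benign read.
SAMPLE_EVENTS = [
    RegEvent("read", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    RegEvent("read", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", ""),
    RegEvent("read", r"HKCU\Control Panel\International\Geo", "Nation"),
    RegEvent("read", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"),
    RegEvent("write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
             r"C:\Users\Public\svchost.exe"),
    RegEvent("write", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe",
             "Debugger", r"C:\Users\Public\svchost.exe"),
    RegEvent("write", r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32",
             "", r"C:\Users\Public\payload.dll"),
    RegEvent("read", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "ShellState"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.op:5} {ev.path}\\{ev.value}: {classify(ev) or 'no match'}")
    print("behaviours:", triage(SAMPLE_EVENTS))
```

Run against real telemetry, the read-side rules are noisy on their own (legitimate installers also read BIOS and locale values); what makes them interesting in this report is their co-occurrence with the write-side persistence rules in one process, which is why `triage` reports the set rather than scoring each event.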