General

  • Target

    5608a119a5da54104852179ed4da981918c94fcae8f786ad31f49b768d88d652

  • Size

    704KB

  • Sample

    230217-v3nnlaga9v

  • MD5

    d33419ae305cc0303587520b324df5c6

  • SHA1

    2c06740052fc6091ab7f7db6aa1f763ed95aa27c

  • SHA256

    5608a119a5da54104852179ed4da981918c94fcae8f786ad31f49b768d88d652

  • SHA512

    0b7502784a287477c5474805a7c39b6799e58c76ca47b2ea449b4121fd638dbe956d0b7c8b2380c6b0b83843abe38d0ec1791d0bf00e5d78efa8f7519ae80e59

  • SSDEEP

    12288:iMrHy90ce/EmyZ5/oTkpjkd4vuyTtnIZYcoc9p4YWfDVl884sAVZsiANCP:5yde/+tuQAdJyTtIGczuFBe84foiAEP

Malware Config

Extracted

Family

redline

Botnet

furka

C2

193.233.20.17:4139

Attributes
  • auth_value

    46dae41be0c00464bf56eddcc93e1bec

Extracted

Family

amadey

Version

3.67

C2

193.233.20.15/dF30Hn4m/index.php

Extracted

Family

amadey

Version

3.66

C2

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

dubik

C2

193.233.20.17:4139

Attributes
  • auth_value

    05136deb26ad700ca57d43b1de454f46

Extracted

Family

purecrypter

C2

https://miner2.me/Oaofdukyvr.dll
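
The five extracted configs above resolve to four distinct C2 endpoints (the two RedLine botnets, furka and dubik, share the same socket C2). As an added example that is not part of the report or of any sandbox tooling, the Python below parses the "Extracted" blocks in the report's own key/value layout, normalises each C2 into host, port and path, and matches the result against a proxy log. The log lines, their column layout and the internal source addresses are constructed for the example; the C2 values are the ones listed above.

```python
"""Turn a sandbox report's 'Extracted' config blocks into network IOCs and
match them against connection logs. Added example, not report tooling."""
import re
from urllib.parse import urlsplit

# Copied from the report's "Malware Config" section with blank lines removed.
REPORT_CONFIG = """\
Extracted
Family
redline
Botnet
furka
C2
193.233.20.17:4139
Attributes
• auth_value
46dae41be0c00464bf56eddcc93e1bec
Extracted
Family
amadey
Version
3.67
C2
193.233.20.15/dF30Hn4m/index.php
Extracted
Family
amadey
Version
3.66
C2
62.204.41.88/9vdVVVjsw/index.php
Extracted
Family
redline
Botnet
dubik
C2
193.233.20.17:4139
Attributes
• auth_value
05136deb26ad700ca57d43b1de454f46
Extracted
Family
purecrypter
C2
https://miner2.me/Oaofdukyvr.dll
"""

def parse_extracted(text):
    """One dict per 'Extracted' block: non-blank lines alternate key, value."""
    blocks, key = [], None
    for s in (line.strip() for line in text.splitlines()):
        if not s or s == "Attributes":        # 'Attributes' only introduces bullets
            continue
        if s == "Extracted":
            blocks.append({}); key = None
        elif key is None:
            key = s.lstrip("•").strip()       # '• auth_value' -> 'auth_value'
        else:
            blocks[-1][key], key = s, None
    return blocks

def c2_to_indicator(c2):
    """Normalise a C2 string to host/port/path; None means 'not constrained'."""
    if re.match(r"^https?://", c2):                 # full URL (PureCrypter)
        u = urlsplit(c2)
        return {"host": u.hostname, "port": u.port or (443 if u.scheme == "https" else 80),
                "path": u.path or "/"}
    if "/" in c2:                                   # host/path, scheme not stated (Amadey)
        host, _, path = c2.partition("/")
        return {"host": host, "port": None, "path": "/" + path}
    host, _, port = c2.partition(":")               # host:port socket (RedLine)
    return {"host": host, "port": int(port) if port else None, "path": None}

def indicators_from_report(text):
    """Distinct indicators in report order; duplicate C2s collapse to one entry."""
    out = {}
    for b in parse_extracted(text):
        ind = c2_to_indicator(b["C2"])
        out.setdefault((ind["host"], ind["port"], ind["path"]), dict(ind, family=b["Family"]))
    return list(out.values())

# Constructed proxy/flow log: "timestamp src dst port url" ('-' when no HTTP URL).
SAMPLE_LOG = """\
2023-02-17T10:00:01Z 10.0.0.5 193.233.20.17 4139 -
2023-02-17T10:00:03Z 10.0.0.5 193.233.20.15 80 http://193.233.20.15/dF30Hn4m/index.php
2023-02-17T10:00:04Z 10.0.0.5 193.233.20.15 80 http://193.233.20.15/favicon.ico
2023-02-17T10:00:09Z 10.0.0.7 203.0.113.10 443 https://example.com/
2023-02-17T10:00:12Z 10.0.0.5 miner2.me 443 https://miner2.me/Oaofdukyvr.dll
"""

def match_log(log_text, indicators):
    """(timestamp, src, family, host, exact) per line that reaches a C2 host;
    exact is True when port and path also agree with the extracted config."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, port, url = line.split(maxsplit=4)
        path = urlsplit(url).path if url != "-" else None
        for ind in indicators:
            if ind["host"] == dst:
                exact = ind["port"] in (None, int(port)) and ind["path"] in (None, path)
                hits.append((ts, src, ind["family"], dst, exact))
    return hits
```

Any contact with a C2 host is reported, with `exact` marking the lines whose port and path also match the config; the Amadey host/path entries carry no scheme or port in the report, so they are matched on host and path only. The same structure is left out of the indicator set on purpose for the RedLine `auth_value` fields: they identify the botnet to the operator, not the network path, so they belong in a sample-level signature rather than a network block list.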

Targets

    • Target

      5608a119a5da54104852179ed4da981918c94fcae8f786ad31f49b768d88d652

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information from infected hosts.

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
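
Two of the behaviours listed above leave registry state that a responder can verify on a suspect host: the Windows Defender real-time protection change and the Run key added for persistence. As an added example that is not part of the report, the Python below encodes those two checks and runs them over a constructed registry snapshot. The snapshot contents, the `Updater` entry and its path, and the set of directories treated as user-writable are assumptions for the example; the Defender value names and Run key paths are the standard ones. On a live host the same dictionaries would be filled from `winreg`.

```python
"""Registry triage for two behaviours the report flags: Defender real-time
protection tampering and Run-key persistence. Added example, not report tooling."""
import re

# Defender reads these DWORD values under its Real-Time Protection keys;
# a value of 1 switches the corresponding protection off.
DEFENDER_RTP_KEYS = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
)
DEFENDER_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection", "DisableScanOnRealtimeEnable",
}
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Directories a non-admin dropper can write to (assumed heuristic, not exhaustive).
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|ProgramData|Users\\Public)\\", re.I)

def defender_tampering(snapshot):
    """(key, value name) for every real-time protection switch set to 1."""
    return [(key, name)
            for key in DEFENDER_RTP_KEYS
            for name, data in snapshot.get(key, {}).items()
            if name in DEFENDER_DISABLE_VALUES and data == 1]

def suspicious_autoruns(snapshot):
    """(key, value name, command) for Run/RunOnce entries whose command lives
    in a user-writable directory, the usual shape of a dropper's autorun."""
    return [(key, name, cmd)
            for key in RUN_KEYS
            for name, cmd in snapshot.get(key, {}).items()
            if USER_WRITABLE.search(cmd)]

def triage(snapshot):
    """Run both checks; an empty list under each key means nothing was found."""
    return {"defender": defender_tampering(snapshot),
            "autoruns": suspicious_autoruns(snapshot)}

# Constructed snapshot: key path -> {value name: data}. Every entry is made up
# for the example; a live collector would build the same structure with winreg.
SNAPSHOT = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {
        "DisableRealtimeMonitoring": 1,
        "DisableBehaviorMonitoring": 1,
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Users\alice\AppData\Local\Temp\a1b2c3\updater.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
}

if __name__ == "__main__":
    for section, findings in triage(SNAPSHOT).items():
        for f in findings:
            print(section, *f)
```

The autorun check is a lead generator, not a verdict: legitimate per-user software also installs under AppData, so each hit still needs the image checked against the sample's hashes or a signature. The Defender check, by contrast, is close to conclusive on a managed host, since nothing but policy or tampering sets those values to 1.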

MITRE ATT&CK Enterprise v6
