General

  • Target

    74fd38dd61ceddcb1f7d0c4a90053154dfbd1b15ce3e6fdccea23671f3e228bc

  • Size

    245KB

  • Sample

    230218-xxmv8adc26

  • MD5

    8c3e351d278db4d6e187fe2977a0c7eb

  • SHA1

    5a26f77085279fc4791e3f1af157386324961bf4

  • SHA256

    74fd38dd61ceddcb1f7d0c4a90053154dfbd1b15ce3e6fdccea23671f3e228bc

  • SHA512

    37395f9721921815586a7c1eb3c8508ae5852eb1a5b9c732dfe5fec3f4bcd7df8cdf69d3a8d78eb8907162839dd621c188ebc5bdd7ab11cf17e112afece2f992

  • SSDEEP

    3072:tY21YzDL00HOnlBId81ePkmN9JFAi4VdbpEWcgKcb3vlcwWI8sdsi5VULVIZ:CEIDL00QBPelN9DAdVdtEWcjcbGUja

Malware Config

Targets

    • Target

      74fd38dd61ceddcb1f7d0c4a90053154dfbd1b15ce3e6fdccea23671f3e228bc

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from brand Microsoft.

    • Suspicious use of SetThreadContext
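
The registry-driven behaviours above (VirtualBox ACPI lookups, BIOS reads, the UAC check, the Run-key write) are the kind a host sensor can separate from normal software by looking at which process does all of them together. The following is an added example, not part of the sandbox report and not the sandbox vendor's own detection logic. It runs simple rules over a handful of constructed registry events; the event schema (pid, image, operation, path) is an assumption, and the registry paths are the commonly used locations for these checks (the ACPI VBOX__ table names, HARDWARE\DESCRIPTION\System\BIOS, EnableLUA, CurrentVersion\Run), not values taken from this sample.

```python
"""Added example: rule matching over constructed registry-activity events.

Nothing here is from the report or from the sandbox's own signatures.  The
event tuple layout and the operation names are assumptions, not a real
sensor's schema; the registry paths are the well-known locations these
behaviours usually touch.
"""
import re
from collections import defaultdict

# Constructed events: (pid, image, operation, registry path).  Assumed schema.
SAMPLE_EVENTS = [
    (4120, r"C:\Users\user\AppData\Local\Temp\sample.exe", "QueryValue",
     r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    (4120, r"C:\Users\user\AppData\Local\Temp\sample.exe", "QueryValue",
     r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    (4120, r"C:\Users\user\AppData\Local\Temp\sample.exe", "QueryValue",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (4120, r"C:\Users\user\AppData\Local\Temp\sample.exe", "SetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    # Benign noise: explorer reading its own settings.
    (2208, r"C:\Windows\explorer.exe", "QueryValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"),
    # Benign persistence: an installer registering a tray helper, no evasion.
    (3316, r"C:\Program Files\Vendor\installer.exe", "SetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"),
]

# rule name -> (operations it applies to, path pattern)
RULES = {
    "anti_vm_virtualbox_acpi": (
        ("QueryValue", "OpenKey"),
        re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    ),
    "bios_info_read": (
        ("QueryValue", "OpenKey"),
        re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
                   r"(BIOS\\|SystemBiosVersion|VideoBiosVersion)", re.I),
    ),
    "uac_state_check": (
        ("QueryValue", "OpenKey"),
        re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
                   r"Policies\\System\\EnableLUA$", re.I),
    ),
    "run_key_persistence": (
        ("SetValue",),
        re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                   r"Run(Once)?\\", re.I),
    ),
}

# Rules that indicate sandbox / VM awareness rather than persistence.
EVASION_RULES = {"anti_vm_virtualbox_acpi", "bios_info_read"}


def match_rules(events):
    """Group rule hits by pid: {pid: {"image": str, "rules": set[str]}}."""
    hits = defaultdict(lambda: {"image": None, "rules": set()})
    for pid, image, operation, path in events:
        for name, (operations, pattern) in RULES.items():
            if operation in operations and pattern.search(path):
                hits[pid]["image"] = image
                hits[pid]["rules"].add(name)
    return dict(hits)


def triage(hits):
    """Rate each process: evasion plus persistence is what the report shows;
    a lone Run-key write is routine for installers and only rates low."""
    verdicts = {}
    for pid, info in hits.items():
        rules = info["rules"]
        if rules & EVASION_RULES and "run_key_persistence" in rules:
            verdicts[pid] = "high"
        elif rules & EVASION_RULES:
            verdicts[pid] = "medium"
        else:
            verdicts[pid] = "low"
    return verdicts


if __name__ == "__main__":
    found = match_rules(SAMPLE_EVENTS)
    for pid, verdict in triage(found).items():
        print(pid, found[pid]["image"], verdict, sorted(found[pid]["rules"]))
```

The point of the `triage` step is the caveat: each of these registry reads is also done by legitimate software (inventory agents read BIOS strings, installers write Run keys), so a single rule firing is low-value; the combination of VM-awareness checks and a persistence write from the same freshly dropped executable is what matches the behaviour in this report.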

MITRE ATT&CK Enterprise v6

Tasks