General

  • Target

    994066cac6a6b8221a8ec128a6eca14789f0e3e115311e1e89041aca9df45356

  • Size

    229KB

  • Sample

    230219-rx4k3sfb9w

  • MD5

    b069ab58cf11b8b11e4414bf5ea4bfe8

  • SHA1

    7d66355aec28616d043c6c1d2b8d804a566c9fc2

  • SHA256

    994066cac6a6b8221a8ec128a6eca14789f0e3e115311e1e89041aca9df45356

  • SHA512

    4b6e9b8a9c830dd45899e3a9deaa9e0f0a0d840421318c5f9509232b7f589f93953d1d7cb46823be7aacc0a9b2a6c99393495f24dd2ced2c6d6bc54db05b12fc

  • SSDEEP

    3072:4i9rxR8bLL1PnCsH2EUOWDZKaHfqjUUUU0HKhc6q1EX62Le5umF1K1MfF:txR8bLVCCUOcDHqUUUUg+c6ljLqK1M

Targets

    • Target

      994066cac6a6b8221a8ec128a6eca14789f0e3e115311e1e89041aca9df45356

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
