Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec

  • Size

    252KB

  • Sample

    230225-vrrk4sdf4v

  • MD5

    4c321bea573c9d741d073aee4280af7d

  • SHA1

    57f6df6d4b8b0c1e093c96aa88177582cd75b59a

  • SHA256

    f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec

  • SHA512

    eb06034eda2e0871b66f9f588c1243d52e74d8315a1a4cb245d41868ba2f13d7933a9c0114c635b73a7625c4c4e2e5ce1b9b41affb17a3cae34e7063ecd62aca

  • SSDEEP

    3072:hAxkekLAFD6gK/32/dJhN3rvg/7/E8argeVTtXPpxBqRhDmlhHo:KOLTgK/4ogrxPXBq7mL

Score
10/10
dcratrhadamanthyssmokeloaderagilenetbackdoorevasioninfostealerpersistenceratspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec

    • Size

      252KB

    • MD5

      4c321bea573c9d741d073aee4280af7d

    • SHA1

      57f6df6d4b8b0c1e093c96aa88177582cd75b59a

    • SHA256

      f255f64aded09b91eed435a1c93100e006d59aa82fdbc931bec2da402d540eec

    • SHA512

      eb06034eda2e0871b66f9f588c1243d52e74d8315a1a4cb245d41868ba2f13d7933a9c0114c635b73a7625c4c4e2e5ce1b9b41affb17a3cae34e7063ecd62aca

    • SSDEEP

      3072:hAxkekLAFD6gK/32/dJhN3rvg/7/E8argeVTtXPpxBqRhDmlhHo:KOLTgK/4ogrxPXBq7mL

    Score
    10/10
    dcratrhadamanthyssmokeloaderagilenetbackdoorevasioninfostealerpersistenceratspywarestealerthemidatrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect rhadamanthys stealer shellcode

    • Detects Smokeloader packer

    • Modifies security service

      evasion

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

1
T1497

Impair Defenses

1
T1562

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks