Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Resubmissions

19-05-2024 21:23

240519-z8sxqaaf7v 10

04-03-2023 01:15

230304-bmabgscb99 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d2c003daab8f6f32f6feeeff393cff2be86149c98ab4f484e266ca304bab5e8b

  • Size

    180KB

  • Sample

    230304-bmabgscb99

  • MD5

    15b60623c9bca83824f1167b90e85e19

  • SHA1

    2843541afb8ec9fc10083a4cf89e3eea9fa8085f

  • SHA256

    d2c003daab8f6f32f6feeeff393cff2be86149c98ab4f484e266ca304bab5e8b

  • SHA512

    2de2f0baffef67c1cd5653e30fd7a640881373484db86e465b157d9d6e2bfb329295b911d6eaaa8b880160277afc4dda21ff6c70a8f114da32315c6bc10f4634

  • SSDEEP

    3072:3+utkx7rgxYELEcyZ5lJuulGSrCGpZ7jAXPSQ:ZaxngxYrZbI6hTj

Score
10/10
amadeyredlinesmokeloaderfoksarostobackdoordiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

rosto

C2

hueref.eu:4162

Attributes
  • auth_value

    07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

amadey

Version

3.68

C2

193.233.20.25/buH5N004d/index.php

Extracted

Family

redline

Botnet

foksa

C2

hueref.eu:4162

Attributes
  • auth_value

    6a9b2601a21672b285de3ed41b5402e4

Targets

    • Target

      d2c003daab8f6f32f6feeeff393cff2be86149c98ab4f484e266ca304bab5e8b

    • Size

      180KB

    • MD5

      15b60623c9bca83824f1167b90e85e19

    • SHA1

      2843541afb8ec9fc10083a4cf89e3eea9fa8085f

    • SHA256

      d2c003daab8f6f32f6feeeff393cff2be86149c98ab4f484e266ca304bab5e8b

    • SHA512

      2de2f0baffef67c1cd5653e30fd7a640881373484db86e465b157d9d6e2bfb329295b911d6eaaa8b880160277afc4dda21ff6c70a8f114da32315c6bc10f4634

    • SSDEEP

      3072:3+utkx7rgxYELEcyZ5lJuulGSrCGpZ7jAXPSQ:ZaxngxYrZbI6hTj

    Score
    10/10
    amadeyredlinesmokeloaderfoksarostobackdoordiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1

MITRE ATT&CK Enterprise v6

Tasks