Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b24a073afb15a0893d5ad5f99971b875b9af765354fa938a6bd35eae6098933c

  • Size

    286KB

  • Sample

    230315-r7aezsdf99

  • MD5

    8e1250c51f4f05644484074b21015e12

  • SHA1

    10af5c61515d09ea7e418dbc236f0cf14df224d4

  • SHA256

    b24a073afb15a0893d5ad5f99971b875b9af765354fa938a6bd35eae6098933c

  • SHA512

    8df5ee82ad41d01db8b561ac781f6c3d409ee9e1871ecb645198c9a7856e173e1d0fd789f745332ab8ca7d009c189903d778876295253950dedaa437d84fce8a

  • SSDEEP

    6144:KSy+bnr+ip0yN90QEL6EGQ9Qu/aNACA/7q0KfRFikQmyfyZGvO5:GMrSy901PiuyNyCRKfycS

Score
10/10
amadeyauroraredlinerhadamanthyslintmatywon2collectiondiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

lint

C2

193.233.20.28:4125

Attributes
  • auth_value

    0e95262fb78243c67430f3148303e5b7

Extracted

Family

amadey

Version

3.68

C2

62.204.41.87/joomla/index.php

Extracted

Family

aurora

C2

45.84.1.87:8081

Extracted

Family

redline

Botnet

MatyWon2

C2

85.31.54.216:43728

Attributes
  • auth_value

    abc9e9d7ec3024110589ea03bcfaaa89

Extracted

Family

redline

C2

207.246.108.255:28142

Attributes
  • auth_value

    9daf678a2d5915fdad9bc78e736a0e61

Targets

    • Target

      b24a073afb15a0893d5ad5f99971b875b9af765354fa938a6bd35eae6098933c

    • Size

      286KB

    • MD5

      8e1250c51f4f05644484074b21015e12

    • SHA1

      10af5c61515d09ea7e418dbc236f0cf14df224d4

    • SHA256

      b24a073afb15a0893d5ad5f99971b875b9af765354fa938a6bd35eae6098933c

    • SHA512

      8df5ee82ad41d01db8b561ac781f6c3d409ee9e1871ecb645198c9a7856e173e1d0fd789f745332ab8ca7d009c189903d778876295253950dedaa437d84fce8a

    • SSDEEP

      6144:KSy+bnr+ip0yN90QEL6EGQ9Qu/aNACA/7q0KfRFikQmyfyZGvO5:GMrSy901PiuyNyCRKfycS

    Score
    10/10
    amadeyauroraredlinerhadamanthyslintmatywon2collectiondiscoveryinfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

      stealeraurora

    • Detect rhadamanthys stealer shellcode

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks