Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    512c0b8c08e79d0acef6d5c2ae89900cba20de54c22736046d9d40f6c28d9dcd

  • Size

    1.1MB

  • Sample

    230409-hcvm1abd41

  • MD5

    30b80fd1148fd91703e5c581a949c4f6

  • SHA1

    c3b2531e4ab0587f9f84718990b01b15a7f69555

  • SHA256

    512c0b8c08e79d0acef6d5c2ae89900cba20de54c22736046d9d40f6c28d9dcd

  • SHA512

    372024b5f996492e9f2421a8c0d650e375830314621900742074b9957bcd450ea3607596281e9cd5fafeb05fca7666ec9b0f84e493d4a5cbbd0d4c8a361883ed

  • SSDEEP

    24576:+yjr1q14cNUzbkSDQVNqZ0uhMpDSOFxPM3x9N:NHNSURDjHhMtSOs

Score
10/10
amadeyredlinesectopratbuild123456789cheatlenoxnormcollectiondiscoveryevasioninfostealerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

lenox

C2

77.91.124.145:4125

Attributes
  • auth_value

    a5c9c17a250a084c5fd706c1df7c2d4e

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Extracted

Family

redline

Botnet

Build123456789

C2

91.237.124.206:44224

Attributes
  • auth_value

    604ef43e255e32e816084fe3f7e0a809

Extracted

Family

redline

Botnet

cheat

C2

154.81.220.233:28105

Targets

    • Target

      512c0b8c08e79d0acef6d5c2ae89900cba20de54c22736046d9d40f6c28d9dcd

    • Size

      1.1MB

    • MD5

      30b80fd1148fd91703e5c581a949c4f6

    • SHA1

      c3b2531e4ab0587f9f84718990b01b15a7f69555

    • SHA256

      512c0b8c08e79d0acef6d5c2ae89900cba20de54c22736046d9d40f6c28d9dcd

    • SHA512

      372024b5f996492e9f2421a8c0d650e375830314621900742074b9957bcd450ea3607596281e9cd5fafeb05fca7666ec9b0f84e493d4a5cbbd0d4c8a361883ed

    • SSDEEP

      24576:+yjr1q14cNUzbkSDQVNqZ0uhMpDSOFxPM3x9N:NHNSURDjHhMtSOs

    Score
    10/10
    amadeyredlinesectopratbuild123456789cheatlenoxnormcollectiondiscoveryevasioninfostealerpersistenceratspywarestealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

File Permissions Modification

1
T1222

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

3
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks