Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    844336701be3388c4b86a6bf6e5aaf06a4a533df6198bab420e3de51bc2028de

  • Size

    1.0MB

  • Sample

    230414-kv9kzsaf71

  • MD5

    0818690cc1efddfcce820bbb94145922

  • SHA1

    3e681fc1abdcec6143ac2d10f25db04878fdc9bd

  • SHA256

    844336701be3388c4b86a6bf6e5aaf06a4a533df6198bab420e3de51bc2028de

  • SHA512

    b062cff2cb676c1c4450f91561b1d871b2353a03f4311765958547fbe8ff119d40a8d117c63dc733c263ccfd3f4e5a721f77e22c4dcac3a84533cca0009c261c

  • SSDEEP

    24576:Py2CRwvLT4FTYy/tAg74Kj1E91wUBcUX06B9d5P0NcuQ+McTf:a2hvLT4FTYy/J74Kj1AC2NBn5s4e

Score
10/10
amadeyredlinedisaladadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

C2

185.161.248.90:4125

Attributes
  • auth_value

    93f8c4ca7000e3381dd4b6b86434de05

Targets

    • Target

      844336701be3388c4b86a6bf6e5aaf06a4a533df6198bab420e3de51bc2028de

    • Size

      1.0MB

    • MD5

      0818690cc1efddfcce820bbb94145922

    • SHA1

      3e681fc1abdcec6143ac2d10f25db04878fdc9bd

    • SHA256

      844336701be3388c4b86a6bf6e5aaf06a4a533df6198bab420e3de51bc2028de

    • SHA512

      b062cff2cb676c1c4450f91561b1d871b2353a03f4311765958547fbe8ff119d40a8d117c63dc733c263ccfd3f4e5a721f77e22c4dcac3a84533cca0009c261c

    • SSDEEP

      24576:Py2CRwvLT4FTYy/tAg74Kj1E91wUBcUX06B9d5P0NcuQ+McTf:a2hvLT4FTYy/J74Kj1AC2NBn5s4e

    Score
    10/10
    amadeyredlinedisaladadiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks