Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11

  • Size

    685KB

  • Sample

    230418-l23xfsag42

  • MD5

    66b8754b442f4b670f96017505518a72

  • SHA1

    be14dae2c9ecc2227269053fa0829d57cc6052b4

  • SHA256

    b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11

  • SHA512

    e5120d94714d6a3180040b4a803f29de2378eaa0c5795e156e76a27ffd8ec16ada899d7c3d77d5a69267ee10e412fce6fd1625dee1549a9ec6646d0c751d1e8a

  • SSDEEP

    12288:lnGZwDJEET9iY7ED3FxwMueDDn/gUZDArfzaEGcNmd:lnWZExiY4FN/TU7znc

Score
10/10
azorultmodiloadervidarxmrigbbee3401930f10e95914ad2b6f71c79ddiscoveryinfostealerminerspywarestealertrojan

Malware Config

Extracted

Family

vidar

Version

3.5

Botnet

bbee3401930f10e95914ad2b6f71c79d

C2

https://steamcommunity.com/profiles/76561199497218285

https://t.me/tg_duckworld
Attributes
  • profile_id_v2

    bbee3401930f10e95914ad2b6f71c79d

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Targets

    • Target

      b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11

    • Size

      685KB

    • MD5

      66b8754b442f4b670f96017505518a72

    • SHA1

      be14dae2c9ecc2227269053fa0829d57cc6052b4

    • SHA256

      b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11

    • SHA512

      e5120d94714d6a3180040b4a803f29de2378eaa0c5795e156e76a27ffd8ec16ada899d7c3d77d5a69267ee10e412fce6fd1625dee1549a9ec6646d0c751d1e8a

    • SSDEEP

      12288:lnGZwDJEET9iY7ED3FxwMueDDn/gUZDArfzaEGcNmd:lnWZExiY4FN/TU7znc

    Score
    10/10
    azorultmodiloadervidarxmrigbbee3401930f10e95914ad2b6f71c79ddiscoveryinfostealerminerspywarestealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • ModiLoader Second Stage

    • XMRig Miner payload

      miner

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks