Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c9a86ad99e833a67cd0f8e16306a55a00c694706b41faf2986051b66ded67073

  • Size

    1.0MB

  • Sample

    230421-rggflshh3x

  • MD5

    8fe607a4db1ece0ce7fac21eedd682ac

  • SHA1

    9bbeb42eb6cfe482e14e1e9155d4123ea7467b7e

  • SHA256

    c9a86ad99e833a67cd0f8e16306a55a00c694706b41faf2986051b66ded67073

  • SHA512

    2a8743836c168e04bb26ab9812f74ec268b003d096fafab2261c781c74b1f9a3248909f50dcbbfe00276711a99aa7d6acc7141fe5adca26b0040d43250fc7dab

  • SSDEEP

    24576:ty9BMBFxtenfMO4sGF90i2GBDAgyCIREp9hXoM:I9+Ufys40MBDAgXIup7X

Score
10/10
amadeylaplasredlineheavan daveclipperdiscoveryevasioninfostealerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Extracted

Family

redline

Botnet

Heavan Dave

C2

199.115.193.116:15763

Attributes
  • auth_value

    53923b5ff123b63db4445e5dfd21c16f

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Targets

    • Target

      c9a86ad99e833a67cd0f8e16306a55a00c694706b41faf2986051b66ded67073

    • Size

      1.0MB

    • MD5

      8fe607a4db1ece0ce7fac21eedd682ac

    • SHA1

      9bbeb42eb6cfe482e14e1e9155d4123ea7467b7e

    • SHA256

      c9a86ad99e833a67cd0f8e16306a55a00c694706b41faf2986051b66ded67073

    • SHA512

      2a8743836c168e04bb26ab9812f74ec268b003d096fafab2261c781c74b1f9a3248909f50dcbbfe00276711a99aa7d6acc7141fe5adca26b0040d43250fc7dab

    • SSDEEP

      24576:ty9BMBFxtenfMO4sGF90i2GBDAgyCIREp9hXoM:I9+Ufys40MBDAgXIup7X

    Score
    10/10
    amadeylaplasredlineheavan daveclipperdiscoveryevasioninfostealerpersistencespywarestealerthemidatrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

      stealerclipperlaplas

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks