Overview

overview

10

Static

static

7

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2023 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe

  • Size

    6.8MB

  • MD5

    4fcd70f4d036361d2fef09cf03932f7b

  • SHA1

    b8c39838498676d95a267e8f9ee2bb59edb8e76e

  • SHA256

    bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

  • SHA512

    3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

  • SSDEEP

    98304:TBWqiL18HkxPnA8n+wuxT4NqP2ozzv68ZslF8QLkY52P:9RiSk9pnNuiiXi8mF7LkY52P

Score
10/10
amadeyredlineevasioninfostealerspywarethemidatrojan

Malware Config

Extracted

Family

amadey

Version

3.80

C2

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Themida packer 18 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
    "C:\Users\Admin\AppData\Local\Temp\bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:2256
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:916
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "oneetx.exe" /P "Admin:N"
            4⤵
              PID:4196
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:R" /E
              4⤵
                PID:4144
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:3424
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\eb0f58bce7" /P "Admin:N"
                  4⤵
                    PID:3404
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\eb0f58bce7" /P "Admin:R" /E
                    4⤵
                      PID:4512
                  • C:\Users\Admin\AppData\Local\Temp\1000117001\foxtaskhost.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000117001\foxtaskhost.exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:3060
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2236
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 148
                      4⤵
                      • Program crash
                      PID:3276
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3060 -ip 3060
                1⤵
                  PID:5108
                • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
                  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4160

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\1000117001\foxtaskhost.exe
                  Filesize

                  896KB

                  MD5

                  e2c5529ffe6daad5131f78fa9d1dc097

                  SHA1

                  e4cbc78979afee670381e58c16c4c10147fe0bde

                  SHA256

                  4cb1e80a0a189fbbe6287df238cb360143cfb3b530d67e458947bfa667e42d92

                  SHA512

                  fc9e8172cfc6e860f16a3f482bc5f45ef1ed8416199bf4b6caab0fce55bbdf5d7a19a9165900a40fd2975b157a6f4d53d808ee87632f97e5d944facdd7f66a4b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000117001\foxtaskhost.exe
                  Filesize

                  896KB

                  MD5

                  e2c5529ffe6daad5131f78fa9d1dc097

                  SHA1

                  e4cbc78979afee670381e58c16c4c10147fe0bde

                  SHA256

                  4cb1e80a0a189fbbe6287df238cb360143cfb3b530d67e458947bfa667e42d92

                  SHA512

                  fc9e8172cfc6e860f16a3f482bc5f45ef1ed8416199bf4b6caab0fce55bbdf5d7a19a9165900a40fd2975b157a6f4d53d808ee87632f97e5d944facdd7f66a4b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1000117001\foxtaskhost.exe
                  Filesize

                  896KB

                  MD5

                  e2c5529ffe6daad5131f78fa9d1dc097

                  SHA1

                  e4cbc78979afee670381e58c16c4c10147fe0bde

                  SHA256

                  4cb1e80a0a189fbbe6287df238cb360143cfb3b530d67e458947bfa667e42d92

                  SHA512

                  fc9e8172cfc6e860f16a3f482bc5f45ef1ed8416199bf4b6caab0fce55bbdf5d7a19a9165900a40fd2975b157a6f4d53d808ee87632f97e5d944facdd7f66a4b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\176143399325
                  Filesize

                  81KB

                  MD5

                  4ceca2af9fd0079e2adc828f3c8d8308

                  SHA1

                  4f88faf5eb8df3f13fc5ef9729fe2225976f3dfd

                  SHA256

                  c61d6e59657f10e2244f95a66ac762847ecf2ffe576b060f6b57ca7296a6906a

                  SHA512

                  6368c59dc3c9b6ffb2f9add509c6f77b3818e741150e7fabde5c2fa9f9d93d0f3d2d9c507921dd643f4093920ae53a5d29db08f0ce7c5ee60117f55f2787daa3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
                  Filesize

                  6.8MB

                  MD5

                  4fcd70f4d036361d2fef09cf03932f7b

                  SHA1

                  b8c39838498676d95a267e8f9ee2bb59edb8e76e

                  SHA256

                  bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

                  SHA512

                  3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
                  Filesize

                  6.8MB

                  MD5

                  4fcd70f4d036361d2fef09cf03932f7b

                  SHA1

                  b8c39838498676d95a267e8f9ee2bb59edb8e76e

                  SHA256

                  bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

                  SHA512

                  3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
                  Filesize

                  6.8MB

                  MD5

                  4fcd70f4d036361d2fef09cf03932f7b

                  SHA1

                  b8c39838498676d95a267e8f9ee2bb59edb8e76e

                  SHA256

                  bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

                  SHA512

                  3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
                  Filesize

                  2.6MB

                  MD5

                  d82339808f9f960b734400f81ffd4577

                  SHA1

                  5212149d817068ea3f57a345d370e347c4d8dc77

                  SHA256

                  e67fac4725c0acc8b674b2f07405ebce68e39a06362e18e243c3e35a51c482bf

                  SHA512

                  45941025cbb0ca72cb4100b60d383b30ac35c5cfafb4e2fc2cd51226d454d5146245c878829ec7737b674bbb0690096ed2a1e293e8e60839881d397ef95a11fd

                  Download Submit

                • memory/1400-153-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/1400-196-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/1400-198-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/1400-152-0x0000000000A20000-0x0000000001116000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/1400-193-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/1400-190-0x0000000000A20000-0x0000000001116000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/1400-188-0x0000000000A20000-0x0000000001116000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/1400-155-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/1400-156-0x0000000000A20000-0x0000000001116000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/1400-157-0x0000000000A20000-0x0000000001116000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/1400-158-0x0000000000A20000-0x0000000001116000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/1400-159-0x0000000000A20000-0x0000000001116000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/2236-209-0x00000000087C0000-0x0000000008826000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2236-213-0x0000000009C70000-0x0000000009C8E000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/2236-202-0x0000000007C40000-0x0000000007CD2000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/2236-203-0x0000000007D90000-0x0000000007DA0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2236-218-0x00000000734C0000-0x0000000073C70000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2236-216-0x0000000007D90000-0x0000000007DA0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2236-191-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/2236-215-0x00000000734C0000-0x0000000073C70000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2236-204-0x0000000007C20000-0x0000000007C2A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/2236-206-0x0000000007E90000-0x0000000007EA2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2236-212-0x000000000A430000-0x000000000A95C000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/2236-211-0x0000000009D30000-0x0000000009EF2000-memory.dmp

                  Filesize

                  1.8MB

                  Download

                • memory/2236-200-0x00000000734C0000-0x0000000073C70000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2236-201-0x0000000008150000-0x00000000086F4000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/2236-210-0x0000000009AE0000-0x0000000009B56000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/2236-208-0x0000000007F20000-0x0000000007F5C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/2236-207-0x0000000007FF0000-0x00000000080FA000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/2236-205-0x0000000008D20000-0x0000000009338000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/2592-151-0x00000000006C0000-0x0000000000DB6000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/2592-138-0x00000000006C0000-0x0000000000DB6000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/2592-139-0x00000000006C0000-0x0000000000DB6000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/2592-137-0x0000000077C24000-0x0000000077C26000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2592-140-0x00000000006C0000-0x0000000000DB6000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/2592-141-0x00000000006C0000-0x0000000000DB6000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/2592-133-0x00000000006C0000-0x0000000000DB6000-memory.dmp

                  Filesize

                  7.0MB

                  Download

                • memory/2592-135-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/2592-154-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/2592-134-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/2592-136-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

                  Filesize

                  960KB

                  Download

                • memory/3060-199-0x0000000000E00000-0x0000000000EE4000-memory.dmp

                  Filesize

                  912KB

                  Download

                • memory/4160-223-0x0000000000A20000-0x0000000001116000-memory.dmp

                  Filesize

                  7.0MB

                  Download