Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230824-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2023 08:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe

  • Size

    619KB

  • MD5

    06add227c345dd1c1431948aa14daa60

  • SHA1

    997d37b60d2760f9c7a39f69bdc682ced0f61453

  • SHA256

    673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5

  • SHA512

    0070004fb3cceacb670bf9ee38159c52782e367357ddd360ee4685de1829a92083ea7d62a131778dd9c68b4f3f455b28b2ec63e5e3bb8a5b7979c45a7c1f67dd

  • SSDEEP

    12288:/F+sUVFY9mukbdejkPjIQ65D5zgXQCR4MZ/R3rAKyX:/FsVi9mxbkjkPjIQLX9TVKKg

Score
10/10
amadeyfabookiesmokeloaderup3backdoorspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.83

C2

5.42.65.80/8bmeVwqx/index.php

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Fabookie payload 2 IoCs
  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe
    "C:\Users\Admin\AppData\Local\Temp\673192e23603b5a23173abeb594103e7babf154eb3af5288ccfb0fa6db6eacf5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Local\Temp\ss41.exe
      "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
      2⤵
      • Executes dropped EXE
      PID:2892
    • C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
      "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4264
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4164
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1348
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:1148
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              5⤵
                PID:4280
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                5⤵
                  PID:1472
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\207aa4515d" /P "Admin:N"
                  5⤵
                    PID:5096
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    5⤵
                      PID:2000
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\207aa4515d" /P "Admin:R" /E
                      5⤵
                        PID:100
                    • C:\Users\Admin\AppData\Local\Temp\1000423001\toolspub2.exe
                      "C:\Users\Admin\AppData\Local\Temp\1000423001\toolspub2.exe"
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:2884
                      • C:\Users\Admin\AppData\Local\Temp\1000423001\toolspub2.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000423001\toolspub2.exe"
                        5⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        PID:4100
              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:3296
              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:1480
              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:3416

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\1000423001\toolspub2.exe
                Filesize

                261KB

                MD5

                759c7436e814bf2725ff42e2bc284f3c

                SHA1

                1c5d90940e6d4983876666b03e469ceb1aa32bb0

                SHA256

                0a43bc29b96992aaec01af4c1a83318e1db149f8d8f216425c371b3a1400bf8e

                SHA512

                22df8fd0ca5495a7e3e2d6aae9d779407243b9afea0236230464818ceac20a2d8b468f2460a0f937e06961e313ddd45acc931756e52d069efc59e03171baf28e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\1000423001\toolspub2.exe
                Filesize

                261KB

                MD5

                759c7436e814bf2725ff42e2bc284f3c

                SHA1

                1c5d90940e6d4983876666b03e469ceb1aa32bb0

                SHA256

                0a43bc29b96992aaec01af4c1a83318e1db149f8d8f216425c371b3a1400bf8e

                SHA512

                22df8fd0ca5495a7e3e2d6aae9d779407243b9afea0236230464818ceac20a2d8b468f2460a0f937e06961e313ddd45acc931756e52d069efc59e03171baf28e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\1000423001\toolspub2.exe
                Filesize

                261KB

                MD5

                759c7436e814bf2725ff42e2bc284f3c

                SHA1

                1c5d90940e6d4983876666b03e469ceb1aa32bb0

                SHA256

                0a43bc29b96992aaec01af4c1a83318e1db149f8d8f216425c371b3a1400bf8e

                SHA512

                22df8fd0ca5495a7e3e2d6aae9d779407243b9afea0236230464818ceac20a2d8b468f2460a0f937e06961e313ddd45acc931756e52d069efc59e03171baf28e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\1000423001\toolspub2.exe
                Filesize

                261KB

                MD5

                759c7436e814bf2725ff42e2bc284f3c

                SHA1

                1c5d90940e6d4983876666b03e469ceb1aa32bb0

                SHA256

                0a43bc29b96992aaec01af4c1a83318e1db149f8d8f216425c371b3a1400bf8e

                SHA512

                22df8fd0ca5495a7e3e2d6aae9d779407243b9afea0236230464818ceac20a2d8b468f2460a0f937e06961e313ddd45acc931756e52d069efc59e03171baf28e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
                Filesize

                198KB

                MD5

                a64a886a695ed5fb9273e73241fec2f7

                SHA1

                363244ca05027c5beb938562df5b525a2428b405

                SHA256

                563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

                SHA512

                122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ss41.exe
                Filesize

                416KB

                MD5

                7433b89533975644206ecef89d1f69c2

                SHA1

                1d39291d98d9ed5280e774ac83400350bdd04dd0

                SHA256

                24bb49806a6bbbbad6be8c3714104d2faf72cf6c68eb8e156b15b00eb91c8a94

                SHA512

                70a69d9f03478327ecf33f323f86de269779362f840698c2c7bac3e21645432c87a0024d787c15a2c0ee5ac06d692955f1b73d94563d89f4f8f58afe57ce28b1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ss41.exe
                Filesize

                416KB

                MD5

                7433b89533975644206ecef89d1f69c2

                SHA1

                1d39291d98d9ed5280e774ac83400350bdd04dd0

                SHA256

                24bb49806a6bbbbad6be8c3714104d2faf72cf6c68eb8e156b15b00eb91c8a94

                SHA512

                70a69d9f03478327ecf33f323f86de269779362f840698c2c7bac3e21645432c87a0024d787c15a2c0ee5ac06d692955f1b73d94563d89f4f8f58afe57ce28b1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ss41.exe
                Filesize

                416KB

                MD5

                7433b89533975644206ecef89d1f69c2

                SHA1

                1d39291d98d9ed5280e774ac83400350bdd04dd0

                SHA256

                24bb49806a6bbbbad6be8c3714104d2faf72cf6c68eb8e156b15b00eb91c8a94

                SHA512

                70a69d9f03478327ecf33f323f86de269779362f840698c2c7bac3e21645432c87a0024d787c15a2c0ee5ac06d692955f1b73d94563d89f4f8f58afe57ce28b1

                Download Submit

              • memory/2884-58-0x0000000001F90000-0x0000000001F99000-memory.dmp

                Filesize

                36KB

                Download

              • memory/2884-56-0x0000000002120000-0x0000000002220000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2892-36-0x0000000003000000-0x0000000003131000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2892-60-0x0000000003000000-0x0000000003131000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2892-16-0x00007FF6F5DB0000-0x00007FF6F5E1A000-memory.dmp

                Filesize

                424KB

                Download

              • memory/2892-35-0x0000000002E80000-0x0000000002FF1000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3148-62-0x0000000002B50000-0x0000000002B66000-memory.dmp

                Filesize

                88KB

                Download

              • memory/4100-57-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/4100-61-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/4100-63-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download