Overview

overview

10

Static

static

7

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    11a64f03a39302cb535e3ea166a21aa1dfa9719ebe2bdc4d61cbdc8303e479e0

  • Size

    2.1MB

  • Sample

    231208-xhpq9sdee5

  • MD5

    961e28736e5d6df32b2cade394431891

  • SHA1

    a755d8c1fd60f724e1d206b79bf08759d6e2b4c4

  • SHA256

    11a64f03a39302cb535e3ea166a21aa1dfa9719ebe2bdc4d61cbdc8303e479e0

  • SHA512

    d9ea12405f9d739f06d8e67a6ed5392709a79e521d504cb05999da600abc179a14b4bd7e96cd20fb4fbc76409577b5cca6f8e20b9f7530bfa00a34c8db469b1e

  • SSDEEP

    49152:8G6SPD8IdvUJfbqUt3iE/rE05Ssf9uLO+CoyftCxpNR:P6S7ZabqY/rZf9uLO+ritCxZ

Score
10/10
amadeysectopratdiscoveryevasionpersistenceratspywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

C2

http://185.172.128.5

Attributes
  • strings_key

    11bb398ff31ee80d2c37571aecd1d36d

  • url_paths

    /v8sjh3hs8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.5

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    11bb398ff31ee80d2c37571aecd1d36d

  • url_paths

    /v8sjh3hs8/index.php

rc4.plain

Targets

    • Target

      11a64f03a39302cb535e3ea166a21aa1dfa9719ebe2bdc4d61cbdc8303e479e0

    • Size

      2.1MB

    • MD5

      961e28736e5d6df32b2cade394431891

    • SHA1

      a755d8c1fd60f724e1d206b79bf08759d6e2b4c4

    • SHA256

      11a64f03a39302cb535e3ea166a21aa1dfa9719ebe2bdc4d61cbdc8303e479e0

    • SHA512

      d9ea12405f9d739f06d8e67a6ed5392709a79e521d504cb05999da600abc179a14b4bd7e96cd20fb4fbc76409577b5cca6f8e20b9f7530bfa00a34c8db469b1e

    • SSDEEP

      49152:8G6SPD8IdvUJfbqUt3iE/rE05Ssf9uLO+CoyftCxpNR:P6S7ZabqY/rZf9uLO+ritCxZ

    Score
    10/10
    amadeysectopratdiscoveryevasionpersistenceratspywarestealerthemidatrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks