General

  • Target

    a655b21f62e43db8d8165f270f8fb39719e54c19b868e03acd489237c1d2c85a

  • Size

    2.8MB

  • Sample

    231209-kwfdjahbg4

  • MD5

    c0e25b42de43029f09e6cd39965e9a8d

  • SHA1

    f2b4c918b53feaecf6d56d2bfcbce2c61f3378c0

  • SHA256

    a655b21f62e43db8d8165f270f8fb39719e54c19b868e03acd489237c1d2c85a

  • SHA512

    6b66ba5918f698a3f7658c09f5dfb072d3625c733374da0d7d076997c4bbd520fb4854b43a6656819ef67e9ad8a949bf353e438319e309eaf9954e18de5e54b6

  • SSDEEP

    49152:f956kz+GBq2Nenr2C1p9hEmmJoYp21RCRQPktvD/71Tys60Za:fvl+YNcP1jWLJCRf8tr/79t6ca

Malware Config

Extracted

Family

amadey

C2

http://185.172.128.5

Attributes
  • strings_key

    11bb398ff31ee80d2c37571aecd1d36d

  • url_paths

    /v8sjh3hs8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.5

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    11bb398ff31ee80d2c37571aecd1d36d

  • url_paths

    /v8sjh3hs8/index.php

rc4.plain
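The extracted config above is only useful once it is turned into something a defender can act on. The following is an added example (not Triage's or Amadey's own code) that takes the values from this page and derives IOCs from them. It assumes, as the `rc4.plain` field suggests, that the bot's embedded strings are RC4-encrypted with the ASCII bytes of `strings_key`, that the install location is `%TEMP%\<install_dir>\<install_file>` (a common Amadey layout, not stated on this page), and that the check-in URL is `c2 + url_paths`. The proxy log lines are constructed for the demo.

```python
"""Amadey config -> IOCs. Added example; assumptions are marked inline."""
import re

CONFIG = {  # values copied from the extracted config on this page
    "c2": "http://185.172.128.5",
    "url_paths": ["/v8sjh3hs8/index.php"],
    "strings_key": "11bb398ff31ee80d2c37571aecd1d36d",
    "install_dir": "4fdb51ccdc",
    "install_file": "Utsysc.exe",
    "version": "4.13",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(hex_blob: str, key: str = CONFIG["strings_key"]) -> str:
    """Decrypt one hex-encoded string blob.
    Assumption: strings_key is used as its ASCII bytes, not as raw hex."""
    return rc4(key.encode(), bytes.fromhex(hex_blob)).decode("latin-1")


def c2_urls(cfg=CONFIG):
    """Full check-in URLs: C2 base joined with each url_paths entry."""
    return [cfg["c2"].rstrip("/") + p for p in cfg["url_paths"]]


def install_path(cfg=CONFIG):
    """Assumed on-disk location of the installed bot (%TEMP% layout)."""
    return rf"%TEMP%\{cfg['install_dir']}\{cfg['install_file']}"


def match_proxy_log(lines, cfg=CONFIG):
    """Return log lines that hit the C2 URL or the bare C2 host.
    The host match is bounded so 185.172.128.50 does not match 185.172.128.5."""
    host = cfg["c2"].split("://", 1)[-1].rstrip("/")
    host_re = re.compile(r"(?<![\w.])" + re.escape(host) + r"(?![\w.])")
    urls = c2_urls(cfg)
    return [ln for ln in lines if any(u in ln for u in urls) or host_re.search(ln)]


# Constructed proxy log for the demo (not real traffic from the sandbox run).
PROXY_LOG = [
    "2023-12-09T10:15:01Z 10.0.0.7 POST http://185.172.128.5/v8sjh3hs8/index.php 200 412",
    "2023-12-09T10:15:02Z 10.0.0.7 GET http://185.172.128.50/update.bin 200 9001",
    "2023-12-09T10:15:03Z 10.0.0.9 GET https://www.example.com/ 200 1337",
]

if __name__ == "__main__":
    print("C2 URLs:", c2_urls())
    print("Install path:", install_path())
    print("Proxy hits:", match_proxy_log(PROXY_LOG))
    # Round-trip a constructed string through the RC4 routine with the strings_key.
    blob = rc4(CONFIG["strings_key"].encode(), b"index.php").hex()
    print("Decrypted:", decrypt_string(blob))
```

The RC4 routine is verified against the standard "Key"/"Plaintext" test vector; whether the real sample's string table decrypts with exactly this key encoding is the assumption to confirm against the unpacked binary.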

Targets

    • Target

      a655b21f62e43db8d8165f270f8fb39719e54c19b868e03acd489237c1d2c85a

    • Size

      2.8MB

    • MD5

      c0e25b42de43029f09e6cd39965e9a8d

    • SHA1

      f2b4c918b53feaecf6d56d2bfcbce2c61f3378c0

    • SHA256

      a655b21f62e43db8d8165f270f8fb39719e54c19b868e03acd489237c1d2c85a

    • SHA512

      6b66ba5918f698a3f7658c09f5dfb072d3625c733374da0d7d076997c4bbd520fb4854b43a6656819ef67e9ad8a949bf353e438319e309eaf9954e18de5e54b6

    • SSDEEP

      49152:f956kz+GBq2Nenr2C1p9hEmmJoYp21RCRQPktvD/71Tys60Za:fvl+YNcP1jWLJCRf8tr/79t6ca

    • Amadey

      Amadey is a simple trojan bot/loader: it collects basic host reconnaissance data (OS, user, installed software), reports it to its C2 and can fetch and run additional payloads.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS vendor/version strings in the registry are read to detect sandbox or VM environments, since hypervisor vendor names (VirtualBox, VMware, QEMU) commonly appear there.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target the stored data of messaging applications, which can include saved credentials, session tokens and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials, cookies and session tokens.

    • Themida packer

      Detects Themida, a commercial Windows software protection system; the file on disk is a packed stub, so the real Amadey payload is only visible after unpacking or in memory.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
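The signature names above are short labels for concrete API-level behaviours. The following added example (not Triage's signature engine) replays a subset of those signatures over a constructed API-call trace, so the mapping from label to observable call is explicit. The registry paths are the ones such checks commonly use, the `ThreadHideFromDebugger` constant is `THREADINFOCLASS` value 0x11, and the trace format and paths (including the `%TEMP%\4fdb51ccdc\Utsysc.exe` drop location) are assumptions; the page does not list the sample's exact calls.

```python
"""Replay sandbox-style behavioural signatures over an API trace.
Added example; event format, key paths and the trace itself are assumptions."""

VBOX_ACPI_KEYS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
}
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"
BIOS_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate"}
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS ThreadHideFromDebugger

REG_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "NtOpenKey", "NtQueryValueKey"}


def evaluate(events):
    """Return the set of signature names triggered by a list of API events.
    Each event is a dict with an 'api' field plus call-specific fields."""
    hits = set()
    dropped = set()  # paths of files this process wrote that start with 'MZ'
    for e in events:
        api = e.get("api")
        key = e.get("key", "")
        if api in REG_APIS:
            if key.upper() in {k.upper() for k in VBOX_ACPI_KEYS}:
                hits.add("Identifies VirtualBox via ACPI registry values")
            if key.upper() == BIOS_KEY.upper() and e.get("value") in BIOS_VALUES:
                hits.add("Checks BIOS information in registry")
            if key.upper() == UAC_KEY.upper() and e.get("value") == UAC_VALUE:
                hits.add("Checks whether UAC is enabled")
        elif api == "NtSetInformationThread":
            if e.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
                hits.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif api == "WriteFile":
            if e.get("head", "").startswith("MZ"):
                dropped.add(e.get("path", "").lower())
        elif api == "CreateProcessW":
            if e.get("image", "").lower() in dropped:
                hits.add("Executes dropped EXE")
        elif api == "LoadLibraryW":
            if e.get("path", "").lower() in dropped:
                hits.add("Loads dropped DLL")
    return hits


# Constructed trace that exercises the checks above (not the sandbox's real log).
SAMPLE_TRACE = [
    {"api": "RegOpenKeyExW", "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"api": "RegQueryValueExW", "key": BIOS_KEY, "value": "SystemBiosVersion"},
    {"api": "RegQueryValueExW", "key": UAC_KEY, "value": "EnableLUA"},
    {"api": "NtSetInformationThread", "info_class": 0x11},
    {"api": "WriteFile", "path": r"C:\Users\user\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe", "head": "MZ"},
    {"api": "CreateProcessW", "image": r"C:\Users\user\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"},
]

BENIGN_TRACE = [
    {"api": "RegQueryValueExW", "key": r"HKCU\Software\Example", "value": "Setting"},
    {"api": "WriteFile", "path": r"C:\Users\user\notes.txt", "head": "Hi"},
]

if __name__ == "__main__":
    for name in sorted(evaluate(SAMPLE_TRACE)):
        print("HIT:", name)
```

The point of the `dropped` set is that "Executes dropped EXE" is a two-event signature: a write of a PE header followed by a process launch of that same path, which is why a single-event rule on `CreateProcessW` under `%TEMP%` is noisier than this pairing.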

MITRE ATT&CK Enterprise v15

Tasks