General

  • Target

    9bf79c4eea7098f7ccec3230946bf05befd47718194df94d18b99444afbc7075

  • Size

    490KB

  • Sample

    231210-1jvkpaech2

  • MD5

    4aea166ab1af034fe64b95c4d89d062a

  • SHA1

    3844aff425a172236e082f9721c55d4a456b1a3b

  • SHA256

    9bf79c4eea7098f7ccec3230946bf05befd47718194df94d18b99444afbc7075

  • SHA512

    d0bc243ed07edc5cbdd0538b211fa7ec7b3e936c0d6cfa4b6f4433bf13afc2ae56ba48467174cfa686cf9991c18ff19cef85eddda49236403e6fe104c808a29b

  • SSDEEP

    6144:Kh4FvAGaZJbvtGEjbOLlc+DWEx3EI/8BjV40KCyqnTpge+T4sP:Kh40ZJbvtGEjbuc+DH3E0RCyaNglT

Malware Config

Extracted

Language

ps1

Source

exe.dropper

URLs

http://89.23.98.143:30020/receive

Extracted

Family

amadey

C2

http://5.42.66.32

Attributes
  • strings_key

    770b33c35f4c9fa1490bc855b11e57bc

  • url_paths

    /g8samsA2/index.php

rc4.plain

Extracted

Family

amadey

Version

4.13

C2

http://5.42.66.32

Attributes
  • install_dir

    3df7a97f01

  • install_file

    Utsysc.exe

  • strings_key

    770b33c35f4c9fa1490bc855b11e57bc

  • url_paths

    /g8samsA2/index.php

rc4.plain

Extracted

Family

raccoon

Botnet

bb40861824ba44befee652a03d45206f

C2

http://5.42.64.45:80

Attributes
  • user_agent

    MrBidenNeverKnow

xor.plain
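The two Amadey configs above carry a strings_key and are labelled rc4.plain, and the Raccoon config is labelled xor.plain. The following is an added example, not code from the report or from Triage, showing how an analyst would turn those labels into a string decryptor. It assumes rc4.plain means plain RC4 with the reported strings_key, and since the report does not say whether the key is used as its ASCII bytes or hex-decoded, it tries both and keeps whichever decodes to printable text. The page reports no XOR key for Raccoon, so the XOR helper is exercised only on a constructed key and sample. SAMPLE_BLOB is constructed here by encrypting the url_paths value from the report; it is not a string taken from the binary.

```python
# Added example (not from the report): RC4/XOR string decryption driven by the
# config values above. Key interpretation (ASCII vs hex-decoded) is an assumption.
import string

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; the report gives no Raccoon key, so callers supply one."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))

STRINGS_KEY = "770b33c35f4c9fa1490bc855b11e57bc"   # strings_key from the Amadey config

def key_candidates(key_str: str):
    """Both plausible readings of a 32-char hex-looking key: raw ASCII and hex-decoded."""
    cands = [("ascii", key_str.encode("ascii"))]
    try:
        cands.append(("hex", bytes.fromhex(key_str)))
    except ValueError:
        pass
    return cands

_PRINTABLE = set(string.printable.encode("ascii"))

def is_printable(b: bytes) -> bool:
    return len(b) > 0 and all(c in _PRINTABLE for c in b)

def decrypt_rc4_string(blob: bytes, key_str: str = STRINGS_KEY) -> dict:
    """Decrypt under every key interpretation; keep only results that are printable text."""
    results = {}
    for name, key in key_candidates(key_str):
        pt = rc4(key, blob)
        if is_printable(pt):
            results[name] = pt.decode("ascii")
    return results

# Constructed sample: the url_paths value from the report, encrypted under the ASCII key.
SAMPLE_BLOB = rc4(STRINGS_KEY.encode("ascii"), b"/g8samsA2/index.php")

if __name__ == "__main__":
    print(decrypt_rc4_string(SAMPLE_BLOB))
    # Constructed XOR round trip with an assumed one-byte key (not from the report).
    ct = xor_repeating(b"\x5a", b"http://5.42.64.45:80")
    print(xor_repeating(b"\x5a", ct))
```

Feeding real blobs from the binary's string table to decrypt_rc4_string and seeing which key interpretation yields the C2 host and url_paths above is how you confirm which reading the sample actually uses; the wrong interpretation produces non-printable output and is dropped.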

Targets

    • Target

      9bf79c4eea7098f7ccec3230946bf05befd47718194df94d18b99444afbc7075

    • Size

      490KB

    • MD5

      4aea166ab1af034fe64b95c4d89d062a

    • SHA1

      3844aff425a172236e082f9721c55d4a456b1a3b

    • SHA256

      9bf79c4eea7098f7ccec3230946bf05befd47718194df94d18b99444afbc7075

    • SHA512

      d0bc243ed07edc5cbdd0538b211fa7ec7b3e936c0d6cfa4b6f4433bf13afc2ae56ba48467174cfa686cf9991c18ff19cef85eddda49236403e6fe104c808a29b

    • SSDEEP

      6144:Kh4FvAGaZJbvtGEjbOLlc+DWEx3EI/8BjV40KCyqnTpge+T4sP:Kh40ZJbvtGEjbuc+DH3E0RCyaNglT

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V2 payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other account information.

    • Suspicious use of SetThreadContext
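The "Downloads MZ/PE file" signature above fires on the content of the response body, not on the URL: the dropper URL reported earlier (http://89.23.98.143:30020/receive) carries no .exe suffix, so a proxy or EDR check keyed on file extension would miss it. The following is an added example, not code from the report, of sniffing the DOS and PE headers directly. build_min_pe() produces a constructed, header-only PE for the demonstration; SAMPLE_PS1 is a constructed text body standing in for the ps1 stage.

```python
# Added example (not from the report): content-based MZ/PE detection for a
# downloaded body. Sample inputs are constructed here, not taken from the sample.
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000

def inspect_pe(blob: bytes):
    """Return {'machine', 'dll'} if blob starts with a valid MZ/PE header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    # Need the 4-byte "PE\0\0" signature plus the 20-byte COFF header to be in range.
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = int.from_bytes(blob[e_lfanew + 4:e_lfanew + 6], "little")
    characteristics = int.from_bytes(blob[e_lfanew + 22:e_lfanew + 24], "little")
    return {"machine": MACHINES.get(machine, hex(machine)),
            "dll": bool(characteristics & IMAGE_FILE_DLL)}

def build_min_pe(machine: int = 0x8664, dll: bool = False) -> bytes:
    """Constructed header-only PE: DOS header with e_lfanew=0x40, then signature + COFF."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    coff = bytearray(20)
    coff[0:2] = machine.to_bytes(2, "little")
    coff[18:20] = (IMAGE_FILE_DLL if dll else 0).to_bytes(2, "little")
    return bytes(dos) + b"PE\0\0" + bytes(coff)

def classify_download(url: str, body: bytes) -> str:
    """One-line verdict for a (url, body) pair, independent of the URL's extension."""
    info = inspect_pe(body)
    if info is None:
        return f"{url}: not a PE"
    kind = "DLL" if info["dll"] else "EXE"
    return f"{url}: PE {kind} ({info['machine']})"

DROPPER_URL = "http://89.23.98.143:30020/receive"        # exe.dropper URL from the report
SAMPLE_PS1 = b"$c = New-Object Net.WebClient; $c.DownloadFile($u, $p)"  # constructed text body

if __name__ == "__main__":
    print(classify_download(DROPPER_URL, build_min_pe()))
    print(classify_download(DROPPER_URL, SAMPLE_PS1))
    print(classify_download(DROPPER_URL, b"MZ" + bytes(0x3E)))   # MZ with bogus e_lfanew
```

The bogus-e_lfanew and truncated-header cases matter in practice: a naive check for the two bytes "MZ" alone will flag DOS stubs, plain-text files that happen to start with those letters, and partial downloads, while a check that follows e_lfanew without a bounds test will throw on a short body.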

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                  Technique                      Count  ID
Execution               Scheduled Task/Job             1      T1053
Persistence             Scheduled Task/Job             1      T1053
Privilege Escalation    Scheduled Task/Job             1      T1053
Credential Access       Unsecured Credentials          2      T1552
Credential Access       Credentials In Files           2      T1552.001
Discovery               Query Registry                 1      T1012
Discovery               System Information Discovery   2      T1082
Discovery               Process Discovery              1      T1057
Discovery               Remote System Discovery        1      T1018
Collection              Data from Local System         2      T1005

Tasks