Open Hunting - Threat Library

Openhunting Threat Library

DreamBot

(Type: Banking trojan, Info stealer, Credential stealer, Botnet)

(Proofpoint) The Dreambot malware is still in active development and over the last few months we have seen multiple versions of it spreading in the wild. The Tor-enabled version of Dreambot has been active since at least July 2016, when we first observed the malware successfully download the Tor client and connect to the Tor network. Today, many Dreambot samples include this functionality, but few use it as their primary mode of communication with their command and control (C&C) infrastructure. However, in the future this feature may be utilized much more frequently, creating additional problems for defenders.

[News Analysis] Trends:

Total Trend: 8

Trend Per Year

2016

2017

2020

2021

2022

Trend Per Month

Aug 2016

May 2017

Feb 2020

May 2020

Aug 2020

Sep 2020

Jan 2021

Aug 2022

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure

2022-08-08 by Benoît Ancel from Medium CSIS Techblog

The Bagsu banker case

2021-01-28 by Benoît Ancel from Youtube (Virus Bulletin)

The Inter Skimmer Kit

2020-09-02 by Jordan Herman from RiskIQ

Gozi: The Malware with a Thousand Faces

2020-08-28 by Check Point Research from Checkpoint

The end of Dreambot? Obituary for a loved piece of Gozi.

2020-05-01 by Benoît Ancel from CSIS

InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime

2020-02-07 by Benoît Ancel from Medium CSIS Techblog

Gozi Tree

2017-05-29 by Maciej Kotowicz from Lokalhost.pl

Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality

2016-08-29 by Proofpoint Staff from Proofpoint

Basic Information (Credit @etda.or.th)

Tool: DreamBot

Names: DreamBot

Description: (Proofpoint) The Dreambot malware is still in active development and over the last few months we have seen multiple versions of it spreading in the wild. The Tor-enabled version of Dreambot has been active since at least July 2016, when we first observed the malware successfully download the Tor client and connect to the Tor network. Today, many Dreambot samples include this functionality, but few use it as their primary mode of communication with their command and control (C&C) infrastructure. However, in the future this feature may be utilized much more frequently, creating additional problems for defenders.

Category: Malware

Type: Banking trojan, Info stealer, Credential stealer, Botnet

Information: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

Information: https://lokalhost.pl/gozi_tree.txt

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=DreamBot

Last-card-change: 2020-05-24

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)

MD5_HASH

4103f92313df741c926014545472ca43
a908e3261ee99c8fe331293b2fc11d6f

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact