General

  • Target

    Sales_Invoice_186311_725945_from_Inc.xls

  • Size

    51KB

  • Sample

    201111-h4v2l73s2e

  • MD5

    e696a3e6497ced315b344d6ab1aa6c5f

  • SHA1

    66c6efb7cc4b48bd6e4a14d9edae16bb7e21ffd0

  • SHA256

    7bb7de3215d3e8a98b95fee746692f710b91da494b80bc7fe73636875dc610b7

  • SHA512

    3879731cb03d4b5d7bc441ca30495cd781cec86205a8fdf6091695598f23974be1c71bbd1e34b17a2989412f5725ef5e7d504ff7c6452014d9e5d3def2dfab61

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

77.220.64.39:443

69.164.207.140:3388

78.47.139.43:4443

103.244.206.74:33443

rc4.plain
rc4.plain

Targets

    • Target

      Sales_Invoice_186311_725945_from_Inc.xls

    • Size

      51KB

    • MD5

      e696a3e6497ced315b344d6ab1aa6c5f

    • SHA1

      66c6efb7cc4b48bd6e4a14d9edae16bb7e21ffd0

    • SHA256

      7bb7de3215d3e8a98b95fee746692f710b91da494b80bc7fe73636875dc610b7

    • SHA512

      3879731cb03d4b5d7bc441ca30495cd781cec86205a8fdf6091695598f23974be1c71bbd1e34b17a2989412f5725ef5e7d504ff7c6452014d9e5d3def2dfab61

    • Dridex

      Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Dridex Loader

      Detects Dridex both x86 and x64 loader in memory.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks