Documentation.478396766.doc

Target

Size

116KB

Sample

201119-3z863g7932

Score

10 ^/10

MD5

e12004b1f374e47e4e63797096854321

SHA1

b3c2d856499174992dc5c13738991875bc9cc08c

SHA256

8921b2421d4fde9e229bdda0da89a5bd10023a9f9d2529f2fb2da9c5e1a060c6

SHA512

4e40379df93194528cb7de413861b0b1416b5d2adc6232b2cf101e18fba06843e481101f3ef651590e06a140348ace0a321b1a0639f389b5a93298d55c21c3c2

Extracted

Language	ps1
Deobfuscated
URLs	http://veva.vn/zntk070.png http://hardmed-eg.com/o76nxa.png http://islamabout.com/ga140h7l.zip http://ferretec.com/c2eivsswg.rar http://rasadbar.ir/t6yswb.pdf http://seniorcarecompass.inifaresworkshops.com/vr6ebzold.png exe.dropper http://veva.vn/zntk070.png exe.dropper http://hardmed-eg.com/o76nxa.png exe.dropper http://islamabout.com/ga140h7l.zip exe.dropper http://ferretec.com/c2eivsswg.rar exe.dropper http://rasadbar.ir/t6yswb.pdf exe.dropper http://seniorcarecompass.inifaresworkshops.com/vr6ebzold.png

Extracted

Family	dridex
Botnet	10555
C2	162.241.44.26:9443 192.232.229.53:4443 77.220.64.34:443 193.90.12.121:3098 162.241.44.26:9443 192.232.229.53:4443 77.220.64.34:443 193.90.12.121:3098
rc4.plain
rc4.plain

Target

Documentation.478396766.doc

MD5

e12004b1f374e47e4e63797096854321

Filesize

116KB

Score

10 ^/10

SHA1

b3c2d856499174992dc5c13738991875bc9cc08c

SHA256

8921b2421d4fde9e229bdda0da89a5bd10023a9f9d2529f2fb2da9c5e1a060c6

SHA512

4e40379df93194528cb7de413861b0b1416b5d2adc6232b2cf101e18fba06843e481101f3ef651590e06a140348ace0a321b1a0639f389b5a93298d55c21c3c2

Signatures

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Process spawned unexpected child process

Description

This typically indicates the parent process was compromised via an exploit or macro.
Dridex Loader

Description

Detects Dridex both x86 and x64 loader in memory.

Tags

botnet loader
Blocklisted process makes network request
Loads dropped DLL
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Drops file in System32 directory

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

macro

8^/10

behavioral1

dridex 10555 botnet discovery evasion loader trojan

10^/10

behavioral2

dridex 10555 botnet discovery evasion loader trojan

10^/10

Extracted

Extracted

Tags

Signatures

Dridex

Description

Tags

Process spawned unexpected child process

Description

Dridex Loader

Description

Tags

Blocklisted process makes network request

Loads dropped DLL

Checks installed software on the system

Description

Tags

TTPs

Checks whether UAC is enabled

Tags

TTPs

Drops file in System32 directory

Related Tasks

static1

behavioral1

behavioral2