eGift-CardAmazon.907427310.doc

Target

Size

112KB

Sample

201126-epjy89wscs

Score

10 ^/10

MD5

b40361fe26889021f4f934c9b68aaa0a

SHA1

8e0a6fe27090e76ecac36cc7be25de7a551c029a

SHA256

d4704ca87e4e6072526a67adbf5e5a752172e947a4e6354d962455b4dce37994

SHA512

504e66710a8df7391d54a6e5e8e6d27b7598e13396456170a8ab9e4038220b6bf9359bdcf2c48a5afd54ff7a677ff273c73894e37ff7c845e892fa10ec0d2a0a

Extracted

Language	ps1
Deobfuscated
URLs	https://burstner.clabris.se/ucjk7st.zip http://bespokeweddings.ie/k1c8dh4.rar https://conjurosdeamoryhechiceriaacacio.com/tjbdhdvi1.zip https://keitauniv.keita.ae/wchfvdsd7.rar https://cms.keita.ae/h0mqrz.rar https://airbornegroup.net/y461xrm.zip https://phones.pmrspain.com/xzeoxn8.rar http://oya.qa/lfonl5.rar exe.dropper https://burstner.clabris.se/ucjk7st.zip exe.dropper http://bespokeweddings.ie/k1c8dh4.rar exe.dropper https://conjurosdeamoryhechiceriaacacio.com/tjbdhdvi1.zip exe.dropper https://keitauniv.keita.ae/wchfvdsd7.rar exe.dropper https://cms.keita.ae/h0mqrz.rar exe.dropper https://airbornegroup.net/y461xrm.zip exe.dropper https://phones.pmrspain.com/xzeoxn8.rar exe.dropper http://oya.qa/lfonl5.rar

Extracted

Family	dridex
Botnet	10555
C2	194.225.58.216:443 178.254.40.132:691 216.172.165.70:3889 198.57.200.100:3786 194.225.58.216:443 178.254.40.132:691 216.172.165.70:3889 198.57.200.100:3786
rc4.plain
rc4.plain

Target

eGift-CardAmazon.907427310.doc

MD5

b40361fe26889021f4f934c9b68aaa0a

Filesize

112KB

Score

10 ^/10

SHA1

8e0a6fe27090e76ecac36cc7be25de7a551c029a

SHA256

d4704ca87e4e6072526a67adbf5e5a752172e947a4e6354d962455b4dce37994

SHA512

504e66710a8df7391d54a6e5e8e6d27b7598e13396456170a8ab9e4038220b6bf9359bdcf2c48a5afd54ff7a677ff273c73894e37ff7c845e892fa10ec0d2a0a

Signatures

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Process spawned unexpected child process

Description

This typically indicates the parent process was compromised via an exploit or macro.
Dridex Loader

Description

Detects Dridex both x86 and x64 loader in memory.

Tags

botnet loader
Blocklisted process makes network request
Loads dropped DLL
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery
Drops file in System32 directory

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

macro

8^/10

behavioral1

dridex 10555 botnet discovery evasion loader trojan

10^/10

behavioral2

dridex 10555 botnet discovery evasion loader trojan

10^/10

Extracted

Extracted

Tags

Signatures

Dridex

Description

Tags

Process spawned unexpected child process

Description

Dridex Loader

Description

Tags

Blocklisted process makes network request

Loads dropped DLL

Checks installed software on the system

Description

Tags

TTPs

Checks whether UAC is enabled

Tags

TTPs

Drops file in System32 directory

Related Tasks

static1

behavioral1

behavioral2