General

  • Target: Invoice.29002611.doc
  • Size: 121KB
  • Sample: 201209-bvl4plmwgs
  • MD5: 25b5fa933bd817640e0667d6c44492ec
  • SHA1: 62dea05abf45ffc52c9310a31bae70b595edf301
  • SHA256: 4a982207a74a1474f377367f8a55354d45231cad96b3ca24c69be6e833fa5b55
  • SHA512: f638ea0d0d3e0e107b596fff05357748f30237e8228158e7e3bdae653c576a9711fa16d9f3613479a49a20b921d2048364f58b08bc74f0377e33b7d02f0792c5

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs: exe.dropper

Extracted

  • Family: dridex
  • Botnet: 10555
  • C2: 169.255.216.36:443, 138.201.138.91:3389, 89.174.36.41:4643, 87.106.89.36:3389
  • rc4.plain

Targets

    • Dridex

      Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Dridex Loader

      Detects both the x86 and x64 Dridex loader in memory.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112): 1
  • Discovery: Query Registry (T1012): 3
  • Discovery: System Information Discovery (T1082): 3

Tasks