Overview

overview

10

Static

static

8

Contract 30964.xls

windows7_x64

10

Contract 30964.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Contract 30964.xls

  • Size

    727KB

  • Sample

    210114-8jl43x3vrx

  • MD5

    c84236e6997a25861e15d5d44a7d207e

  • SHA1

    f4b0cad4dfa47c8ce6feaaeea3ee3ef79708ffe5

  • SHA256

    4b365dadb8a5d68b5ff999a1b5991aa0cad00852e0ed7517c4748ecc5f402558

  • SHA512

    ca35ae9393899391a9593d2f0c94d04314c267c4385fd96b06776c066cfa3bc42db6c348a622349cbc4315352fb63213c105c47a9c198f417b898bddf8105058

Score
10/10
dridex111botnetloadermacromacro_on_actionransomware

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353
rc4.plain
rc4.plain

Targets

    • Target

      Contract 30964.xls

    • Size

      727KB

    • MD5

      c84236e6997a25861e15d5d44a7d207e

    • SHA1

      f4b0cad4dfa47c8ce6feaaeea3ee3ef79708ffe5

    • SHA256

      4b365dadb8a5d68b5ff999a1b5991aa0cad00852e0ed7517c4748ecc5f402558

    • SHA512

      ca35ae9393899391a9593d2f0c94d04314c267c4385fd96b06776c066cfa3bc42db6c348a622349cbc4315352fb63213c105c47a9c198f417b898bddf8105058

    Score
    10/10
    dridex111botnetloaderransomware

    • Dridex

      Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

      botnetdridex

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Dridex Loader

      Detects Dridex both x86 and x64 loader in memory.

      botnetloader

    • Blocklisted process makes network request

    • Loads dropped DLL

    • JavaScript code in executable

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks