General

  • Target

    Order.802796810.doc

  • Size

    87KB

  • Sample

    210114-dstj2gsacj

  • MD5

    b1c2a32cb28d07acc8b2d65ab2012db8

  • SHA1

    3ac3123decd86944a576227554edbcbb3d62aa58

  • SHA256

    6951461b231a0f4f2ee086768d3e5e79b30dd68efd55da80997d73c160e6ddce

  • SHA512

    e459e361501efa4f1c22748a0715c0e78af58690e207e08e40bbe739e002b3b9e10207987345e907559069f0866aca03e4080fe69eb0fa722ef03179dd292430

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://mail.kyojinconduits.com/jhgun753.zip

exe.dropper

http://accuratebc.gr/e0lw3t.zip

exe.dropper

http://tumkuv.org.tr/zd8dxb2u.zip

exe.dropper

http://theworldofjacob.com/cjsomlo.zip

exe.dropper

http://e-macom.com.br/cl35e0.zip

exe.dropper

http://legion.seriesnow.website/q33rv2.zip

Extracted

Family

dridex

Botnet

10555

C2

221.126.244.72:443

195.231.69.151:3889

157.7.166.26:5353

rc4.plain
rc4.plain

Targets

    • Target

      Order.802796810.doc

    • Size

      87KB

    • MD5

      b1c2a32cb28d07acc8b2d65ab2012db8

    • SHA1

      3ac3123decd86944a576227554edbcbb3d62aa58

    • SHA256

      6951461b231a0f4f2ee086768d3e5e79b30dd68efd55da80997d73c160e6ddce

    • SHA512

      e459e361501efa4f1c22748a0715c0e78af58690e207e08e40bbe739e002b3b9e10207987345e907559069f0866aca03e4080fe69eb0fa722ef03179dd292430

    • Dridex

      Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Dridex Loader

      Detects Dridex both x86 and x64 loader in memory.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks