dridex | 7bebb1f39af44412c5a7d8263d4fdae5ec1f234ad2f96e6f07add6daa3ce9b0a | Triage

Submit
Reports

Overview

overview

Static

static

8

Copy_#_824.xls

windows7_x64

Copy_#_824.xls

windows10_x64

Sharing

General

Target

Copy_#_824.xls
Size

707KB
Sample

210114-ffet2qky3a
MD5

36e8e3ce267eed9890d07b45b339a71b
SHA1

47e662c6d5041836ba207ad2e6ed22a99ca1a4da
SHA256

7bebb1f39af44412c5a7d8263d4fdae5ec1f234ad2f96e6f07add6daa3ce9b0a
SHA512

af22f3d08e86f3b97f0169f3ceeed46dd0cfb027d761c9b9b6589e2b8b2990a63d1ac3a40d1dcb0b0d4b2f7a2df16e898e66d158b00e567d37699f572fc6d9f3

Score

10^/10

dridex 111 botnet loader macro macro_on_action ransomware

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

Copy_#_824.xls

Resource

win7v20201028

dridex 111 botnet loader ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Copy_#_824.xls

Resource

win10v20201028

dridex 111 botnet loader ransomware

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

rc4.plain

Targets

- Target
  
  Copy_#_824.xls
- Size
  
  707KB
- MD5
  
  36e8e3ce267eed9890d07b45b339a71b
- SHA1
  
  47e662c6d5041836ba207ad2e6ed22a99ca1a4da
- SHA256
  
  7bebb1f39af44412c5a7d8263d4fdae5ec1f234ad2f96e6f07add6daa3ce9b0a
- SHA512
  
  af22f3d08e86f3b97f0169f3ceeed46dd0cfb027d761c9b9b6589e2b8b2990a63d1ac3a40d1dcb0b0d4b2f7a2df16e898e66d158b00e567d37699f572fc6d9f3
Score

10^/10

dridex 111 botnet loader ransomware
- Dridex
  Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
  botnet dridex
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Dridex Loader
  Detects Dridex both x86 and x64 loader in memory.
  botnet loader
- Blocklisted process makes network request
- Loads dropped DLL
- JavaScript code in executable
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

dridex111botnetloaderransomware

behavioral2

dridex111botnetloaderransomware

© 2018-2024

Terms | Privacy