General

  • Target

    Subconract_848.xls

  • Size

    785KB

  • Sample

    210114-p42lc23fla

  • MD5

    541f54e85e64235f5171da05a3898779

  • SHA1

    feb4448f9ae957dbacb175ad9b5bda6f0a66c13d

  • SHA256

    c08a0dd14c4a913989af9b24e5b18e5a8f1b9b4bce8e7906aea0def230cf3780

  • SHA512

    192ba986fe2c3df5119fbae11ca1760f185a6c47e93cc597321290076782ea87df9019350195112321ab6ab39f82421a70ec3cec1bb298035a170e0156e1903d

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain
rc4.plain

Targets

    • Target

      Subconract_848.xls

    • Size

      785KB

    • MD5

      541f54e85e64235f5171da05a3898779

    • SHA1

      feb4448f9ae957dbacb175ad9b5bda6f0a66c13d

    • SHA256

      c08a0dd14c4a913989af9b24e5b18e5a8f1b9b4bce8e7906aea0def230cf3780

    • SHA512

      192ba986fe2c3df5119fbae11ca1760f185a6c47e93cc597321290076782ea87df9019350195112321ab6ab39f82421a70ec3cec1bb298035a170e0156e1903d

    • Dridex

      Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Dridex Loader

      Detects Dridex both x86 and x64 loader in memory.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • JavaScript code in executable

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks