General

  • Target

    Invoice_#_76493.xls

  • Size

    708KB

  • Sample

    210114-svawdcdyys

  • MD5

    a620468e6531acdd66d489d74320a54d

  • SHA1

    7055184739c438f2fdc770faced61b5a533a3aac

  • SHA256

    9ee8a6a201f5c956b8b37d692242a628d2d08d315629a35decc56c35439150a5

  • SHA512

    b1b9ef3c83167614f443c5b148fe02e0a8264eb2cd70e0249e657719114a1ab7447f105c81eab7ba65c4745872870564831de09a5b6497ad8044123ea5235572

Malware Config

Extracted

Family

dridex

Botnet

111

C2

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain
rc4.plain

Targets

    • Target

      Invoice_#_76493.xls

    • Size

      708KB

    • MD5

      a620468e6531acdd66d489d74320a54d

    • SHA1

      7055184739c438f2fdc770faced61b5a533a3aac

    • SHA256

      9ee8a6a201f5c956b8b37d692242a628d2d08d315629a35decc56c35439150a5

    • SHA512

      b1b9ef3c83167614f443c5b148fe02e0a8264eb2cd70e0249e657719114a1ab7447f105c81eab7ba65c4745872870564831de09a5b6497ad8044123ea5235572

    • Dridex

      Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Dridex Loader

      Detects Dridex both x86 and x64 loader in memory.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • JavaScript code in executable

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks