General

  • Target

    SecuriteInfo.com.VB.Heur.EmoDldr.32.DB37E181.Gen.3346.8842

  • Size

    724KB

  • Sample

    210120-fb3np2mtyj

  • MD5

    4bc306fa5912af1812d9232b6f1c540e

  • SHA1

    c12b752ff9b700aac82b11242c53db061b1f0303

  • SHA256

    6dd691de8fde45048114ef90b481ca7160fe39ab182e727b073f3fda3e2f3259

  • SHA512

    41bb7e6947797822ceb181d4ac9b5a2c6e043e387a54844ff9c9e8c40533dc03218abb3c6fa36e635124e4c86f657699a0ff7278ee72d9d917b36f1d1640e076

Malware Config

Extracted

Family

dridex

Botnet

111

C2

77.220.64.40:443

8.4.9.152:3786

185.246.87.202:3098

rc4.plain

Targets

    • Dridex

      Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Dridex Loader

      Detects the Dridex loader, both x86 and x64, in memory.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • JavaScript code in executable

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082
