dridex

General

Target

http://zeroexit.xyz/9HJDckdsvfsdefvs34
Sample

210128-6mreeg38ea

Score

10^/10

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

157.7.166.26:5353

162.144.127.197:3786

46.22.57.17:5037

rc4.plain

Targets

- Target
  
  http://zeroexit.xyz/9HJDckdsvfsdefvs34
Score

10^/10

dridex 10111 botnet cryptone discovery evasion loader packer ransomware trojan
- Dridex
  Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
  botnet dridex
- Suspicious use of NtCreateProcessExOtherParentProcess
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Dridex Loader
  Detects Dridex both x86 and x64 loader in memory.
  botnet loader
- Blocklisted process makes network request
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Program crash
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateProcessExOtherParentProcess

CryptOne packer

Dridex Loader

Blocklisted process makes network request

Executes dropped EXE

Checks installed software on the system

Checks whether UAC is enabled

Program crash

Enumerates physical storage devices

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

urlscan1

behavioral1