General

  • Target

    http://zero.testtrack.xyz/

  • Sample

    210208-8p35lpcy1j

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

51.68.224.245:4646

188.165.17.91:8443

173.255.246.77:691

rc4.plain
rc4.plain

Targets

    • Target

      http://zero.testtrack.xyz/

    • Dridex

      Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Dridex Loader

      Detects Dridex both x86 and x64 loader in memory.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Program crash

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks