General

  • Target

    fn58ds.pdf

  • Size

    725KB

  • Sample

    220626-f8zkqaagc3

  • MD5

    aa7ad8fdea021577637b6e0520046686

  • SHA1

    f847d66c48d910ec01127d5e188ceaf4919d418f

  • SHA256

    7a77b516c563c8bbe904af3b90cfb89148b879b807aa34d93be3b1a2eb93a016

  • SHA512

    cd0744f471cbf9fa880ed16dc6d56a55a683f8d85fd5988f6532280c054200a8d83304a4e43d9801325925b81d4532d1cd25a5ec8c476159dc1c53049b9d5e9f

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

146.164.126.197:443

69.16.193.166:9443

193.90.12.122:3098

157.245.103.132:14043

rc4.plain
rc4.plain

Targets

    • Target

      fn58ds.pdf

    • Size

      725KB

    • MD5

      aa7ad8fdea021577637b6e0520046686

    • SHA1

      f847d66c48d910ec01127d5e188ceaf4919d418f

    • SHA256

      7a77b516c563c8bbe904af3b90cfb89148b879b807aa34d93be3b1a2eb93a016

    • SHA512

      cd0744f471cbf9fa880ed16dc6d56a55a683f8d85fd5988f6532280c054200a8d83304a4e43d9801325925b81d4532d1cd25a5ec8c476159dc1c53049b9d5e9f

    • Dridex

      Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Dridex Loader 'dmod' strings

      Detects 'dmod' strings in Dridex loader.

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v6

Tasks