General

  • Target

    Information-478224510.doc

  • Size

    127KB

  • Sample

    201119-6tymwzqj9s

  • MD5

    bb0198d56eff259292f821cf9777f4ea

  • SHA1

    67e6018e71d49acecab8018ec3e31388e5afdb09

  • SHA256

    8880aa45619f26fcb4cca6671e7decc6dcf94163344a819a156ed9f5bd414d0b

  • SHA512

    26585f0ae9576b40ff6635b464fa1cc3947e549a45f0648b4b754ef3225bb605ff5dd4926483636c85eed595102a57eacff634bef65e83cbd3dd54e823f1907f

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://wordpress.abbeytek.com/gb9b076.zip
    http://garywhitehead.com/j64cw5.rar
    http://test.taphoare.com/j4r7zap.rar
    http://deepfreedom.org/qz0h69.pdf
    http://forestof.life/gkd9jtb9z.png
    https://rockingrenergy.info/b6exhyx4.zip
    https://aeromiic.com/l8uvw4.pdf
    http://jkra.nl/ce5c6ut.pdf
    https://amazedelectrical.com.au/ff2e84tvk.pdf

Extracted

  • Family

    dridex

  • Botnet

    10555

  • C2

    162.241.44.26:9443
    192.232.229.53:4443
    77.220.64.34:443
    193.90.12.121:3098

  • rc4.plain

  • rc4.plain

Targets

    • Target

      Information-478224510.doc

    • Size

      127KB

    • MD5

      bb0198d56eff259292f821cf9777f4ea

    • SHA1

      67e6018e71d49acecab8018ec3e31388e5afdb09

    • SHA256

      8880aa45619f26fcb4cca6671e7decc6dcf94163344a819a156ed9f5bd414d0b

    • SHA512

      26585f0ae9576b40ff6635b464fa1cc3947e549a45f0648b4b754ef3225bb605ff5dd4926483636c85eed595102a57eacff634bef65e83cbd3dd54e823f1907f

    • Dridex

      Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Dridex Loader

      Detects the Dridex loader (both x86 and x64 builds) in memory.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3

    System Information Discovery (T1082): 3

Tasks