2020-09-21-IOCs-for-Dridex-infection.txt
2020-09-21 - INFECTION FROM DRIDEX MALSPAM

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1308153302513745920

EMAIL HEADER DATA:

- Received: from [91.81.229.185] (unknown [91.81.229.185]) by [removed]; Mon, 21 Sep 2020 14:25:24 +0200 (CEST)
- Received: from [1.124.14.21] (helo=FAWADUM.esa4.dhl-out.iphmx.com) by [removed] (envelope-from [email protected]) [removed]; Mon, 21 Sep 2020 13:25:24 +0100
- Date: Mon, 21 Sep 2020 13:25:24 +0100
- From: BillingOnline <[email protected]>
- Subject: FedEx Billing Online - Invoice Ready for Payment

ONE OF AT LEAST 10 URLS GENERATED BY EXCEL MACRO:

- hxxps://cdn.applimmo[.]com/wxmn5b.pdf
- hxxps://mazimimarlik[.]com/ow1oorywn.pdf
- hxxps://lamesuspendue.swayb[.]com/pxxnmie14.zip
- hxxps://laptopsservicecenter[.]in/s3k9ebe2.pdf
- hxxps://mail.168vitheyrealestate[.]com/k5hkyj0.zip
- hxxps://retrodays[.]pt/lhtzu8p.zip
- hxxps://skybeetravels.cheapflightso[.]co[.]uk/py198k.pdf
- hxxps://starsignsdates[.]com/hurxlu8.pdf
- hxxps://stepco[.]ro/wij87mvg.txt
- hxxps://update.cabinetulieru[.]ro/thhqpn.txt

DRIDEX POST-INFECTION HTTPS TRAFFIC:

- 51.75.24[.]85 port 443
- 109.169.24[.]37 port 453

ASSOCIATED MALWARE:

- SHA256 hash: 3259221b5378b9c9a983ae265527662c0c7856f6664a9a734754f549ee4d7a33
- File size: 28,618 bytes
- File name: 5-107-26477.xlsm
- File description: Excel spreadsheet with macro for Dridex

- SHA256 hash: 5b4337f9ae1d91113c91abd0da39794d8aa216b149562440de541ca99618840d
- File size: 331,776 bytes
- File location: hxxps://cdn.applimmo[.]com/wxmn5b.pdf
- File location: C:\XMjrcrYY\WZzAVF\XkZVNh
- Run method: regsvr32.exe /s [file name]
- File description: DLL installer retrieved by Excel macro for Dridex
- Note: Random characters for directory path and file name each infection

- SHA256 hash: 55067d633bef8350b5de24e3e9f153fc4a6765af0af168fb444a6329c701b10a
- File size: 1,017,344 bytes
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Templates\LiveContent\bGGj9sX\MFC42u.DLL
- File description: Dridex malware DLL
- Note: Run by copy of legitimate system file DevicePairingWizard.exe in the same directory

- SHA256 hash: 8a7cc23e3b7af9ebd2d1dd3791bb62bd1da1efd3d2c480fa51483552520abd0a
- File size: 1,012,224 bytes
- File location: C:\Users\[username]\AppData\Roaming\Sun\0umgO\WTSAPI32.dll
- File description: Dridex malware DLL
- Note: Run by copy of legitimate system file rdpclip.exe in the same directory

- SHA256 hash: eb3c152be59903d29cf02100ed2f9edea183a37882a68ae5655bcbc9004775d8
- File size: 1,009,664 bytes
- File location: C:\Users\[username]\AppData\Roaming\Thunderbird\Profiles\1ovarfyl.default-release\ImapMail\.outlook.com\yFYLx\XmlLite.dll
- File description: Dridex malware DLL
- Note: Run by copy of legitimate system file sppsvc.exe in the same directory
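The listing above uses the usual defanged conventions (hxxps:// and [.]) so that the indicators are not clickable. To use them in detection they have to be parsed, refanged and normalised first. The following Python is an added example and is not part of the IOC file or of its author's tooling: it parses an excerpt of the listing in exactly this format (the excerpt reuses the page's own URLs, IP/port pairs and one hash), then checks a few constructed proxy, firewall and EDR log lines against the resulting sets. The log field names (dst=, url=, sha256=) are an assumed, constructed format, not a real product's schema. A matching C2 IP on a port other than the listed one is reported as a weaker "c2-ip" hit rather than dropped, since Dridex infrastructure in this listing uses a non-standard port (453) as well as 443.

```python
"""Parse a defanged IOC listing (hxxps:// and [.] style) and match it against log lines."""
import re

# Constructed excerpt, in the format of the IOC listing above (indicators taken from the page).
IOC_TEXT = """\
ONE OF AT LEAST 10 URLS GENERATED BY EXCEL MACRO:
- hxxps://cdn.applimmo[.]com/wxmn5b.pdf
- hxxps://stepco[.]ro/wij87mvg.txt
DRIDEX POST-INFECTION HTTPS TRAFFIC:
- 51.75.24[.]85 port 443
- 109.169.24[.]37 port 453
ASSOCIATED MALWARE:
- SHA256 hash: 3259221b5378b9c9a983ae265527662c0c7856f6664a9a734754f549ee4d7a33
- File name: 5-107-26477.xlsm
"""

URL_RE = re.compile(r"hxxps?://\S+")
# IPs on the page are only partly defanged (51.75.24[.]85), so accept "." or "[.]" between octets.
IP_PORT_RE = re.compile(r"^-\s*(\d{1,3}(?:(?:\.|\[\.\])\d{1,3}){3})\s+port\s+(\d+)")
SHA256_RE = re.compile(r"SHA256 hash:\s*([0-9a-fA-F]{64})\b")


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict:
    """Extract URLs, hostnames, (ip, port) pairs and SHA256 hashes from the listing."""
    iocs = {"urls": set(), "domains": set(), "ip_ports": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := URL_RE.search(line):
            url = refang(m.group(0))
            iocs["urls"].add(url)
            iocs["domains"].add(url.split("/")[2].lower())
        elif m := IP_PORT_RE.match(line):
            iocs["ip_ports"].add((refang(m.group(1)), int(m.group(2))))
        elif m := SHA256_RE.search(line):
            iocs["sha256"].add(m.group(1).lower())
    return iocs


# Constructed log lines in an assumed key=value format (not a real product's schema).
SAMPLE_LOGS = [
    "2020-09-21T13:31:02Z proxy src=10.0.0.14 dst=cdn.applimmo.com:443 url=https://cdn.applimmo.com/wxmn5b.pdf",
    "2020-09-21T13:31:40Z fw src=10.0.0.14 dst=109.169.24.37:453 action=allow",
    "2020-09-21T13:32:11Z proxy src=10.0.0.9 dst=example.org:443 url=https://example.org/index.html",
    "2020-09-21T13:33:05Z fw src=10.0.0.9 dst=51.75.24.85:80 action=allow",
    "2020-09-21T13:25:50Z edr host=ws14 file=5-107-26477.xlsm "
    "sha256=3259221b5378b9c9a983ae265527662c0c7856f6664a9a734754f549ee4d7a33",
]

LOG_DST_RE = re.compile(r"dst=([^\s:]+):(\d+)")
LOG_URL_RE = re.compile(r"url=(\S+)")
LOG_SHA_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def match_log_line(line: str, iocs: dict) -> list:
    """Return the indicator tags one log line matches (empty list if none)."""
    tags = []
    known_ips = {ip for ip, _ in iocs["ip_ports"]}
    if m := LOG_DST_RE.search(line):
        host, port = m.group(1).lower(), int(m.group(2))
        if (host, port) in iocs["ip_ports"]:
            tags.append(f"c2-ip-port:{host}:{port}")
        elif host in known_ips:
            tags.append(f"c2-ip:{host}")  # same C2 IP, different port: weaker match
        if host in iocs["domains"]:
            tags.append(f"payload-domain:{host}")
    if m := LOG_URL_RE.search(line):
        if m.group(1) in iocs["urls"]:
            tags.append(f"payload-url:{m.group(1)}")
    if m := LOG_SHA_RE.search(line):
        if m.group(1).lower() in iocs["sha256"]:
            tags.append(f"hash:{m.group(1).lower()}")
    return tags


def scan_logs(lines: list, iocs: dict) -> dict:
    """Map index of each matching log line to its list of tags."""
    return {i: t for i, line in enumerate(lines) if (t := match_log_line(line, iocs))}


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TEXT))
    for i, tags in hits.items():
        print(f"line {i}: {', '.join(tags)}")
```

Domain matches are made on the normalised hostname, so a later download of a different file name from the same compromised host is still flagged, while the exact URL match carries the higher confidence.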