哈希 / 信息
SHA2568cd9c1725c59139cafb22e210d4cbd0e6d78c2d5ed5cddda30b173dc85950d9e
MD5aa0ffec1cd9b4482262af7a9627dea44
SHA16fb4d8a51447e03cd7b3c5fc325fe255d32c6d03
ImpHash5ad3b93adc2f9b7a31e634988c069f77
文件 Adiaa0ffec1cd9b4482262af7a9627dea44
文件类型dll
大小524,288 bytes
首次发现2021-12-20

Tehdit 值lendirmesi

Bu ornek, hedef sisteme ek zararlı yazılım yuklemek amacıyla tasarlanmis moduler bir yukleyici (loader) olarak tespit edilmistir. Bankacılık trojanları, fidye yazılımları veya diger ikinci asama yukler indirebilmektedir.

检测到的功能

  • Payload Indirme
  • Surec Enjeksiyonu
  • Kalicilik
  • Anti-Analiz
  • Sifrelenmis Iletisim

MalwareBazaar 标签

32dllDridexexe

分析说明

Bu ornek Dridex ailesine ait ve MalwareBazaar platformundan alınmıstır. KEYDAL Guvenlik Arastirmaları tarafından metadata analizi gerceklestirilmis ve IOC veritabanına eklenmistir.

Dridex — 恶意软件档案

Dridex Bugat TA505 banking trojan. Chrome/Firefox form hooking with obfuscated strings. DirectUI RTTI.

恶意软件类型
Other
编程语言
C++
C2协议
HTTPS
目标系统
Windows
别名 (AKA)
Bugat

技术细节

Dridex (Bugat/Cridex) is a modular banking trojan operated by TA505/Evil Corp since 2011. Uses peer-to-peer botnet architecture for C2 communication to resist takedowns. Modules: form grabber, VNC backdoor, network proxy, credential stealer, spread module. Encrypted communication: RC4 + custom protocol over HTTP. Delivered via Microsoft Office macro phishing (VBA macros). Used to deliver: BitPaymer, WastedLocker, Grief (PayOrGrief) ransomware. Evil Corp sanctioned by US Treasury October 2019, making ransom payments illegal for US entities. Dridex infrastructure heavily overlaps with Locky ransomware campaigns. Botnet IDs (bot IDs): 220, 444, 7777, multiple active botnets simultaneously.

归因 / 威胁行为者

Evil Corp (TA505), Maksim Yakubets (indicted by FBI)

能力与行为

Zararlı Yazılım Aktivitesi
Kalıcılık Mekanizması
C2 İletişimi
Anti-Analiz

IOC列表 (2 个指标)

IOC — Dridex
# SHA256 8cd9c1725c59139cafb22e210d4cbd0e6d78c2d5ed5cddda30b173dc85950d9e # MD5 aa0ffec1cd9b4482262af7a9627dea44
类型备注
sha256 8cd9c1725c59139cafb22e210d4cbd0e6d78c2d5ed5cddda30b173dc85950d9e
md5 aa0ffec1cd9b4482262af7a9627dea44

C2服务器 (该家族共有 3 台已记录服务器)

地址 类型 端口 协议 状态 国家
79.141.164.52 ip 4444 TCP sinkholed RO
185.234.218.151 ip 4444 HTTPS sinkholed RU
77.73.133.84 ip 443 HTTPS sinkholed BG

C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。

标签
32dllDridexexe