2017-06-05 - DRIDEX INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-05-Dridex-infection-traffic.pcap.zip   72.9 kB (72,896 bytes)
• 2017-06-05-Dridex-malspam-tracker.csv.zip   1.1 kB (1,073 bytes)
• 2017-06-05-Dridex-malware-and-artifacts.zip   966.6 kB (966,558 bytes)

OTHER REPORTS ON TODAY'S DRIDEX ACTIVITY WITH MORE INDICATORS AT:

• Dynamoo's Blog: Malware spam: "John Miller Limited" / "Invoice"
• My Online Security: Spoofed John Miller invoice pretending to come from somebody named Holmes delivers Dridex banking Trojan

 

EMAILS

Shown above:  Spreadsheet on the 8 emails I collected.

 

MALWARE

Shown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.

 

Shown above:  Another shot of the PDF attachment from the second wave.

 

Shown above:  No picture or instructions this time.  Just a blank Word document with macros.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

• 0e3adf0314c28862e2ebbb80e985734afef46f41155891b31d75d095aa2d2e24
• 2793481cba97250c877ab15789ce851c7da360ca9a5602a2f86fdef8e842471d
• 2ba45f9e37a6db042f1b6492e2b92eb2decaa8b0b18508affa79f72c2a51bf04
• 7a11a65f347bbfb2c6865b90e1373cfdf4085468864953ec59d7412512256d36
• b2fc044e9e49f5c539d13705548b0adf822d5a5f431c61f083cc2c59ba08aac9

SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:

• 011bf13d75adfd98c1e60aec9e3470be4e89f9c56263e511ab30aa2c69f132c2
• 564be1d40296c09cd7247fbd396158d9bcad443f2bd627f53a7e3672fffa361e
• b865826fdd7ef22cb5621f92d9391fbacfe10e9c75402b571e1484597d25b49c
• bdb3b5081a31d6b10a2602af6aee5c4eaa3722c17b4d5c90b4874968454c9654
• df2bc524fafb759eae77e3053c6f7d7dacdf6b5be43048d9c849529d749c61f7

FILES RETRIEVED FROM INFECTED HOST:

• SHA256 hash:  c7dc1e2d1dbda6e287675160f1e96f6514b8a6f10017a1e4b76c7591c3785e97
  File size:  118.784 bytes
  File location:  C:\User\[username]\AppData\Local\Temp\miniramon8.exe
  File description:  Windows EXE for Dridex

 

TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD DRIDEX:

• multielectricos[.]com - GET /8yfh4gfff
• newserniggrofg[.]net - GET /af/8yfh4gfff
• resevesssetornument[.]com - GET /af/8yfh4gfff
• salonpalmareal[.]com - GET /8yfh4gfff
• select-hire[.]com - GET /8yfh4gfff
• sukko-diona[.]ru - GET /8yfh4gfff
• ymcaonline[.]net - GET /8yfh4gfff
• zhongjianbao[.]com - GET /8yfh4gfff

 

DRIDEX POST-INFECTION TRAFFIC:

• 46.101.154[.]177 port 4743 - SSL/TLS traffic
• 85.214.126[.]182 port 4743 - SSL/TLS traffic
• 89.110.157[.]78 port 4743 - SSL/TLS traffic

 

Click here to return to the main page.