Dridex Downloader Analysis

dridex malwareThis morning I received on my company box an email with an attached .xlsm file named D92724446.xlsm coming from [email protected]. Central and local AV engines did not found anything malicious and also a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file and to extract at least the code I was imagining being inside this document. These are some general info collected about the received file:

Name: D92724446.xlsm
MD5: fea3ab857813c0d65cd0b6b6233a834b
SHA1: 64eef048efe86fe35f673fd2d853a8a727934e6c
Origin: probably Russia
External Communications: HTTP – Remote addr: 5.196.243.7

Download the full report in English here or read the article on InfoSec Institute website:

Dridex Analysis

5 Comments

  1. Alex Barros

    Thinking at the face of these malware authors. Oh, guys, we were wrong the target ! They made us the picture ah ah ah. nice analysis. bravo :)

  2. Nice write-up! The C&C server appears to be down. Is there any chance you’ll share more information on JIOiodfhioIH.cab\JIOiodfhioIH.exe? I’m specifically interested in learning how it was persisting.

    Thanks!

  3. Emanuele

    Hello Kyle. I have not analyzed the exe yet as there are already some analysis online based on previous versions of dridex. However, giving a quick look, malware persistence is achieved creating first a .tmp file under “C:\” (in my case C:\2.tmp) and loading it through rundll32.exe. A regkey is then created. However, based on the behavior of previous versions, this key could be deleted as soon as the malware is running and set again at each shut down in order to not leave any direct trace of an infection when malware is executing.

  4. Redknock

    Yes. Dridex achieve persistance through reg keys. These are deleted once malware executed and re.created 1 second before the shutdown.

Leave a Reply

Your email address will not be published. Required fields are marked *


2 + 4 =