Manuel Statik Analiz — Dridex | Tehdit: CRÍTICO

Archivo Kimliği

SHA256123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff
Tamaño1.007.633 byte (984KB)
String Sayisi6.342

fromChrome9September9 + oHbullshitibChromej2 + boobsrChromeannouncedFirefox: Geliştiricinin Küfürlü Obfuscation

GELİŞTİRİCİ KÜFÜR: Nadir: obfuscated string içinde vulgar developer yorumları!
fromChrome9September9                          -- "Chrome" + tarih ref
oHbullshitibChromej2                           -- "bullshit" + "Chrome"
boobsrChromeannouncedFirefoxatheofaultedM      -- "boobs" + "Chrome" + "Firefox"
-- Obfuscation tekniği: meşru kelimeler ("Chrome", "September") + vulgar sözcükler
-- "bullshit" + "boobs" = geliştiricinin yorumları string içinde kaybolmuş
-- Karakterler araya sıkıştırılmış: "from" + "Chrome" + "9" + "September" + "9"
-- Hedef: Chrome + Firefox credential extraction
-- Developer: vulgar string'leri obfuscation malzemesi olarak kullandı
-- Benzer pattern: Dridex'in karakteristik string encoding tekniği

DuiNavigate@DirectUI: C++ RTTI — Windows Shell Framework

??4DuiNavigate@DirectUI@@QEAAAEAV01@A
-- "DuiNavigate" = DirectUI navigation (Windows shell UI framework)
-- "DirectUI" = Windows shell rendering engine (IE, Explorer)
-- C++ RTTI mangled name: "??4" = assignment operator
-- "@@QEAAAEAV01@A" = x64 C++ calling convention
-- Dridex: DirectUI hook → tarayıcı form verisi hook için Windows shell UI kullanır
-- Browser form hooking: kullanıcı web form doldururken şifreleri yakalar

IOC

SHA256123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff
HedefChrome + Firefox (form hooking)

Dridex — Perfil del malware

Dridex Bugat TA505 banking trojan. Chrome/Firefox form hooking with obfuscated strings. DirectUI RTTI.

Tipo de malware
Other
Lenguaje de programación
C++
Protocolo C2
HTTPS
Sistemas objetivo
Windows
También conocido como (AKA)
Bugat

Detalles técnicos

Dridex (Bugat/Cridex) is a modular banking trojan operated by TA505/Evil Corp since 2011. Uses peer-to-peer botnet architecture for C2 communication to resist takedowns. Modules: form grabber, VNC backdoor, network proxy, credential stealer, spread module. Encrypted communication: RC4 + custom protocol over HTTP. Delivered via Microsoft Office macro phishing (VBA macros). Used to deliver: BitPaymer, WastedLocker, Grief (PayOrGrief) ransomware. Evil Corp sanctioned by US Treasury October 2019, making ransom payments illegal for US entities. Dridex infrastructure heavily overlaps with Locky ransomware campaigns. Botnet IDs (bot IDs): 220, 444, 7777, multiple active botnets simultaneously.

Atribución / Actor de amenaza

Evil Corp (TA505), Maksim Yakubets (indicted by FBI)

Capacidades y comportamiento

Zararlı Yazılım Aktivitesi
Kalıcılık Mekanizması
C2 İletişimi
Anti-Analiz

Lista IOC (1 indicadores)

IOC — Dridex
# SHA256 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff
TipoValorNota
sha256 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff

Servidores C2 (3 servidores registrados para esta familia)

Dirección Tipo Puerto Protocolo Estado País
79.141.164.52 ip 4444 TCP sinkholed RO
185.234.218.151 ip 4444 HTTPS sinkholed RU
77.73.133.84 ip 443 HTTPS sinkholed BG

Las direcciones C2 se proporcionan únicamente a partir de muestras de malware verificadas manualmente por el equipo KEYDAL. Se prohíbe el uso comercial.

Etiquetas
dridexdridex3fromchrome9september9-obfuscated-chromebullshit-boobs-developer-profanityoHbullshitibChromej2duinavigate-directui-rttibrowser-targeting-obfuscationchrome-firefox-interleaved