Manuel Statik Analiz — Dridex | Tehdit: CRITIQUE

Fichier Kimliği

SHA256123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff
Taille1.007.633 byte (984KB)
String Sayisi6.342

fromChrome9September9 + oHbullshitibChromej2 + boobsrChromeannouncedFirefox: Geliştiricinin Küfürlü Obfuscation

GELİŞTİRİCİ KÜFÜR: Nadir: obfuscated string içinde vulgar developer yorumları!
fromChrome9September9                          -- "Chrome" + tarih ref
oHbullshitibChromej2                           -- "bullshit" + "Chrome"
boobsrChromeannouncedFirefoxatheofaultedM      -- "boobs" + "Chrome" + "Firefox"
-- Obfuscation tekniği: meşru kelimeler ("Chrome", "September") + vulgar sözcükler
-- "bullshit" + "boobs" = geliştiricinin yorumları string içinde kaybolmuş
-- Karakterler araya sıkıştırılmış: "from" + "Chrome" + "9" + "September" + "9"
-- Hedef: Chrome + Firefox credential extraction
-- Developer: vulgar string'leri obfuscation malzemesi olarak kullandı
-- Benzer pattern: Dridex'in karakteristik string encoding tekniği

DuiNavigate@DirectUI: C++ RTTI — Windows Shell Framework

??4DuiNavigate@DirectUI@@QEAAAEAV01@A
-- "DuiNavigate" = DirectUI navigation (Windows shell UI framework)
-- "DirectUI" = Windows shell rendering engine (IE, Explorer)
-- C++ RTTI mangled name: "??4" = assignment operator
-- "@@QEAAAEAV01@A" = x64 C++ calling convention
-- Dridex: DirectUI hook → tarayıcı form verisi hook için Windows shell UI kullanır
-- Browser form hooking: kullanıcı web form doldururken şifreleri yakalar

IOC

SHA256123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff
HedefChrome + Firefox (form hooking)

Dridex — Profil du malware

Dridex Bugat TA505 banking trojan. Chrome/Firefox form hooking with obfuscated strings. DirectUI RTTI.

Type de malware
Other
Langage de programmation
C++
Protocole C2
HTTPS
Systèmes ciblés
Windows
Aussi connu sous (AKA)
Bugat

Détails techniques

Dridex (Bugat/Cridex) is a modular banking trojan operated by TA505/Evil Corp since 2011. Uses peer-to-peer botnet architecture for C2 communication to resist takedowns. Modules: form grabber, VNC backdoor, network proxy, credential stealer, spread module. Encrypted communication: RC4 + custom protocol over HTTP. Delivered via Microsoft Office macro phishing (VBA macros). Used to deliver: BitPaymer, WastedLocker, Grief (PayOrGrief) ransomware. Evil Corp sanctioned by US Treasury October 2019, making ransom payments illegal for US entities. Dridex infrastructure heavily overlaps with Locky ransomware campaigns. Botnet IDs (bot IDs): 220, 444, 7777, multiple active botnets simultaneously.

Attribution / Acteur de la menace

Evil Corp (TA505), Maksim Yakubets (indicted by FBI)

Capacités et comportement

Zararlı Yazılım Aktivitesi
Kalıcılık Mekanizması
C2 İletişimi
Anti-Analiz

Liste IOC (1 indicateurs)

IOC — Dridex
# SHA256 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff
TypeValeurNote
sha256 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff

Serveurs C2 (3 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
79.141.164.52 ip 4444 TCP sinkholed RO
185.234.218.151 ip 4444 HTTPS sinkholed RU
77.73.133.84 ip 443 HTTPS sinkholed BG

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
dridexdridex3fromchrome9september9-obfuscated-chromebullshit-boobs-developer-profanityoHbullshitibChromej2duinavigate-directui-rttibrowser-targeting-obfuscationchrome-firefox-interleaved