A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26138  by Xylitol
 Fri Jun 19, 2015 9:03 pm
https://www.virustotal.com/en/file/a2d1 ... 434747552/
Code:
<config botnet="220">
   <server_list>
37.143.11.165:4443
136.243.14.142:8443
94.23.53.23:2443
71.14.1.139:8443
   </server_list>
</config>
https://www.virustotal.com/en/file/dac1 ... 434747553/
Code:
<config botnet="220">
   <server_list>
107.170.1.205:8443
146.185.128.226:8443
134.0.115.157:8443
144.76.238.214:4443
   </server_list>
</config>
Attachments
infected (95.26 KiB)
 #26228  by EP_X0FF
 Fri Jul 03, 2015 6:04 am
It seems Dridex now uses more UAC autoelevation techniques on board; does anyone have a *recent* dropper? Kind of curious to check if this is another copy-paste.
 #26232  by EP_X0FF
 Fri Jul 03, 2015 6:17 pm
Thanks. It uses 2 UAC exploits:

sdb from Gootkit
IFileOperation from an explorer.exe-spawned process copy: sysprep.exe and a fake cryptbase.dll as a proxy DLL to launch the malware dropper elevated. Nothing interesting or new.
 #26239  by tim
 Mon Jul 06, 2015 8:27 pm
Latest loader
https://www.virustotal.com/en/file/eeb1 ... 436214321/

Config:
Code:
<config botnet="220">
   <server_list>
62.210.214.106:448
176.99.6.10:8443
176.28.10.253:8443
   </server_list>
</config>
Decoded Strings:
Code:
0 LoadLibraryA
1 LoadLibraryW
2 GetProcAddress
3 AllocConsole
4 AttachConsole
5 CancelIoEx
6 CloseHandle
7 CompareStringA
8 CompareStringW
9 CreateDirectoryW
10 CreateEventA
11 CreateFileMappingW
12 CreateFileA
13 CreateFileW
14 CreateMutexA
15 CreateProcessA
16 CreateProcessW
17 CreateRemoteThread
18 CreateThread
19 CreateToolhelp32Snapshot
20 DeleteFileA
21 DeleteFileW
22 DeviceIoControl
23 DisableThreadLibraryCalls
24 DuplicateHandle
25 ExitProcess
26 ExitThread
27 ExpandEnvironmentStringsA
28 ExpandEnvironmentStringsW
29 FileTimeToDosDateTime
30 FileTimeToLocalFileTime
31 FileTimeToSystemTime
32 FindClose
33 FindFirstFileA
34 FindFirstFileW
35 FindNextFileA
36 FindNextFileW
37 FormatMessageA
38 FreeConsole
39 FreeLibrary
40 GetCommandLineA
41 GetCommandLineW
42 GetCurrentProcess
43 GetCurrentProcessId
44 GetCurrentThread
45 GetCurrentThreadId
46 GetDriveTypeW
47 GetEnvironmentVariableA
48 GetEnvironmentVariableW
49 GetExitCodeProcess
50 GetExitCodeThread
51 GetFileAttributesW
52 GetFileInformationByHandle
53 GetFileSize
54 GetLastError
55 GetLocalTime
56 GetLogicalDrives
57 GetModuleFileNameA
58 GetModuleFileNameW
59 GetModuleHandleA
60 GetModuleHandleW
61 GetProcessHeap
62 GetShortPathNameA
63 GetShortPathNameW
64 GetStartupInfoW
65 GetStdHandle
66 GetSystemDirectoryW
67 GetSystemInfo
68 GetSystemTime
69 GetSystemTimeAsFileTime
70 GetTempFileNameA
71 GetTempFileNameW
72 GetTempPathW
73 GetThreadPriority
74 GetTickCount
75 GetVersionExW
76 GetWindowsDirectoryW
77 GlobalLock
78 GlobalUnlock
79 HeapCreate
80 HeapDestroy
81 HeapAlloc
82 HeapFree
83 HeapReAlloc
84 IsBadReadPtr
85 IsDebuggerPresent
86 IsProcessorFeaturePresent
87 IsWow64Process
88 LocalAlloc
89 LocalFree
90 MapViewOfFile
91 MultiByteToWideChar
92 OpenEventA
93 OpenMutexA
94 OpenProcess
95 OpenThread
96 OutputDebugStringA
97 OutputDebugStringW
98 PeekConsoleInputA
99 Process32FirstW
100 Process32NextW
101 QueryDosDeviceW
102 QueryPerformanceCounter
103 QueryPerformanceFrequency
104 ReadConsoleInputA
105 ReadFile
106 ReadProcessMemory
107 ReleaseMutex
108 RemoveDirectoryW
109 ResetEvent
110 ResumeThread
111 SetEvent
112 SetFileAttributesA
113 SetFileAttributesW
114 SetFilePointer
115 SetFileTime
116 SetLastError
117 SetThreadPriority
118 Sleep
119 SystemTimeToFileTime
120 SuspendThread
121 TerminateProcess
122 TerminateThread
123 TlsAlloc
124 TlsFree
125 TlsGetValue
126 TlsSetValue
127 Thread32First
128 Thread32Next
129 UnmapViewOfFile
130 VirtualAlloc
131 VirtualAllocEx
132 VirtualFree
133 VirtualFreeEx
134 VirtualProtect
135 VirtualQuery
136 WaitForMultipleObjects
137 WaitForSingleObject
138 WideCharToMultiByte
139 WriteConsoleA
140 WriteFile
141 WriteProcessMemory
142 AllocateAndInitializeSid
143 CloseServiceHandle
144 ConvertStringSecurityDescriptorToSecurityDescriptorW
145 CryptAcquireContextW
146 CryptCreateHash
147 CryptDecrypt
148 CryptDestroyHash
149 CryptDestroyKey
150 CryptEncrypt
151 CryptExportKey
152 CryptGenKey
153 CryptGenRandom
154 CryptGetHashParam
155 CryptGetUserKey
156 CryptHashData
157 CryptImportKey
158 CryptReleaseContext
159 CryptSignHashW
160 CryptVerifySignatureW
161 EqualSid
162 FreeSid
163 GetSidSubAuthority
164 GetSidSubAuthorityCount
165 GetTokenInformation
166 IsValidSid
167 OpenProcessToken
168 OpenSCManagerW
169 OpenServiceW
170 QueryServiceStatus
171 RegCloseKey
172 RegCreateKeyExA
173 RegDeleteValueA
174 RegEnumKeyA
175 RegEnumValueA
176 RegOpenKeyExA
177 RegQueryValueExA
178 RegQueryValueExW
179 RegSetValueExA
180 EnumProcessModulesEx
181 GetModuleBaseNameW
182 GetModuleInformation
183 GetProcessImageFileNameW
184 LdrGetDllHandle
185 LdrGetProcedureAddress
186 NtDuplicateObject
187 RtlComputeCrc32
188 RtlCreateUserThread
189 RtlFillMemory
190 RtlInitUnicodeString
191 RtlMoveMemory
192 RtlZeroMemory
193 RtlQueryElevationFlags
194 NtAllocateVirtualMemory
195 NtFreeVirtualMemory
196 NtProtectVirtualMemory
197 NtReadVirtualMemory
198 NtWriteVirtualMemory
199 NtQueryInformationProcess
200 NtQueryObject
201 NtQuerySystemInformation
202 NtQueryVirtualMemory
203 CommandLineToArgvW
204 SHCreateItemFromParsingName
205 ShellExecuteExW
206 SHGetFolderPathW
207 SHDeleteKeyA
208 StrChrIA
209 StrChrIW
210 StrStrIA
211 StrStrIW
212 StrToIntA
213 StrToIntW
214 StrToIntExA
215 StrToIntExW
216 wvnsprintfA
217 wvnsprintfW
218 CertCloseStore
219 CertEnumCertificatesInStore
220 CertOpenSystemStoreW
221 CryptBinaryToStringA
222 CryptDecodeObject
223 CryptDecodeObjectEx
224 CryptEncodeObject
225 CryptEncodeObjectEx
226 CryptExportPublicKeyInfo
227 CryptImportPublicKeyInfo
228 CryptStringToBinaryA
229 PFXExportCertStoreEx
230 BitBlt
231 CreateCompatibleBitmap
232 CreateCompatibleDC
233 DeleteDC
234 DeleteObject
235 SelectObject
236 __WSAFDIsSet
237 accept
238 bind
239 closesocket
240 connect
241 freeaddrinfo
242 getaddrinfo
243 gethostbyname
244 getsockopt
245 htons
246 ioctlsocket
247 listen
248 ntohs
249 recv
250 select
251 send
252 setsockopt
253 shutdown
254 socket
255 WSAEnumNetworkEvents
256 WSAEventSelect
257 WSAGetLastError
258 WSAGetOverlappedResult
259 WSARecv
260 WSASend
261 WSASetEvent
262 WSASetLastError
263 WSAStartup
264 CallWindowProcW
265 CharLowerA
266 CharLowerW
267 CharUpperA
268 CharUpperW
269 GetClipboardData
270 GetThreadDesktop
271 GetUserObjectInformationA
272 EnumWindows
273 ExitWindowsEx
274 GetClassNameW
275 GetCursorPos
276 GetDC
277 GetKeyboardState
278 GetSystemMetrics
279 GetWindowTextW
280 GetWindowThreadProcessId
281 MessageBoxA
282 MessageBoxW
283 ReleaseDC
284 SetForegroundWindow
285 SwitchToThisWindow
286 ToUnicode
287 TranslateMessage
288 InternetOpenUrlA
289 InternetOpenUrlW
290 InternetSetStatusCallbackA
291 InternetSetStatusCallbackW
292 InternetOpenA
293 InternetOpenW
294 InternetConnectA
295 InternetConnectW
296 HttpAddRequestHeadersA
297 HttpAddRequestHeadersW
298 HttpOpenRequestA
299 HttpOpenRequestW
300 HttpSendRequestA
301 HttpSendRequestW
302 InternetQueryOptionA
303 InternetQueryOptionW
304 InternetSetOptionA
305 InternetSetOptionW
306 HttpQueryInfoA
307 HttpQueryInfoW
308 InternetQueryDataAvailable
309 InternetReadFile
310 InternetReadFileExA
311 InternetReadFileExW
312 InternetCloseHandle
313 FCIAddFile
314 FCICreate
315 FCIDestroy
316 FCIFlushCabinet
317 SCardEstablishContext
318 SCardGetStatusChangeW
319 SCardListReadersW
320 SCardReleaseContext
321 WTSEnumerateSessionsW
322 WTSFreeMemory
323 WTSQueryUserToken
324 CoCreateInstance
325 CoGetObject
326 CoInitialize
327 CoUninitialize
328 GetWindowLongW
329 SetWindowLongW

Ascii strings at 0x01010b50
---------------------------
0 SYSTEM/CurrentControlSet/Control/ComputerName/ComputerName
1 SOFTWARE/Microsoft/Windows NT/CurrentVersion
2 <loader><get_module unique="%s" botnet="%d" system="%d" name="%s" bit="%d"/>
3 SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall
4 <soft><![CDATA[
5 ]]></soft>
6 </loader>
7 <module
8 Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders
9 botnet="
10 <server_list>
11 </server_list>
12 rundll32.exe "%S" NotifierInit
13 $&=-+?,~ +=&_.$~@abcsefghijklmnopqrstuvwxyz0123456789ABCSEFGHIJKLMNOPQRSTUVWXYZ
14 <cfg net="%d" build="0"><startup>%s</startup><del>%S</del></cfg>
15 Software/Microsoft/Windows/CurrentVersion/Explorer/CLSID/%s/ShellFolder
16 ComputerName
17 Volatile Environment
18 InstallDate
19 USERNAME
20 <nodes>
21 </nodes>
22 ALLUSERSPROFILE
23 \Malwarebytes\Malwarebytes Anti-Malware\
24 exclusions.dat
25 Configuration\settings.conf
26 Configuration\scheduler.conf
27 SYSTEM/CurrentControlSet/services/MBAMProtector/Parameters
28 ProductPath
29 \mbam.dll
30 ProtectionStop
31 SchedulerStop
32 SelfProtectionDisable
33 .KB
34 DisplayName
35 DisplayVersion
36 SOFTWARE/ESET/ESET Security/CurrentVersion/Info
37 SYSTEM/CurrentControlSet/services/Avg/SystemValues
38 SOFTWARE/Avira/Antivir Desktop
39 49E908752A216D26486BFFA9E2D6EF2D368975D62A7B7532B76E547A14FDBAAD8062E3CE8838CEB5E414A393662135499048B521F24528A13923CB2B17DCD943C28F8E
40 68F81F7F2D7E5D0C4830C3D6FAD8F1381D8D79FB2D6E6836BF5D1A3B15A6F6E7810DF4DEA56182F1B75FD9CC38616113CE37B123A75A3FB67E60DF2C29C89D6FCEC3DEB0DAD5ECA48F0F4966CFDEBF10BAE76ED2577A02434E25A597FB473535C4F5BF7B783784AABD9CB6F491A6DA8B00498FD4F0A791B1FF79ABDBBA4A26DD8672AFD74667EFBEFB8A9EA406063DB21C1352ED1A7869F8ECA3EEB5744C84B6772F266D2AE7BF2BC436DA688F9BAF9CAB6E9370BF8C6018B1F55C88ED15A8E4E74D9F4324DA5F6241F7AE7E0DE05D4CAF83AE0CCFFCEB7A1C47796013D1C16F314B17EBBF4E2D2EF54B89FD9E1B94400072E88B7469C5D2F0D9C892625C582E53A96760096B857E8FA51BBCE98DF4150467F0358C660AF1AFB44AA20A7324892A334786CF450F734853E0A6317FFDA0A71927122CF3AEED3741A1A8CAABDDCF0C094DD03E2A74A64EC86E2689D5CA6D77ABFFF7C0FA97186831037840ADF0EEB61309B8AA65FF1628B8B7ED3C3F5ED66AE9711DA38BF0CA6AF768F352E71F392D57D5B3989E10FC4513DB3594120988FDC361AFE9F4741087F1CC58E1F3D5E1D5660D46A24C2B7B9B8138A2DB4A0E57CDDCD0AE3DFBCA2F3A9C7CDD69A915F57DB467627478DF604177CD2A2F83B52B105F8751ADB9D8B3C1EF4FF4FEAFE20BA94634F0918DD04810431A7E3CD42882CE9BB365B4C94785521FDBFE77006E9B1D3E78FE4452B2F5830AE0CBBF664BF44DF70E5B6AD8701516BCBD1D84A746A83ADE1CDA933C8EA800D5A76038C3CB940E25A38DF4867516CAB4301BDC3B564637341F3D971A765F0EE3F15308B1F3487E3BB32C921301FCD014DAB001F2C23FB93F57D1D58152821694A7347F02F5BE2ACF16AA63AD17B061DFF253FBD71306ABF40124A6E87ED148CE005F94D5EA11E094EC0D6620415BBB87FE7BAE8D947A5CE23B2BB8944F95C627DF07E909018C6D579C012DA69526A9EB92AF2F1CAA39035BA877A4C26CFEA25A310FBD81F0FBB0237CAC19D012F09891208848AE4338F530CD59C0730E46A36A40EF5D7FFF8BBF4EE95236C77F442F7633F46A76ADB1767CDC18CE7BF8E2F42C20E213A189478F2D3CFA6628C4C770F56C05BB6C7D4EC886CAFCA019DAAD72B1FA2A4C92D1EADD5F8A318095F8328A3B30120980E2AB6410DE9C927AE8CA86E0758BAE1576AC04038B863A97AFCB08E9179F85506DAC60F28461E958F7F74CE15DE69D56D18FA679A9C6217880315EAC50F43365ABA394BDD6BB0527363B610A43CC5B204070BB7F8656A7B3559CC841920F4791A6DE0A4A6A883284827A5393A18DDC1967F58C3B3168CA8E260B7B2D909B76161EF63228D6BD24D942F1DA98B236CE57700688F44843B4EE8EAD945C254ABDAF6D1670CBE3A183773
691F5531630A8091C9606F8F9F17DB44EE9551F942E030EADCBBEE8C381BB529737F14E2EEBD4CC4F7FD1B3BB6D41918FD864F530EF867F5FA3CBAC423821C4CE7C476572BB2D033032DD54F2513518C37127148E1C6FDE5A6BE01FDA2C760398839A901CD78E7DF612C1D1849779AE8B9051A2AAEAF44ED281127783EBF7DABF188A6232217A9F01307D3E5356E29A63C323BCF6AA53C10C1FA03CFE29576947D1F68E2EEA6BF0E8F7276325E69A0A52900E0F00F335B57C2D4900999DA16188D2E393FB17CF9059FD022F2753DEB8E9E4D273419C5BC57D9BCD502D893670DF9B5A535EEAC18F423A350BE97748DCACC57B149F6D89899E5294B150E9904042AE51F538CFC5E112429F56024422D611DF888601E42D65604FE5F9FF31F7AC3A31D269F38ED65330C178E0DC6376F87711064D9AF275A590B7348E18533E4FC52DF97457DEF22B47E8A303C8C19CFAD54C47746E1ECE8A6B2FFE4D81CBA6C46D4F9999D37358020FF024F9A4AC915C40801F03987544EB2D377A58F9F97E3B44D78EC3B392D93AE7F4FBE092A0BCB9D06DB041FF448A1D71047BA80A8F6F5E502030BC0D09746F5CEA0B2688EE4E13184196DE7BB32F57CAE31C97778F6B8943A10C9EBDB37385AA7A8AD53D659BD69121075FDEF85684BA69166FD3F91B7E6FE09C3A9B2B9DEECA38DE9F962021A661CDB9E798B5ED2A70D5F738C8C19C042127A7D509E4FB6F4EF7EE4B15663E4CF0F6F7F05DB0C2A10F2B4650FF6CF07640B3587BD7635B47967C5816C61130B30887B3577718505A67CA2A153A01F6739D061BFCD8B798CE8EE332DA2D1FEB886D11F5D4AE4950E8B9FF24C4AA0F97E8BE0115E8DA6F2F8AF3E5BC99298A76F4D620229C4A23E321C877D69481A3BEC90B30F9CEC08A387E4AE793B66DBCB0CE9B153D3A2439D6F1AF8247721FEFF4F6F25003DA2040C6C97282026F04FECC061248A067D9D8F9478220377DF61E23549684D32428DC52C92506FECB2F13CAE5D91F8F8478BE4C544CE37BF6C109C84CE8D6B274FFB5F952E7989E9FE57F21C0DF2F8CD187795ADF28DEF82DDCF7A727DADA145126E08A3AF446D2703C232815CB1A2F51B75477A02E4CD648B885996AAC2C029788FB1991E65855615AC3A4C660ECC3B8ED81C68520EB26BEEAFF7C8EB78B4CED5E46E4F0D24C71FEDBDA3B9D95C99DF0B1F346D767955C4A7117888AA54E1104F23B68E3F0B7F4B616CB89611CBF7D831300B3596D31A82FA7DBAD247C01D909D4A1060F7193ECC8
43 Global\
44 Starting path: 
45 Accept
46 bot
47 9X49PnJWXWeUG5nmuVmuEd7ADe5yQeyh;CYffS4JDbP06oBY6Bk0E7pNeegLwl4JvvtfIVKWeKwT7TC5qOGt8puX8pNXwyH

Ascii strings at 0x0101ed78
---------------------------
0 error %d(%08X): 
1 Connection: Close
2 -----BEGIN PUBLIC KEY-----
3 -----END PUBLIC KEY-----
4 -----BEGIN RSA PRIVATE KEY-----
5 -----END RSA PRIVATE KEY-----
7 start %S
sdbinst /q /u "%S"
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}" /f
del C:\Windows\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
del %%LOCALAPPDATA%%Low\%S.sdb
del %%LOCALAPPDATA%%Low\%S.bat
8 SOFTWARE/Microsoft/Windows/CurrentVersion/Component Based Servicing/Packages
9 KB%d
10 Software/Microsoft/Windows NT/CurrentVersion
11 CurrentVersion
12 Software/Microsoft/Windows/CurrentVersion/Policies/System
13 ConsentPromptBehaviorAdmin
14 OK
15 Transfer-Encoding
16 0day-1342
17 0day-1883c
18 0day-2331

Unicode strings at 0x0100eba8
-----------------------------
0 LOCALAPPDATA
1 S:(ML;;NW;;;LW)
2 Low\%s
3 .sdb
4 .bat
5 open
6 sdbinst.exe
7 iscsicli.exe
8 /q "%s"
9 \System32\
10 \SysWOW64\
11 GET
12 POST
13 sysprep
14 cryptbase.dll
15 Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
16 cmd.exe
17 /c
18 runas

Unicode strings at 0x01010b50
-----------------------------
0 -
1 kernel32.dll
2 ntdll.dll
3 ws2_32.dll
4 user32.dll
5 advapi32.dll
6 cabinet.dll
7 shlwapi.dll
8 wininet.dll
9 shell32.dll
10 crypt32.dll
11 psapi.dll
12 gdi32.dll
13 WinSCard.dll
14 wtsapi32.dll
15 ole32.dll

Unicode Strings at 0x0100b038
-----------------------------
0 MBAMService
1 $$$Secure UAP
2 Program Manager
3 Progman
4 edg
5 .tmp
6 .exe
7 updfiles\
8 upd.ver
9 lastupd.ver
10 \Avg20%d\update\
11 download
12 \TEMP\avwin.ini
13 "%savconfig.exe" /SAVEAVWININI="avwin.ini;"
14 Local AppData
15 {A520A1A4-1780-4FF6-BD18-167343C5AF16}
16 AppDataDir
17 AppDataDirectory
18 Path
19 Low
Attachments
pass:infected (42.3 KiB)
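EP_X0FF's post above names the two UAC bypasses, and tim's string dump shows the artifacts each one leaves behind: sdbinst, the AppCompatFlags registry keys and the AppPatch\Custom shim file on one side; the IFileOperation elevation moniker, sysprep and cryptbase.dll on the other. The following added example, which is not code from the thread or from the sample, turns those strings into a small triage rule that reports which technique a string dump points at. The indicator table and the helper names (TECHNIQUES, load_dump, triage) are this example's own assumptions, and the sample dump is a subset of the strings posted above.

```python
"""Triage helper: map decoded strings from a loader dump to the two UAC
bypass techniques named in the thread (the Gootkit-style sdb shim install
and the IFileOperation/sysprep fake-cryptbase.dll proxy DLL).

Added example, not code from the thread or from the sample. The indicator
table is an assumption derived only from the strings posted above, so it
is a triage aid, not a complete signature."""
import re

# technique -> regexes that point at it; every term appears in the dump above
TECHNIQUES = {
    "sdb shim UAC bypass (iscsicli.exe)": [
        r"\bsdbinst\b",
        r"AppCompatFlags\\Custom",
        r"AppCompatFlags\\InstalledSDB",
        r"AppPatch\\Custom",
        r"iscsicli\.exe",
        r"\.sdb\b",
    ],
    "IFileOperation via sysprep.exe + fake cryptbase.dll": [
        r"Elevation:Administrator!new:\{3ad05575-8857-4850-9277-11b85bdb8e09\}",
        r"\bsysprep\b",
        r"cryptbase\.dll",
        r"SHCreateItemFromParsingName",
        r"CoGetObject",
    ],
    "UAC policy / elevation state query": [
        r"ConsentPromptBehaviorAdmin",
        r"RtlQueryElevationFlags",
    ],
}

# Subset of the decoded strings posted above (copied from the dump, not
# constructed), in the "<index> <string>" form the dump uses.
SAMPLE_DUMP = r"""
193 RtlQueryElevationFlags
204 SHCreateItemFromParsingName
325 CoGetObject
7 start %S
sdbinst /q /u "%S"
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}" /f
del C:\Windows\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
del %%LOCALAPPDATA%%Low\%S.sdb
13 ConsentPromptBehaviorAdmin
13 sysprep
14 cryptbase.dll
15 Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
"""


def load_dump(text):
    """Split a dump into strings, dropping the leading numeric index when present."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        idx, _, rest = line.partition(" ")
        out.append(rest if idx.isdigit() and rest else line)
    return out


def triage(strings, min_hits=2):
    """Return {technique: matched patterns} for every technique with at least
    min_hits distinct indicator matches; a single hit is too weak on its own
    ('.sdb' or 'sysprep' alone is common in benign software)."""
    joined = "\n".join(strings)
    report = {}
    for name, patterns in TECHNIQUES.items():
        hits = [p for p in patterns if re.search(p, joined, re.IGNORECASE)]
        if len(hits) >= min_hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for technique, hits in triage(load_dump(SAMPLE_DUMP)).items():
        print(f"{technique}: {len(hits)} indicators -> {hits}")
```

Run over the full dump from the post, the rule fires on all three groups; the min_hits threshold is there so that a lone ".sdb" or "sysprep" string in an unrelated binary does not get labelled as a bypass.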
 #26604  by Xylitol
 Tue Aug 25, 2015 1:32 pm
RtlDecompressBuffer()
dumped: https://www.virustotal.com/en/file/024f ... 440506988/

Source: claudio.locatelli.free.fr/45gf3/7uf3ref.exe - VxVault
https://www.hybrid-analysis.com/sample/ ... onmentId=2
Code:
<loader>
<get_module unique="DIEBOLD_b1f0359041678a9069c404f808fcd303" botnet="220" system="23128" name="bot" bit="32"/>
<soft>
<![CDATA[Fiddler (4.4.5.8);Notepad++ (6.6.9);NuMega SoftICE;Syser 1.99 (1.99);WampServer 2.2;Java Auto Updater (2.1.6.0);Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - FRA (3.1.21022);Microsoft .NET Framework 3.5 LanguagePack - fra (3.5.21022);Adobe Reader 9.3 (9.3.0);Microsoft .NET Framework 2.0 Service Pack 1 (2.1.21022);DIEBOLD (9.6.1.1378637);PL-2303 USB-to-Serial (1.4.17);Starting path: 5]]>
</soft>
</loader>
Attachments
infected (129.14 KiB)
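Both XML shapes in this thread, the <config> block with its server_list in Xylitol's and tim's posts and the <loader><get_module .../> beacon with the installed-software inventory in the post above, are simple enough to parse with the standard library. The example below is added here and is not the thread's or the sample's code; the inputs are copied from the posts above (the beacon's CDATA list is shortened), and the function names parse_config, parse_beacon and collect_servers are this example's own.

```python
"""Parsers for the two XML shapes posted in this thread: the <config> block
with the server_list, and the <loader><get_module .../> beacon carrying the
installed-software inventory.

Added example, not the thread's or the sample's code. The samples below are
copied from the posts above; the helper names are this example's own."""
import ipaddress
import xml.etree.ElementTree as ET

# First config Xylitol posted and the config from tim's loader, as posted above.
CONFIG_SAMPLES = [
    """<config botnet="220">
   <server_list>
37.143.11.165:4443
136.243.14.142:8443
94.23.53.23:2443
71.14.1.139:8443
   </server_list>
</config>""",
    """<config botnet="220">
   <server_list>
62.210.214.106:448
176.99.6.10:8443
176.28.10.253:8443
   </server_list>
</config>""",
]

# Beacon from the post above; the software list is shortened here.
BEACON_SAMPLE = """<loader>
<get_module unique="DIEBOLD_b1f0359041678a9069c404f808fcd303" botnet="220" system="23128" name="bot" bit="32"/>
<soft>
<![CDATA[Fiddler (4.4.5.8);Notepad++ (6.6.9);NuMega SoftICE;Syser 1.99 (1.99);Starting path: 5]]>
</soft>
</loader>"""


def parse_config(xml_text):
    """Return {'botnet': str, 'servers': [(ip, port), ...]} from a <config> block.
    Every server_list entry must be a valid IP address and a port in 1..65535."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "config":
        raise ValueError(f"expected <config>, got <{root.tag}>")
    server_list = root.find("server_list")
    if server_list is None:
        raise ValueError("no <server_list> element")
    servers = []
    for entry in (server_list.text or "").split():
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad server entry: {entry!r}")
        servers.append((str(ipaddress.ip_address(host)), int(port)))
    return {"botnet": root.get("botnet"), "servers": servers}


def collect_servers(config_texts):
    """Union of the C2 endpoints across several configs, sorted, for a blocklist."""
    endpoints = set()
    for text in config_texts:
        endpoints.update(parse_config(text)["servers"])
    # sort by IP version first so IPv4 and IPv6 objects are never compared directly
    return sorted(endpoints, key=lambda e: (ipaddress.ip_address(e[0]).version,
                                            ipaddress.ip_address(e[0]), e[1]))


def parse_beacon(xml_text):
    """Return the get_module attributes plus the ';'-separated software list
    carried in <soft>; the trailing 'Starting path: N' item is split out."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "loader":
        raise ValueError(f"expected <loader>, got <{root.tag}>")
    gm = root.find("get_module")
    if gm is None:
        raise ValueError("no <get_module> element")
    soft = (root.findtext("soft") or "").strip()   # ElementTree unwraps the CDATA
    items = [s.strip() for s in soft.split(";") if s.strip()]
    starting_path = None
    if items and items[-1].startswith("Starting path:"):
        starting_path = items.pop().split(":", 1)[1].strip()
    return {
        "unique": gm.get("unique"),
        "botnet": int(gm.get("botnet")),
        "system": int(gm.get("system")),
        "name": gm.get("name"),
        "bit": int(gm.get("bit")),
        "software": items,
        "starting_path": starting_path,
    }


if __name__ == "__main__":
    for ip, port in collect_servers(CONFIG_SAMPLES):
        print(f"{ip}:{port}")
    print(parse_beacon(BEACON_SAMPLE))
```

collect_servers gives a de-duplicated endpoint list for blocking or for pivoting between the configs posted over the course of the thread. parse_beacon exposes the software inventory the bot sends to its server, which in the posted beacon includes analysis tools such as Fiddler, SoftICE and Syser; that is worth keeping in mind when a sandbox image carries those tools.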