{
	"id": "93b03bc9-1dd7-4384-bb4a-1729a15bfdc1",
	"created_at": "2026-04-06T02:11:01.560258Z",
	"updated_at": "2026-04-10T03:20:38.418894Z",
	"deleted_at": null,
	"sha1_hash": "7a45cdadecee73452952de96a2907361154fa024",
	"title": "Recent Dridex activity - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2353001,
	"plain_text": "Recent Dridex activity - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-06 01:38:29 UTC\r\nIntroduction\r\nFor the past month or so, I hadn't had any luck finding active malspam campaigns pushing Dridex malware. That changed starting this week, and I've since found several examples. Today's diary reviews an infection from Wednesday, September 9th, 2020.\r\nThe Word documents\r\nWhile searching VirusTotal, I found three documents with the same template that generated the same type of traffic (read: SHA256 hash - name):\r\nfee5bb973112d58445d9e267e0ceea137d9cc1fb8a7140cf9a67472c9499a30f - Info-3948683568.doc\r\n9b747e89874c0b080cf78ed61a1ccbd9c86045dc61b433116461e3e81eee1348 - Inform-34674869.doc\r\n27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428 - Rep-Sept2020.doc\r\nShown above: Screenshot of the template used by all three of the above listed Word documents.\r\nMy lab environment revealed these documents are designed to infect a vulnerable Windows host with Dridex.\r\nhttps://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/\r\nPage 1 of 9\n\nEnabling macros caused PowerShell to retrieve a DLL file from one of the following URLs over encrypted HTTPS traffic:\r\nhxxps://teworhfoundation[.]com/4jvmow.zip\r\nhxxps://teworhfoundation[.]com/zd0pcc.rar\r\nhxxps://thecandidtales[.]com/doakai.zip\r\nhxxps://safaktasarim[.]com/7zcsfo.txt\r\nhxxps://thecandidtales[.]com/wuom4a.rar\r\nAfter the DLL was saved under the victim's profile, it was run using rundll32.exe. The DLL is an installer for Dridex, and it was run using the following command:\r\n\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\[username]\\Mqfzqp8\\Opzvzn2\\Qzpic6r.dll 0\r\nShown above: Location of the initial DLL to install Dridex on an infected Windows host.\r\nDridex infection traffic\r\nDridex post-infection traffic is all HTTPS. 
In this case, we saw HTTPS traffic over the following IP addresses and ports:\r\n67.213.75[.]205 port 443\r\n54.39.34[.]26 port 453\r\nShown above: Traffic from the Dridex infection filtered in Wireshark.\r\nMost of the Dridex post-infection traffic I've seen uses IP addresses without domain names, and issuer data for the SSL/TLS certificates is somewhat unusual. Certificate issuer data for the Dridex post-infection traffic:\r\nCERTIFICATE ISSUER DATA FOR HTTPS TRAFFIC TO 67.213.75[.]205 OVER TCP PORT 443:\r\nid-at-countryName=HR\r\nid-at-localityName=Zagreb\r\nid-at-organizationName=Wageng Unltd.\r\nid-at-organizationalUnitName=obendmma\r\nid-at-commonName=Livedthtsthw.flights\r\nCERTIFICATE ISSUER DATA FOR HTTPS TRAFFIC TO 54.39.34[.]26 OVER TCP PORT 453:\r\nid-at-countryName=DE\r\nid-at-stateOrProvinceName=Sheso thanthefo\r\nid-at-localityName=Berlin\r\nid-at-organizationName=Thedelor Tbrra SICAV\r\nid-at-organizationalUnitName=5Coiesily Begtherdr istwarscon\r\nid-at-commonName=Bath7epran.toshiba\r\nShown above: Certificate issuer data for HTTPS traffic to 67.213.75[.]205 over TCP port 443 found in Wireshark.\r\nShown above: Certificate issuer data for HTTPS traffic to 54.39.34[.]26 over TCP port 453 found in Wireshark.\r\nDridex persistence on an infected Windows host\r\nDridex is made persistent on an infected Windows host using 3 methods simultaneously:\r\nWindows registry update\r\nScheduled task\r\nWindows startup menu shortcut\r\nDridex uses copies of legitimate Windows system files (EXEs) to load and run malware. 
Dridex DLL files are named as DLLs that would normally be run by these copied system EXEs.\r\nFor this infection, all of the persistent Dridex DLL files were 64-bit DLL files.\r\nWINDOWS REGISTRY UPDATE:\r\n- Registry Key: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n- Value name: Vwqmkqmr\r\n- Value type: REG_SZ\r\n- Value data: C:\\Users\\[username]\\AppData\\Roaming\\Thunderbird\\Profiles\\1ovarfyl.default-release\\ImapMail\\.outlook.com\\Uw0NWHoOi\\DWWIN.EXE\r\nNOTE: DWWIN.EXE loads and runs a Dridex DLL file named VERSION.dll in the same directory.\r\nShown above: Windows registry update used to keep Dridex persistent on an infected host.\r\nShown above: Legitimate EXE called by registry update, and Dridex DLL in the same directory.\r\nSCHEDULED TASK:\r\n- Task name: Qgdopf\r\n- Action: Start a program\r\n- Details: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\0pFtxbOGXwr\\DmNotificationBroker.exe\r\nNOTE: DmNotificationBroker.exe loads and runs a Dridex DLL file named DUI70.dll in the same directory.\r\nShown above: Scheduled task on the same infected Windows host also used to keep Dridex persistent.\r\nShown above: Legitimate EXE called by scheduled task, and Dridex DLL in the same directory.\r\nWINDOWS STARTUP MENU SHORTCUT:\r\nShortcut: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Somdjvzvjfch.lnk\r\nTarget: C:\\Users\\[username]\\AppData\\Roaming\\Mozilla\\Extensions\\r0F\\msinfo32.exe\r\nNOTE: msinfo32.exe loads and runs a Dridex DLL file named MFC42u.dll in the same directory.\r\nShown above: Windows start menu shortcut also used to keep Dridex persistent on the same infected Windows host.\r\nShown above: Legitimate EXE called by start menu shortcut, and Dridex DLL in the same 
directory.\r\nIndicators of Compromise (IOCs)\r\nThree examples of Microsoft Word documents with macros for Dridex:\r\nSHA256 hash: fee5bb973112d58445d9e267e0ceea137d9cc1fb8a7140cf9a67472c9499a30f\r\nFile size: 136,262 bytes\r\nFile name: Info-3948683568.doc\r\nSHA256 hash: 9b747e89874c0b080cf78ed61a1ccbd9c86045dc61b433116461e3e81eee1348\r\nFile size: 136,182 bytes\r\nFile name: Inform-34674869.doc\r\nSHA256 hash: 27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428\r\nFile size: 135,053 bytes\r\nFile name: Rep-Sept2020.doc\r\nInstaller DLL for Dridex called by Word macro:\r\nSHA256 hash: 790b0d9e2b17f637c3e03e410aa22d16eccfefd28d74b226a293c9696edb60ad\r\nFile size: 331,776 bytes\r\nFile location: hxxps://thecandidtales[.]com/doakai.zip\r\nFile location: C:\\Users\\[username]\\MqFZqp8\\OpZVzn2\\Qzpic6r.dll\r\nRun method: rundll32.exe [file name] 0\r\nDridex 64-bit DLL files persistent on the infected Windows host:\r\nSHA256 hash: fd8049d573c056b92960ba7b0949d9f3a97416d333fa602ce683ef822986ad58\r\nFile size: 1,580,032 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\0pFtxbOGXwr\\DUI70.dll\r\nRun method: Loaded and run by legitimate system file DmNotificationBroker.exe in the same directory\r\nNote: Made persistent through scheduled task\r\nSHA256 hash: 719a8634a16beb77e6d5c6bb7f82a96c6a49d5cfa64463754fd5f0e5eb0581be\r\nFile size: 1,325,056 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\Mozilla\\Extensions\\r0F\\MFC42u.dll\r\nRun method: Loaded and run by legitimate system file msinfo32.exe in the same directory\r\nNote: Made persistent through start menu shortcut\r\nSHA256 hash: 4d7d8d1790d494a1a29dae42810a3a10864f7c38148c3600c76491931c767c5c\r\nFile size: 1,297,920 bytes\r\nFile location: 
C:\\Users\\[username]\\AppData\\Roaming\\Thunderbird\\Profiles\\1ovarfyl.default-release\\ImapMail\\.outlook.com\\Uw0NWHoOi\\VERSION.dll\r\nRun method: Loaded and run by legitimate system file DWWIN.EXE in the same directory\r\nNote: Made persistent through Windows registry update\r\nURLs from Word macro to retrieve Dridex DLL installer:\r\nhxxps://teworhfoundation[.]com/4jvmow.zip\r\nhxxps://teworhfoundation[.]com/zd0pcc.rar\r\nhxxps://thecandidtales[.]com/doakai.zip\r\nhxxps://safaktasarim[.]com/7zcsfo.txt\r\nhxxps://thecandidtales[.]com/wuom4a.rar\r\nCertificate data for Dridex HTTPS traffic to 67.213.75[.]205 port 443:\r\nid-at-countryName=HR\r\nid-at-localityName=Zagreb\r\nid-at-organizationName=Wageng Unltd.\r\nid-at-organizationalUnitName=obendmma\r\nid-at-commonName=Livedthtsthw.flights\r\nCertificate data for Dridex HTTPS traffic to 54.39.34[.]26 port 453:\r\nid-at-countryName=DE\r\nid-at-stateOrProvinceName=Sheso thanthefo\r\nid-at-localityName=Berlin\r\nid-at-organizationName=Thedelor Tbrra SICAV\r\nid-at-organizationalUnitName=5Coiesily Begtherdr istwarscon\r\nid-at-commonName=Bath7epran.toshiba\r\nFinal words\r\nAfter a period of inactivity, malspam pushing Dridex malware is back, so this blog post reviewed traffic and malware from an infected Windows host. While not much has changed, it's always good to have a refresher.\r\nAs usual, up-to-date Windows hosts with the latest security patches and users who follow best security practices are not likely to get infected with this malware. 
However, I've seen so much come through in the past two or three days that even a small percentage of success will likely be profitable for the criminals behind it.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/"
	],
	"report_names": [
		"26550"
	],
	"threat_actors": [],
	"ts_created_at": 1775441461,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a45cdadecee73452952de96a2907361154fa024.pdf",
		"text": "https://archive.orkl.eu/7a45cdadecee73452952de96a2907361154fa024.txt",
		"img": "https://archive.orkl.eu/7a45cdadecee73452952de96a2907361154fa024.jpg"
	}
}