A forum for reverse engineering, OS internals and malware analysis 

WinNT/Cridex (alias Dridex, Drixed)

Forum for analysis and discussion about malware.

Re: Win32/Cridex

 #18795  by EP_X0FF
 Mon Apr 01, 2013 4:43 pm
Cridex, payload of BH EK.

Detection ratio: 2 / 46

AhnLab-V3 Downloader/Win32.Andromeda
Kingsoft Win32.Heur.KVMF58.hy.(kcloud)

SHA256: 4c05465801f7da23ddc8d6220fdd1734e9207f08db4d4d6e08ebf92b396366ca
SHA1: 39095cd787ea3815df6e0cf00ef89ce4dc8478ae
MD5: 2b04bea28ebaf806f20582ecc9b54af0

https://www.virustotal.com/en/file/4c05 ... 364833020/
Attachments
pass: infected
(81.17 KiB) Downloaded 96 times

Re: Win32/Cridex

 #20715  by patriq
 Wed Sep 04, 2013 5:19 pm
maybe this is old/unwanted info..

more details on the previous sample
Code: Select all
http://anubis.iseclab.org/?action=result&task_id=1ef9d0eda5b4d0c843121c82fea60b045
sample makes an http post:
(bad request)
Code: Select all
http://37.59.36.93:8080/FPOJJAAAA/0duD1BAA/xnp1u/
ISPConfig panel
Code: Select all
https://37.59.36.93:8080/
37.59.36.93
Country: FR

Re: Win32/Cridex

 #20762  by unixfreaxjp
 Tue Sep 10, 2013 4:53 am
Funny. Can't see new Cridex in anywhere..
Good news indeed, but can't help to wonder why?

Any idea why? @EP_X0FF

Re: Win32/Cridex

 #20763  by EP_X0FF
 Tue Sep 10, 2013 5:44 am
Previously it was distributed mostly (if not only) from BH EK's along with Sirefef. What is the most prevalent bot distributed today from BH EK?

Re: Win32/Cridex

 #20793  by forty-six
 Thu Sep 12, 2013 1:59 pm
BEK. /closest/ 100KB = dropped 165KB = update. Pulled down ZA as well. Looks like code update. Standard pass.
Attachments
(191.14 KiB) Downloaded 90 times

Re: Win32/Cridex

 #20812  by EP_X0FF
 Fri Sep 13, 2013 4:28 am
unixfreaxjp wrote:Any idea why? @EP_X0FF
From the above post (decrypted Cridex.L sample)
img1.png
img1.png (13.39 KiB) Viewed 716 times
It is alive and under active development.

Re: Win32/Cridex

 #20840  by unixfreaxjp
 Sun Sep 15, 2013 8:28 pm
EP_X0FF wrote:Previously it was distributed mostly (if not only) from BH EK's along with Sirefef. What is the most prevalent bot distributed today from BH EK?
Fareit, Zbot(Gameover), ZeroAccess, and recently they start to use Medfos in their malvertisement,
PoC of Medfos exists (yes is rare): http://malwaremustdie.blogspot.com/2013 ... -plan.html
Sometimes found Cutwails among those too.
EP_X0FF wrote:From the above post (decrypted Cridex.L sample)
It is alive and under active development.
Copy that. Thank's for your confirmation + to @forty-six for the sample. On it.

Rgds!

Re: Win32/Cridex

 #21452  by markusg
 Mon Nov 25, 2013 6:44 pm
hi its only needed to put infected links in code taks, links to vt you can post without.

Re: Win32/Cridex

 #21479  by forty-six
 Fri Nov 29, 2013 5:05 am
Unpacked blub's sample and re-attached.

hxtp://renataltd[.]ru
hxtp://montierco[].ru
hxtp://pianiykrolik[.]ru
hxtp://masterupdate[.]ru
hxtp://updatecheck[.]co[.]ua
Attachments
(34.95 KiB) Downloaded 83 times
  • 1
  • 6
  • 7
  • 8
  • 9
  • 10
  • 15
 Return to “Malware”