win.doppeldridex

DoppelDridex

Actor(s): DOPPEL SPIDER


DoppelDridex is a fork of Indrik Spider's Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure.

References
2022-04-20 | CISA | Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
    AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
    Tags: VPNFilter, BlackEnergy, DanaBot, DoppelDridex, Emotet, EternalPetya, GoldMax, Industroyer, Sality, SmokeLoader, TrickBot, Triton, Zloader

2022-04-20 | CISA | CISA
    Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
    Tags: VPNFilter, BlackEnergy, DanaBot, DoppelDridex, Emotet, EternalPetya, GoldMax, Industroyer, Sality, SmokeLoader, TrickBot, Triton, Zloader, Killnet

2021-12-20 | Bleeping Computer | Lawrence Abrams
    Log4j vulnerability now used to install Dridex banking malware
    Tags: DoppelDridex, Meterpreter

2021-12-20 | InQuest | Nick Chalard
    (Don't) Bring Dridex Home for the Holidays
    Tags: DoppelDridex, Dridex

2021-11-21 | Cyber-Anubis | Nidal Fikri
    Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction
    Tags: DoppelDridex, Dridex

2021-11-05 | Blackberry | The BlackBerry Research & Intelligence Team
    Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
    Tags: Cobalt Strike, DoppelDridex, Mount Locker, Phobos, StrongPity

2021-11-03 | Team Cymru | tcblogposts
    Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaissance
    Tags: DoppelDridex, IcedID, QakBot, Zloader

2021-10-28 | Proofpoint | Axel F, Selena Larson
    TA575 Uses 'Squid Game' Lures to Distribute Dridex malware
    Tags: DoppelDridex, TA575

2021-10-28 | Twitter (@BrettCallow) | Brett Callow
    Tweet on suspected actor behind Payorgrief ransomware
    Tags: DoppelDridex, DoppelPaymer

2021-10-26 | 0ffset Blog | Chuong Dong
    DRIDEX: Analysing API Obfuscation Through VEH
    Tags: DoppelDridex

2021-09-27 | Security Soup Blog | Ryan Campbell
    DoppelDridex Delivered via Slack and Discord
    Tags: DoppelDridex

2021-09-10 | Fortinet | Xiaopeng Zhang
    New Dridex Variant Being Spread By Crafted Excel Document
    Tags: DoppelDridex

2021-08-05 | Red Canary | Brian Donohue, Dan Cotton, Tony Lambert
    When Dridex and Cobalt Strike give you Grief
    Tags: Cobalt Strike, DoppelDridex, DoppelPaymer

2021-02-15 | Medium s2wlab | Sojun Ryu
    Operation SyncTrek
    Tags: AbaddonPOS, Azorult, Clop, DoppelDridex, DoppelPaymer, Dridex, PwndLocker

2020-03-04 | CrowdStrike | CrowdStrike
    2020 CrowdStrike Global Threat Report
    Tags: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, Vidar, Winnti, ANTHROPOID SPIDER, APT23, APT31, APT39, APT40, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, GOBLIN PANDA, MONTY SPIDER, MUSTANG PANDA, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER, VICEROY TIGER

2019-07-12 | CrowdStrike | Bex Hartley, Brett Stone-Gross, Sergei Frankoff
    BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
    Tags: DoppelDridex, DoppelPaymer, Dridex, FriedEx
Yara Rules
[TLP:WHITE] win_doppeldridex_auto (20260504 | Detects win.doppeldridex.)
rule win_doppeldridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.doppeldridex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { ffb424a0010000 8d5380 e8???????? 8b842494010000 }
            // n = 4, score = 1200
            //   ffb424a0010000       | push                dword ptr [esp + 0x1a0]
            //   8d5380               | lea                 edx, [ebx - 0x80]
            //   e8????????           |                     
            //   8b842494010000       | mov                 eax, dword ptr [esp + 0x194]

        $sequence_1 = { 8b9998010000 895c2410 8ba984010000 896c2414 660fd6442418 660fd6442420 e8???????? }
            // n = 7, score = 1200
            //   8b9998010000         | mov                 ebx, dword ptr [ecx + 0x198]
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   8ba984010000         | mov                 ebp, dword ptr [ecx + 0x184]
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp
            //   660fd6442418         | movq                qword ptr [esp + 0x18], xmm0
            //   660fd6442420         | movq                qword ptr [esp + 0x20], xmm0
            //   e8????????           |                     

        $sequence_2 = { 89442404 660fd6442408 895c2410 8bb980000000 0fb602 897c2414 89442418 }
            // n = 7, score = 1200
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   660fd6442408         | movq                qword ptr [esp + 8], xmm0
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   8bb980000000         | mov                 edi, dword ptr [ecx + 0x80]
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_3 = { 8b760c 89842494010000 89b424a8010000 6a00 8d8c24b0000000 }
            // n = 5, score = 1200
            //   8b760c               | mov                 esi, dword ptr [esi + 0xc]
            //   89842494010000       | mov                 dword ptr [esp + 0x194], eax
            //   89b424a8010000       | mov                 dword ptr [esp + 0x1a8], esi
            //   6a00                 | push                0
            //   8d8c24b0000000       | lea                 ecx, [esp + 0xb0]

        $sequence_4 = { c78424a401000000000000 83c4d8 660fefc0 893424 }
            // n = 4, score = 1200
            //   c78424a401000000000000     | mov    dword ptr [esp + 0x1a4], 0
            //   83c4d8               | add                 esp, -0x28
            //   660fefc0             | pxor                xmm0, xmm0
            //   893424               | mov                 dword ptr [esp], esi

        $sequence_5 = { 50 8d4890 e8???????? 8b8424a4010000 8d9c24e8010000 }
            // n = 5, score = 1200
            //   50                   | push                eax
            //   8d4890               | lea                 ecx, [eax - 0x70]
            //   e8????????           |                     
            //   8b8424a4010000       | mov                 eax, dword ptr [esp + 0x1a4]
            //   8d9c24e8010000       | lea                 ebx, [esp + 0x1e8]

        $sequence_6 = { 33c0 48 8bfe 8bda 2bf8 2bd8 0bfb }
            // n = 7, score = 1200
            //   33c0                 | xor                 eax, eax
            //   48                   | dec                 eax
            //   8bfe                 | mov                 edi, esi
            //   8bda                 | mov                 ebx, edx
            //   2bf8                 | sub                 edi, eax
            //   2bd8                 | sub                 ebx, eax
            //   0bfb                 | or                  edi, ebx

        $sequence_7 = { 8d8c248c010000 e8???????? 8d8c24d0010000 e8???????? 8d8c24c8010000 }
            // n = 5, score = 1200
            //   8d8c248c010000       | lea                 ecx, [esp + 0x18c]
            //   e8????????           |                     
            //   8d8c24d0010000       | lea                 ecx, [esp + 0x1d0]
            //   e8????????           |                     
            //   8d8c24c8010000       | lea                 ecx, [esp + 0x1c8]

        $sequence_8 = { e8???????? 8b4588 2b45f0 8b4da8 890c24 89442404 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b4588               | mov                 eax, dword ptr [ebp - 0x78]
            //   2b45f0               | sub                 eax, dword ptr [ebp - 0x10]
            //   8b4da8               | mov                 ecx, dword ptr [ebp - 0x58]
            //   890c24               | mov                 dword ptr [esp], ecx
            //   89442404             | mov                 dword ptr [esp + 4], eax

        $sequence_9 = { 83f800 8945f4 894df0 8955ec 752b }
            // n = 5, score = 100
            //   83f800               | cmp                 eax, 0
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   752b                 | jne                 0x2d

        $sequence_10 = { 8955ec 752b 8b45ec 83c418 5b 5d }
            // n = 6, score = 100
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   752b                 | jne                 0x2d
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   83c418               | add                 esp, 0x18
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp

        $sequence_11 = { 8b45d4 0fb708 8b55dc 83c201 }
            // n = 4, score = 100
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   0fb708               | movzx               ecx, word ptr [eax]
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   83c201               | add                 edx, 1

        $sequence_12 = { 8b0d???????? 8945c8 ffd1 8b4dec }
            // n = 4, score = 100
            //   8b0d????????         |                     
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   ffd1                 | call                ecx
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]

        $sequence_13 = { 83fe00 0f94c3 39ce 0f94c7 08fb f6c301 8975d8 }
            // n = 7, score = 100
            //   83fe00               | cmp                 esi, 0
            //   0f94c3               | sete                bl
            //   39ce                 | cmp                 esi, ecx
            //   0f94c7               | sete                bh
            //   08fb                 | or                  bl, bh
            //   f6c301               | test                bl, 1
            //   8975d8               | mov                 dword ptr [ebp - 0x28], esi

        $sequence_14 = { 8b4508 b902000000 8d55cc bed092c50d 31ff c745f0d08ec50d }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   b902000000           | mov                 ecx, 2
            //   8d55cc               | lea                 edx, [ebp - 0x34]
            //   bed092c50d           | mov                 esi, 0xdc592d0
            //   31ff                 | xor                 edi, edi
            //   c745f0d08ec50d       | mov                 dword ptr [ebp - 0x10], 0xdc58ed0

        $sequence_15 = { 57 83ec44 8b4508 31c9 ba00100000 beb0af4e67 c745f0b09f4c67 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   83ec44               | sub                 esp, 0x44
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   31c9                 | xor                 ecx, ecx
            //   ba00100000           | mov                 edx, 0x1000
            //   beb0af4e67           | mov                 esi, 0x674eafb0
            //   c745f0b09f4c67       | mov                 dword ptr [ebp - 0x10], 0x674c9fb0

    condition:
        7 of them and filesize < 360448
}