win.doppeldridex

DoppelDridex

Actor(s): DOPPEL SPIDER


DoppelDridex is a fork of Indrik Spider's Dridex malware. It has been run as a parallel operation to Dridex, with a different malware versioning system, a different RSA key, and separate infrastructure.

References
2021-11-21 | Cyber-Anubis | Nidal Fikri
Drdiex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction
@online{fikri:20211121:drdiex:b9218fa, author = {Nidal Fikri}, title = {{Drdiex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction}}, date = {2021-11-21}, organization = {Cyber-Anubis}, url = {https://cyber-anubis.github.io/malware%20analysis/dridex/}, language = {English}, urldate = {2021-11-25} }
Families: DoppelDridex, Dridex

2021-11-05 | Blackberry | The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
@online{team:20211105:hunter:3c7bab9, author = {The BlackBerry Research & Intelligence Team}, title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}}, date = {2021-11-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/zebra2104}, language = {English}, urldate = {2021-11-08} }
Families: Cobalt Strike, DoppelDridex, Mount Locker, Phobos, StrongPity

2021-11-03 | Team Cymru | tcblogposts
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
@online{tcblogposts:20211103:webinject:f4d41bb, author = {tcblogposts}, title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}}, date = {2021-11-03}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/}, language = {English}, urldate = {2021-11-08} }
Families: DoppelDridex, IcedID, QakBot, Zloader

2021-10-28 | Twitter (@BrettCallow) | Brett Callow
Tweet on suspected actor behind Payorgrief ransomware
@online{callow:20211028:suspected:ae61e43, author = {Brett Callow}, title = {{Tweet on suspected actor behind Payorgrief ransomware}}, date = {2021-10-28}, organization = {Twitter (@BrettCallow)}, url = {https://twitter.com/BrettCallow/status/1453557686830727177?s=20}, language = {English}, urldate = {2021-11-08} }
Families: DoppelDridex, DoppelPaymer

2021-10-28 | Proofpoint | Axel F, Selena Larson
TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware
@online{f:20211028:ta575:c1cfdd7, author = {Axel F and Selena Larson}, title = {{TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware}}, date = {2021-10-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware}, language = {English}, urldate = {2021-11-03} }
Families: DoppelDridex

2021-10-26 | 0ffset Blog | Chuong Dong
DRIDEX: Analysing API Obfuscation Through VEH
@online{dong:20211026:dridex:e054dc4, author = {Chuong Dong}, title = {{DRIDEX: Analysing API Obfuscation Through VEH}}, date = {2021-10-26}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/}, language = {English}, urldate = {2021-11-03} }
Families: DoppelDridex

2021-09-27 | Security Soup Blog | Ryan Campbell
DoppelDridex Delivered via Slack and Discord
@online{campbell:20210927:doppeldridex:daa5f69, author = {Ryan Campbell}, title = {{DoppelDridex Delivered via Slack and Discord}}, date = {2021-09-27}, organization = {Security Soup Blog}, url = {https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/}, language = {English}, urldate = {2021-09-29} }
Families: DoppelDridex

2021-09-10 | Fortinet | Xiaopeng Zhang
New Dridex Variant Being Spread By Crafted Excel Document
@online{zhang:20210910:new:25d8475, author = {Xiaopeng Zhang}, title = {{New Dridex Variant Being Spread By Crafted Excel Document}}, date = {2021-09-10}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true}, language = {English}, urldate = {2021-09-12} }
Families: DoppelDridex

2021-08-05 | Red Canary | Tony Lambert, Brian Donohue, Dan Cotton
When Dridex and Cobalt Strike give you Grief
@online{lambert:20210805:when:aeb7b10, author = {Tony Lambert and Brian Donohue and Dan Cotton}, title = {{When Dridex and Cobalt Strike give you Grief}}, date = {2021-08-05}, organization = {Red Canary}, url = {https://redcanary.com/blog/grief-ransomware/}, language = {English}, urldate = {2021-09-10} }
Families: Cobalt Strike, DoppelDridex, DoppelPaymer

2021-02-15 | Medium s2wlab | Sojun Ryu
Operation SyncTrek
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} }
Families: AbaddonPOS, Azorult, Clop, DoppelDridex, DoppelPaymer, Dridex, PwndLocker

2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Families: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti
Actors: ANTHROPOID SPIDER, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, Pirate Panda, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER
Yara Rules
[TLP:WHITE] win_doppeldridex_auto (20211008 | Detects win.doppeldridex.)
rule win_doppeldridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.doppeldridex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c004 50 8b4c2408 e8???????? 8b4c2404 8b6b30 e8???????? }
            // n = 7, score = 1100
            //   83c004               | add                 eax, 4
            //   50                   | push                eax
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   e8????????           |                     
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   8b6b30               | mov                 ebp, dword ptr [ebx + 0x30]
            //   e8????????           |                     

        $sequence_1 = { 32db 8d842488000000 c6408c01 50 8d4c2434 e8???????? }
            // n = 6, score = 1100
            //   32db                 | xor                 bl, bl
            //   8d842488000000       | lea                 eax, dword ptr [esp + 0x88]
            //   c6408c01             | mov                 byte ptr [eax - 0x74], 1
            //   50                   | push                eax
            //   8d4c2434             | lea                 ecx, dword ptr [esp + 0x34]
            //   e8????????           |                     

        $sequence_2 = { 807b1000 741c 8b430c 85c0 7405 }
            // n = 5, score = 1100
            //   807b1000             | cmp                 byte ptr [ebx + 0x10], 0
            //   741c                 | je                  0x1e
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7

        $sequence_3 = { 687ec40208 6845451510 e8???????? 85c0 7411 33d2 52 }
            // n = 7, score = 1100
            //   687ec40208           | push                0x802c47e
            //   6845451510           | push                0x10154545
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   33d2                 | xor                 edx, edx
            //   52                   | push                edx

        $sequence_4 = { 660fefc0 8d8188000000 c700fc6a84f7 660fd64008 e8???????? 83c010 }
            // n = 6, score = 1100
            //   660fefc0             | pxor                xmm0, xmm0
            //   8d8188000000         | lea                 eax, dword ptr [ecx + 0x88]
            //   c700fc6a84f7         | mov                 dword ptr [eax], 0xf7846afc
            //   660fd64008           | movq                qword ptr [eax + 8], xmm0
            //   e8????????           |                     
            //   83c010               | add                 eax, 0x10

        $sequence_5 = { 0f94c2 896808 895804 8850fc 53 8d4c2404 e8???????? }
            // n = 7, score = 1100
            //   0f94c2               | sete                dl
            //   896808               | mov                 dword ptr [eax + 8], ebp
            //   895804               | mov                 dword ptr [eax + 4], ebx
            //   8850fc               | mov                 byte ptr [eax - 4], dl
            //   53                   | push                ebx
            //   8d4c2404             | lea                 ecx, dword ptr [esp + 4]
            //   e8????????           |                     

        $sequence_6 = { 6a06 5a 8d4c2440 e8???????? 6a00 ff742444 8d4c2424 }
            // n = 7, score = 1100
            //   6a06                 | push                6
            //   5a                   | pop                 edx
            //   8d4c2440             | lea                 ecx, dword ptr [esp + 0x40]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff742444             | push                dword ptr [esp + 0x44]
            //   8d4c2424             | lea                 ecx, dword ptr [esp + 0x24]

        $sequence_7 = { 50 e8???????? 83c40c 8b3c24 8bcf baffffff7f c744241818000000 }
            // n = 7, score = 1100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b3c24               | mov                 edi, dword ptr [esp]
            //   8bcf                 | mov                 ecx, edi
            //   baffffff7f           | mov                 edx, 0x7fffffff
            //   c744241818000000     | mov                 dword ptr [esp + 0x18], 0x18

        $sequence_8 = { 8d8c2498000000 e8???????? 8bbc2490000000 8d8c2480000000 e8???????? 50 8d4c2474 }
            // n = 7, score = 1100
            //   8d8c2498000000       | lea                 ecx, dword ptr [esp + 0x98]
            //   e8????????           |                     
            //   8bbc2490000000       | mov                 edi, dword ptr [esp + 0x90]
            //   8d8c2480000000       | lea                 ecx, dword ptr [esp + 0x80]
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d4c2474             | lea                 ecx, dword ptr [esp + 0x74]

        $sequence_9 = { 52 8d4a24 e8???????? 8d542440 68f56d1891 }
            // n = 5, score = 1100
            //   52                   | push                edx
            //   8d4a24               | lea                 ecx, dword ptr [edx + 0x24]
            //   e8????????           |                     
            //   8d542440             | lea                 edx, dword ptr [esp + 0x40]
            //   68f56d1891           | push                0x91186df5

    condition:
        7 of them and filesize < 360448
}