Dridex (Malware Family)

Dridex

URLhaus
OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term."
According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method."
IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."
References

https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/
https://securityintelligence.com/dridexs-cold-war-enter-atombombing/
https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps
https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/
https://viql.github.io/dridex/
https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
Yara Rules

[TLP:WHITE] win_dridex_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_dridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 84c0 74?? b9e8030000 e8???????? }
            // n = 4, score = 4300
            //   84c0                 | mov                 ebx, edx
            //   74??                 |                     
            //   b9e8030000           | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 84c0 74?? b9e8030000 e8???????? }
            // n = 4, score = 4300
            //   84c0                 | test                al, al
            //   74??                 |                     
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   e8????????           |                     

        $sequence_2 = { e8???????? 84c0 74?? b9e8030000 }
            // n = 4, score = 4100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   74??                 |                     
            //   b9e8030000           | mov                 ecx, 0x3e8

        $sequence_3 = { e8???????? 84c0 74?? b9e8030000 e8???????? }
            // n = 5, score = 4100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   74??                 |                     
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   e8????????           |                     

        $sequence_4 = { 84c0 74?? b9e8030000 e8???????? b301 }
            // n = 5, score = 3800
            //   84c0                 | test                al, al
            //   74??                 |                     
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   e8????????           |                     
            //   b301                 | mov                 bl, 1

        $sequence_5 = { 53 53 53 6a01 53 ffd0 }
            // n = 6, score = 3100
            //   53                   | mov                 byte ptr [ebp - 0x55], bl
            //   53                   | mov                 dword ptr [ebp - 0x3c], edi
            //   53                   | mov                 dword ptr [ebp - 0x5c], esi
            //   6a01                 | mov                 dword ptr [ebp - 0x60], eax
            //   53                   | mov                 dword ptr [ebp - 0x40], eax
            //   ffd0                 | mov                 dword ptr [ebp - 0x44], edx

        $sequence_6 = { 53 53 53 6a01 53 ffd0 }
            // n = 6, score = 3100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   ffd0                 | call                eax

        $sequence_7 = { eb?? e8???????? eb?? 6a7f 58 }
            // n = 5, score = 3000
            //   eb??                 |                     
            //   e8????????           |                     
            //   eb??                 |                     
            //   6a7f                 | push                0x7f
            //   58                   | pop                 eax

        $sequence_8 = { ffd0 85c0 74?? 33c0 eb?? e8???????? eb?? }
            // n = 7, score = 3000
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   33c0                 | xor                 eax, eax
            //   eb??                 |                     
            //   e8????????           |                     
            //   eb??                 |                     

        $sequence_9 = { eb?? e8???????? eb?? 6a7f }
            // n = 4, score = 3000
            //   eb??                 |                     
            //   e8????????           |                     
            //   eb??                 |                     
            //   6a7f                 | push                0x7f

        $sequence_10 = { ffd0 85c0 74?? 33c0 eb?? e8???????? }
            // n = 6, score = 3000
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   33c0                 | xor                 eax, eax
            //   eb??                 |                     
            //   e8????????           |                     

        $sequence_11 = { 85c0 74?? 33c0 eb?? e8???????? eb?? }
            // n = 6, score = 3000
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   33c0                 | xor                 eax, eax
            //   eb??                 |                     
            //   e8????????           |                     
            //   eb??                 |                     

        $sequence_12 = { eb?? e8???????? eb?? 6a7f 58 }
            // n = 5, score = 3000
            //   eb??                 |                     
            //   e8????????           |                     
            //   eb??                 |                     
            //   6a7f                 | mov                 dword ptr [ebp - 0x60], eax
            //   58                   | mov                 eax, dword ptr [ebp - 0x5c]

        $sequence_13 = { eb?? e8???????? eb?? 6a7f }
            // n = 4, score = 3000
            //   eb??                 |                     
            //   e8????????           |                     
            //   eb??                 |                     
            //   6a7f                 | mov                 dword ptr [ebp - 0x5c], esi

        $sequence_14 = { e8???????? 85c0 74?? 53 53 53 6a01 }
            // n = 7, score = 2700
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [ebp - 0x3c], ecx
            //   74??                 |                     
            //   53                   | mov                 eax, dword ptr [ebp - 0x44]
            //   53                   | mov                 dword ptr [ebp - 0x3c], ecx
            //   53                   | mov                 eax, dword ptr [ebp - 0x44]
            //   6a01                 | add                 eax, dword ptr [eax + 0x3c]

        $sequence_15 = { 85c0 74?? 53 53 53 6a01 53 }
            // n = 7, score = 2700
            //   85c0                 | pop                 eax
            //   74??                 |                     
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   53                   | push                ebx

        $sequence_16 = { 6a01 53 ffd0 a3???????? eb?? }
            // n = 5, score = 2700
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   ffd0                 | push                ebx
            //   a3????????           |                     
            //   eb??                 |                     

        $sequence_17 = { 74?? 53 53 53 6a01 53 }
            // n = 6, score = 2700
            //   74??                 |                     
            //   53                   | call                eax
            //   53                   | test                eax, eax
            //   53                   | push                ebx
            //   6a01                 | push                ebx
            //   53                   | push                ebx

        $sequence_18 = { 53 53 6a01 53 ffd0 a3???????? eb?? }
            // n = 7, score = 2700
            //   53                   | mov                 ecx, dword ptr [ebp - 0x44]
            //   53                   | cmp                 word ptr [ecx], 0x5a4d
            //   6a01                 | mov                 dword ptr [ebp - 0x48], eax
            //   53                   | push                0x7f
            //   ffd0                 | push                0x7f
            //   a3????????           |                     
            //   eb??                 |                     

        $sequence_19 = { ffd0 85c0 74?? 8bc7 }
            // n = 4, score = 2600
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   8bc7                 | mov                 eax, edi

        $sequence_20 = { 0f8????????? e9???????? b801000000 c3 31c0 c3 50 }
            // n = 7, score = 2500
            //   0f8?????????         |                     
            //   e9????????           |                     
            //   b801000000           | mov                 ecx, eax
            //   c3                   | test                al, al
            //   31c0                 | mov                 ecx, 0x3e8
            //   c3                   | mov                 eax, 1
            //   50                   | ret                 

        $sequence_21 = { 0f8????????? e9???????? b801000000 c3 31c0 c3 50 }
            // n = 7, score = 2500
            //   0f8?????????         |                     
            //   e9????????           |                     
            //   b801000000           | mov                 eax, 1
            //   c3                   | ret                 
            //   31c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   50                   | push                eax

        $sequence_22 = { ff36 ffd0 8bf8 85ff }
            // n = 4, score = 2500
            //   ff36                 | push                dword ptr [esi]
            //   ffd0                 | call                eax
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi

        $sequence_23 = { c3 31c0 c3 50 }
            // n = 4, score = 2500
            //   c3                   | inc                 sp
            //   31c0                 | mov                 edx, dword ptr [esp + 0x5e]
            //   c3                   | inc                 sp
            //   50                   | mov                 dword ptr [esp + 0x5c], edx

        $sequence_24 = { e9???????? b801000000 c3 31c0 c3 50 }
            // n = 6, score = 2500
            //   e9????????           |                     
            //   b801000000           | dec                 eax
            //   c3                   | mov                 dword ptr [esp + 0x50], ecx
            //   31c0                 | dec                 eax
            //   c3                   | mov                 dword ptr [esp + 0x48], edx
            //   50                   | xor                 eax, eax

        $sequence_25 = { e9???????? b801000000 c3 31c0 c3 50 }
            // n = 6, score = 2500
            //   e9????????           |                     
            //   b801000000           | mov                 eax, 1
            //   c3                   | ret                 
            //   31c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   50                   | push                eax

        $sequence_26 = { 85c0 74?? 33f6 eb?? e8???????? }
            // n = 5, score = 2500
            //   85c0                 | push                ebp
            //   74??                 |                     
            //   33f6                 | mov                 ebp, esp
            //   eb??                 |                     
            //   e8????????           |                     

        $sequence_27 = { 74?? 33f6 eb?? e8???????? }
            // n = 4, score = 2500
            //   74??                 |                     
            //   33f6                 | ret                 
            //   eb??                 |                     
            //   e8????????           |                     

        $sequence_28 = { c3 31c0 c3 50 }
            // n = 4, score = 2500
            //   c3                   | ret                 
            //   31c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   50                   | push                eax

        $sequence_29 = { b801000000 c3 31c0 c3 50 }
            // n = 5, score = 2500
            //   b801000000           | mov                 eax, 1
            //   c3                   | ret                 
            //   31c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   50                   | push                eax

        $sequence_30 = { b801000000 c3 31c0 c3 50 }
            // n = 5, score = 2500
            //   b801000000           | mov                 dword ptr [esp + 0xb8], ecx
            //   c3                   | dec                 esp
            //   31c0                 | mov                 dword ptr [esp + 0xb0], eax
            //   c3                   | dec                 esp
            //   50                   | mov                 dword ptr [esp + 0xa8], edx

        $sequence_31 = { 74?? 33f6 eb?? e8???????? 8bf0 }
            // n = 5, score = 2400
            //   74??                 |                     
            //   33f6                 | push                edi
            //   eb??                 |                     
            //   e8????????           |                     
            //   8bf0                 | push                esi

        $sequence_32 = { 74?? 33f6 eb?? e8???????? 8bf0 eb?? }
            // n = 6, score = 2400
            //   74??                 |                     
            //   33f6                 | push                ebx
            //   eb??                 |                     
            //   e8????????           |                     
            //   8bf0                 | sub                 esp, 0x54
            //   eb??                 |                     

        $sequence_33 = { 33f6 eb?? e8???????? 8bf0 eb?? 6a7f 5e }
            // n = 7, score = 2400
            //   33f6                 | pop                 ebp
            //   eb??                 |                     
            //   e8????????           |                     
            //   8bf0                 | ret                 
            //   eb??                 |                     
            //   6a7f                 | push                ebp
            //   5e                   | mov                 ebp, esp

        $sequence_34 = { 85c0 74?? 33f6 eb?? e8???????? 8bf0 eb?? }
            // n = 7, score = 2400
            //   85c0                 | push                ebx
            //   74??                 |                     
            //   33f6                 | sub                 esp, 0x54
            //   eb??                 |                     
            //   e8????????           |                     
            //   8bf0                 | push                esi
            //   eb??                 |                     

        $sequence_35 = { eb?? e8???????? 8bf0 eb?? 6a7f }
            // n = 5, score = 2400
            //   eb??                 |                     
            //   e8????????           |                     
            //   8bf0                 | xor                 ecx, ecx
            //   eb??                 |                     
            //   6a7f                 | lea                 edx, [ebp - 0x28]

        $sequence_36 = { 33f6 eb?? e8???????? 8bf0 eb?? }
            // n = 5, score = 2400
            //   33f6                 | push                edi
            //   eb??                 |                     
            //   e8????????           |                     
            //   8bf0                 | xor                 esi, esi
            //   eb??                 |                     

        $sequence_37 = { 66448b54245e 66448954245c 48894c2450 4889542448 eb?? 31c0 89c1 }
            // n = 7, score = 1900
            //   66448b54245e         | mov                 dword ptr [esp + 0x40], eax
            //   66448954245c         | dec                 eax
            //   48894c2450           | mov                 dword ptr [esp + 0x38], ecx
            //   4889542448           | dec                 esp
            //   eb??                 |                     
            //   31c0                 | mov                 dword ptr [esp + 0x30], ebx
            //   89c1                 | dec                 esp

        $sequence_38 = { 4589c1 4c8b5c2470 4d01cb 89442440 48894c2438 4c895c2430 }
            // n = 6, score = 1900
            //   4589c1               | dec                 ebp
            //   4c8b5c2470           | add                 edx, ecx
            //   4d01cb               | inc                 esp
            //   89442440             | movzx               eax, cx
            //   48894c2438           | inc                 ebp
            //   4c895c2430           | mov                 ecx, eax

        $sequence_39 = { 4c89d3 48898c24b8000000 4c898424b0000000 4c899424a8000000 }
            // n = 4, score = 1900
            //   4c89d3               | dec                 esp
            //   48898c24b8000000     | mov                 ebx, dword ptr [esp + 0x70]
            //   4c898424b0000000     | dec                 ebp
            //   4c899424a8000000     | add                 ebx, ecx

        $sequence_40 = { 4589c1 4c8b542470 4d01ca 440fb7c1 }
            // n = 4, score = 1900
            //   4589c1               | inc                 ebp
            //   4c8b542470           | mov                 ecx, eax
            //   4d01ca               | dec                 esp
            //   440fb7c1             | mov                 edx, dword ptr [esp + 0x70]

        $sequence_41 = { 890424 e8???????? 31c0 83c420 5e }
            // n = 5, score = 1100
            //   890424               | xor                 eax, eax
            //   e8????????           |                     
            //   31c0                 | ret                 
            //   83c420               | push                eax
            //   5e                   | ret                 

        $sequence_42 = { 01ca 83c205 807c0805e9 8955cc 74?? 8b45cc 31c9 }
            // n = 7, score = 600
            //   01ca                 | xor                 eax, eax
            //   83c205               | ret                 
            //   807c0805e9           | push                eax
            //   8955cc               | mov                 eax, 1
            //   74??                 |                     
            //   8b45cc               | ret                 
            //   31c9                 | xor                 eax, eax

        $sequence_43 = { 897dc4 8975a4 8945a0 74?? eb?? 8b45a4 }
            // n = 6, score = 600
            //   897dc4               | pop                 esi
            //   8975a4               | add                 edx, ecx
            //   8945a0               | add                 edx, 5
            //   74??                 |                     
            //   eb??                 |                     
            //   8b45a4               | cmp                 byte ptr [eax + ecx + 5], 0xe9

        $sequence_44 = { 885dab 897dc4 8975a4 8945a0 74?? }
            // n = 5, score = 600
            //   885dab               | mov                 dword ptr [ebp - 0x34], edx
            //   897dc4               | mov                 eax, dword ptr [ebp - 0x34]
            //   8975a4               | xor                 ecx, ecx
            //   8945a0               | mov                 dword ptr [ebp - 0x3c], ecx
            //   74??                 |                     

        $sequence_45 = { 8b4dbc 6681394d5a 8945b8 894dc4 0f8????????? 8b45b8 813850450000 }
            // n = 7, score = 600
            //   8b4dbc               | test                eax, eax
            //   6681394d5a           | xor                 esi, esi
            //   8945b8               | xor                 esi, esi
            //   894dc4               | mov                 esi, eax
            //   0f8?????????         |                     
            //   8b45b8               | test                eax, eax
            //   813850450000         | xor                 esi, esi

        $sequence_46 = { 8945c0 8955bc 894dc4 0f8????????? 8b45bc }
            // n = 5, score = 600
            //   8945c0               | mov                 eax, dword ptr [ebp - 0x48]
            //   8955bc               | add                 eax, 0x18
            //   894dc4               | mov                 ecx, dword ptr [ebp - 0x48]
            //   0f8?????????         |                     
            //   8b45bc               | mov                 edx, dword ptr [ecx + 0x78]

        $sequence_47 = { 894dc4 0f8????????? 8b45b8 83c018 8b4db8 8b5178 8b75bc }
            // n = 7, score = 600
            //   894dc4               | ret                 
            //   0f8?????????         |                     
            //   8b45b8               | push                eax
            //   83c018               | mov                 eax, 1
            //   8b4db8               | ret                 
            //   8b5178               | xor                 eax, eax
            //   8b75bc               | ret                 

        $sequence_48 = { 8b510c 8b75bc 01d6 8b7dbc }
            // n = 4, score = 600
            //   8b510c               | push                eax
            //   8b75bc               | mov                 dword ptr [esp], eax
            //   01d6                 | xor                 eax, eax
            //   8b7dbc               | add                 esp, 0x20

        $sequence_49 = { 894dc4 0f8????????? 8b45bc 03403c 8b4dbc 6681394d5a 8945b8 }
            // n = 7, score = 600
            //   894dc4               | mov                 esi, dword ptr [ebp - 0x44]
            //   0f8?????????         |                     
            //   8b45bc               | mov                 edx, dword ptr [ecx + 0xc]
            //   03403c               | mov                 esi, dword ptr [ebp - 0x44]
            //   8b4dbc               | add                 esi, edx
            //   6681394d5a           | mov                 edi, dword ptr [ebp - 0x44]
            //   8945b8               | mov                 dword ptr [ebp - 0x3c], edi

        $sequence_50 = { 5b 5e 5d c3 55 89e5 6a00 }
            // n = 7, score = 500
            //   5b                   | mov                 eax, ecx
            //   5e                   | add                 esp, 0x2c
            //   5d                   | pop                 ebx
            //   c3                   | pop                 ebp
            //   55                   | ret                 
            //   89e5                 | mov                 eax, dword ptr [ebp - 0x30]
            //   6a00                 | mov                 ecx, dword ptr [ebp - 0x2c]

        $sequence_51 = { 5b 5e 5d c3 55 89e5 6a00 }
            // n = 7, score = 500
            //   5b                   | mov                 ecx, dword ptr [ebp + 8]
            //   5e                   | mov                 dword ptr [ebp - 0x10], eax
            //   5d                   | mov                 edx, dword ptr fs:[0x18]
            //   c3                   | xor                 eax, eax
            //   55                   | push                edi
            //   89e5                 | sub                 esp, 0x38
            //   6a00                 | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_52 = { 83c454 5b 5e 5f 5d }
            // n = 5, score = 500
            //   83c454               | push                1
            //   5b                   | push                ebx
            //   5e                   | push                1
            //   5f                   | push                ebx
            //   5d                   | call                eax

        $sequence_53 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc }
            // n = 5, score = 500
            //   c7424800b00400       | mov                 ecx, dword ptr [ebp + 8]
            //   8b7de4               | mov                 dword ptr [ebp - 0x10], eax
            //   c787cc00000000000000     | mov    edx, dword ptr fs:[0x18]
            //   c787c800000000000000     | mov    eax, dword ptr [ebp - 0x20]
            //   8945dc               | add                 esp, 0x38

        $sequence_54 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 }
            // n = 4, score = 500
            //   c7424800b00400       | pop                 edi
            //   8b7de4               | mov                 dword ptr [ebp - 0x20], ecx
            //   c787cc00000000000000     | mov    eax, dword ptr [ebp - 0x20]
            //   c787c800000000000000     | add    esp, 0x38

        $sequence_55 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc 89c8 }
            // n = 6, score = 500
            //   c7424800b00400       | pop                 edi
            //   8b7de4               | pop                 ebx
            //   c787cc00000000000000     | pop    esi
            //   c787c800000000000000     | pop    ebp
            //   8945dc               | ret                 
            //   89c8                 | push                ebp

        $sequence_56 = { 83c454 5b 5e 5f 5d c3 55 }
            // n = 7, score = 500
            //   83c454               | push                ebp
            //   5b                   | mov                 ebp, esp
            //   5e                   | push                edi
            //   5f                   | push                esi
            //   5d                   | push                ebx
            //   c3                   | sub                 esp, 0x54
            //   55                   | add                 esp, 0x54

        $sequence_57 = { 83c454 5b 5e 5f 5d c3 }
            // n = 6, score = 500
            //   83c454               | push                ebx
            //   5b                   | push                1
            //   5e                   | push                ebx
            //   5f                   | push                ebx
            //   5d                   | push                ebx
            //   c3                   | push                ebx

        $sequence_58 = { 89e5 57 56 53 83ec54 }
            // n = 5, score = 500
            //   89e5                 | pop                 ebx
            //   57                   | pop                 esi
            //   56                   | pop                 edi
            //   53                   | pop                 ebp
            //   83ec54               | ret                 

        $sequence_59 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc 89c8 }
            // n = 6, score = 500
            //   c7424800b00400       | xor                 esi, esi
            //   8b7de4               | mov                 esi, eax
            //   c787cc00000000000000     | push    0x7f
            //   c787c800000000000000     | pop    esi
            //   8945dc               | xor                 esi, esi
            //   89c8                 | mov                 esi, eax

        $sequence_60 = { 5b 5e 5d c3 55 89e5 83ec0c }
            // n = 7, score = 500
            //   5b                   | mov                 eax, dword ptr [ebp - 0x48]
            //   5e                   | cmp                 dword ptr [eax], 0x4550
            //   5d                   | mov                 dword ptr [edx + 0x48], 0x4b000
            //   c3                   | mov                 edi, dword ptr [ebp - 0x1c]
            //   55                   | mov                 dword ptr [edi + 0xcc], 0
            //   89e5                 | mov                 dword ptr [edi + 0xc8], 0
            //   83ec0c               | mov                 dword ptr [ebp - 0x24], eax

        $sequence_61 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc }
            // n = 5, score = 500
            //   c7424800b00400       | mov                 esi, eax
            //   8b7de4               | xor                 esi, esi
            //   c787cc00000000000000     | mov    esi, eax
            //   c787c800000000000000     | mov    esi, eax
            //   8945dc               | push                0x7f

        $sequence_62 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 }
            // n = 4, score = 500
            //   c7424800b00400       | mov                 ecx, dword ptr [ebp - 0x44]
            //   8b7de4               | cmp                 word ptr [ecx], 0x5a4d
            //   c787cc00000000000000     | mov    dword ptr [ebp - 0x48], eax
            //   c787c800000000000000     | mov    dword ptr [ebp - 0x3c], ecx

        $sequence_63 = { 55 89e5 57 56 53 83ec54 }
            // n = 6, score = 500
            //   55                   | push                1
            //   89e5                 | push                ebx
            //   57                   | call                eax
            //   56                   | test                eax, eax
            //   53                   | push                ebx
            //   83ec54               | push                ebx

        $sequence_64 = { c3 55 89e5 57 56 53 83ec54 }
            // n = 7, score = 500
            //   c3                   | add                 esp, 0x54
            //   55                   | pop                 ebx
            //   89e5                 | pop                 esi
            //   57                   | pop                 edi
            //   56                   | pop                 ebp
            //   53                   | add                 esp, 0x54
            //   83ec54               | pop                 ebx

        $sequence_65 = { 5b 5d c3 8b45d0 }
            // n = 4, score = 400
            //   5b                   | ret                 
            //   5d                   | push                ebp
            //   c3                   | mov                 ebp, esp
            //   8b45d0               | sub                 esp, 0xc

        $sequence_66 = { 5b 5d c3 8b45d0 8b4dd4 }
            // n = 5, score = 400
            //   5b                   | mov                 dword ptr [edx + 0x48], 0x4b000
            //   5d                   | mov                 edi, dword ptr [ebp - 0x1c]
            //   c3                   | mov                 dword ptr [edi + 0xcc], 0
            //   8b45d0               | mov                 dword ptr [edi + 0xc8], 0
            //   8b4dd4               | mov                 dword ptr [ebp - 0x24], eax

        $sequence_67 = { 5b 5d c3 8b45d0 8b4dd4 668b55d8 }
            // n = 6, score = 400
            //   5b                   | mov                 edi, dword ptr [ebp - 0x1c]
            //   5d                   | mov                 dword ptr [edi + 0xcc], 0
            //   c3                   | mov                 dword ptr [edi + 0xc8], 0
            //   8b45d0               | pop                 ebx
            //   8b4dd4               | pop                 esi
            //   668b55d8             | pop                 ebp

        $sequence_68 = { e9???????? 8b45e0 83c438 5f }
            // n = 4, score = 400
            //   e9????????           |                     
            //   8b45e0               | sub                 esp, 0x38
            //   83c438               | mov                 eax, dword ptr [ebp + 0xc]
            //   5f                   | mov                 ecx, dword ptr [ebp + 8]

        $sequence_69 = { 8b4dc8 894de0 75?? e9???????? 8b45e0 83c438 5f }
            // n = 7, score = 400
            //   8b4dc8               | mov                 dx, word ptr [ebp - 0x28]
            //   894de0               | pop                 ebx
            //   75??                 |                     
            //   e9????????           |                     
            //   8b45e0               | pop                 ebp
            //   83c438               | ret                 
            //   5f                   | mov                 eax, dword ptr [ebp - 0x30]

        $sequence_70 = { 57 83ec38 8b450c 8b4d08 8945f0 648b1518000000 }
            // n = 6, score = 400
            //   57                   | add                 esp, 0x38
            //   83ec38               | pop                 edi
            //   8b450c               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b4d08               | add                 esp, 0x38
            //   8945f0               | pop                 edi
            //   648b1518000000       | push                edi

        $sequence_71 = { 57 83ec38 8b450c 8b4d08 8945f0 }
            // n = 5, score = 400
            //   57                   | mov                 eax, dword ptr [ebp - 0x30]
            //   83ec38               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   8b450c               | pop                 ebx
            //   8b4d08               | pop                 esi
            //   8945f0               | pop                 ebp

        $sequence_72 = { 75?? e9???????? 8b45e0 83c438 5f }
            // n = 5, score = 400
            //   75??                 |                     
            //   e9????????           |                     
            //   8b45e0               | pop                 ebx
            //   83c438               | pop                 ebp
            //   5f                   | ret                 

        $sequence_73 = { 57 83ec38 8b450c 8b4d08 8945f0 648b1518000000 31c0 }
            // n = 7, score = 400
            //   57                   | ret                 
            //   83ec38               | push                ebp
            //   8b450c               | mov                 ebp, esp
            //   8b4d08               | push                0
            //   8945f0               | mov                 ecx, dword ptr [ebp - 0x38]
            //   648b1518000000       | mov                 dword ptr [ebp - 0x20], ecx
            //   31c0                 | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_74 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc 89c8 83c42c }
            // n = 7, score = 400
            //   c7424800b00400       | mov                 dword ptr [edx + 0x48], 0x4b000
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   c787cc00000000000000     | mov    dword ptr [edi + 0xcc], 0
            //   c787c800000000000000     | mov    dword ptr [edi + 0xc8], 0
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   89c8                 | mov                 eax, ecx
            //   83c42c               | mov                 dword ptr [edx + 0x48], 0x4b000

        $sequence_75 = { 894de0 75?? e9???????? 8b45e0 83c438 5f }
            // n = 6, score = 400
            //   894de0               | mov                 dword ptr [ebp - 0x10], eax
            //   75??                 |                     
            //   e9????????           |                     
            //   8b45e0               | push                edi
            //   83c438               | sub                 esp, 0x38
            //   5f                   | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_76 = { 8d05???????? 5d c3 55 89e5 57 }
            // n = 6, score = 300
            //   8d05????????         |                     
            //   5d                   | mov                 ebp, esp
            //   c3                   | push                edi
            //   55                   | push                esi
            //   89e5                 | push                ebx
            //   57                   | sub                 esp, 0x54

        $sequence_77 = { 56 53 83ec54 8d05???????? 31c9 8d55d8 }
            // n = 6, score = 300
            //   56                   | pop                 esi
            //   53                   | pop                 edi
            //   83ec54               | pop                 ebp
            //   8d05????????         |                     
            //   31c9                 | ret                 
            //   8d55d8               | push                ebp

    condition:
        7 of them
}
Download all Yara Rules
Dridex Propose Change

References

Yara Rules

Dridex
