What is this Website?

This website lists configuration files, supernodes and modules of the Dridex v4 malware. The collection includes data from these 5 botnets:

Some of the information is also available as Suricata rules, Yara rules and CSV lists; see Exports. The displayed information makes no claim to completeness, currency, or quality. Use the information at your own discretion. All timestamps are given in UTC.

Configs

Dridex is configured with configuration files. Among other things, these specify which website URLs should be redirected and where. The redirect targets are also listed in the section Redirect Servers. Now and then, the config files also deliver new supernodes; those are listed separately in the Supernodes section.

The configuration files can also deliver executables; those are listed in the Modules section. The module blocks originally contained the full binaries, which I replaced with hashes. All modules in Dridex are identified by CRC32 checksums; when the name matching a CRC32 is known, it is listed as well. Neither the hashes nor the names are part of the config delivered by Dridex.

In version 3 of Dridex, the configuration files were delivered in XML format with descriptive tag and attribute names. In the current version 4, the configuration is delivered in a binary format without the helpful textual hints as to what the fields do. I tried to replicate the v3 format as closely as possible, but not all fields may be named appropriately.

Only config files from the last 31 days are shown.

timestamp botnet
2018-04-10 02:40:17 23005
2018-04-09 18:40:23 4200
2018-04-09 18:40:22 7200
2018-04-09 18:20:36 7200
2018-04-09 18:10:45 23005
2018-04-09 06:30:19 7200
2018-04-08 15:40:27 4200
2018-04-08 15:40:26 7200
2018-04-04 21:50:20 23005
2018-04-03 21:40:23 4200
2018-04-03 21:40:22 7200
2018-04-03 14:40:11 3122
2018-04-03 14:40:11 11122
2018-04-03 13:10:22 4200
2018-04-03 08:00:22 4200
2018-04-03 08:00:13 3122
2018-04-03 05:33:35 23005
2018-04-03 02:02:24 23005
2018-04-02 09:10:19 23005
2018-04-02 01:20:18 23005
2018-04-01 12:40:19 23005
2018-03-29 13:30:22 23005
2018-03-29 11:15:12 3122
2018-03-29 11:15:03 23005
2018-03-29 05:00:17 23005
2018-03-28 13:20:20 23005
2018-03-28 12:50:17 23005
2018-03-28 12:10:19 23005
2018-03-28 12:04:49 3122
2018-03-28 10:00:22 23005
2018-03-27 12:10:17 23005
2018-03-27 05:10:20 23005
2018-03-26 17:20:24 23005
2018-03-21 18:20:21 4200

Network

Redirect Servers

Traffic to the targeted websites is redirected to servers controlled by the Dridex operators. The following table shows servers from the config files of the last 31 days.


Supernodes

Supernodes are ordinary infected clients that were "promoted" by Dridex to relay traffic of regular infected clients. The owners of these IPs are in no way related to the Dridex operation. Do not block these IP addresses; only use them to detect Dridex infections in your own network.

The table lists the supernodes from the last 100 days. The columns added and removed show when the supernode appeared in and disappeared from a config file. The columns firstseen and lastseen show when the supernode first and last responded to a Dridex ping. These pings are encrypted by the Dridex network protocol, hence responding clients are almost certainly infected by Dridex. The st. column marks a supernode as active if it was active within the last 3 days, i.e., either responded to a ping or was seen in a Dridex config, and as inactive otherwise.

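The activity rule and the detection use case described above, as an added example that is not the tracker's own code: it applies the 3-day rule to supernode entries and matches the active ones against flow records. The CSV column layout (mirroring the table), the flow-record format, the sample rows and the evaluation time are all assumptions constructed for the example.

```python
# Added example, not the tracker's own code: apply the tracker's 3-day
# activity rule to supernode entries and match active ones against flow
# records to spot infected hosts in your own network. The CSV layout (the
# table's columns) and the flow-record format are assumptions.
import csv
import io
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"          # tracker timestamps are UTC
ACTIVE_WINDOW = timedelta(days=3)

# Constructed sample rows (documentation IPs, not real supernodes).
SUPERNODES_CSV = """ip,port,botnet,added,removed,firstseen,lastseen
203.0.113.10,443,"4200, 7200",2018-02-15 20:46:52,,2018-02-15 20:46:52,2018-04-24 21:56:53
198.51.100.7,443,23005,2018-02-05 15:40:51,2018-02-16 13:20:09,2018-02-05 15:40:51,2018-04-01 10:00:00
192.0.2.44,8443,"3122, 11122",2018-03-18 21:41:50,2018-03-30 14:10:17,2018-03-19 08:41:59,2018-04-24 14:41:53
192.0.2.99,443,4200,2018-02-05 15:29:55,,,
"""

# Constructed flow records: "<iso-time> <src_ip> <dst_ip> <dst_port>".
FLOW_LINES = [
    "2018-04-24T22:00:00 10.0.0.5 203.0.113.10 443",    # active supernode
    "2018-04-24T22:01:00 10.0.0.6 198.51.100.7 443",    # inactive supernode
    "2018-04-24T22:02:00 10.0.0.7 192.0.2.44 443",      # right IP, wrong port
    "2018-04-24T22:03:00 10.0.0.8 198.51.100.200 443",  # unrelated traffic
]
NOW = datetime(2018, 4, 25, 0, 0, 0)  # constructed evaluation time (UTC)


def parse_ts(value):
    """Empty cells in the table mean 'no such event'."""
    return datetime.strptime(value, TS_FMT) if value else None


def load_supernodes(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ip": r["ip"], "port": int(r["port"]),
            "botnets": [b.strip() for b in r["botnet"].split(",")],
            "added": parse_ts(r["added"]), "removed": parse_ts(r["removed"]),
            "firstseen": parse_ts(r["firstseen"]),
            "lastseen": parse_ts(r["lastseen"]),
        })
    return rows


def is_active(entry, now):
    """Active = answered a ping within the window, or still listed in a config.
    Assumption: an empty 'removed' means the node is in the current config."""
    if entry["lastseen"] and now - entry["lastseen"] <= ACTIVE_WINDOW:
        return True
    return entry["removed"] is None


def match_flows(supernodes, flow_lines, now):
    """Return (src, dst, port, botnets) for flows to an active supernode.
    Detection only: supernode IPs are victims, not attacker infrastructure."""
    active = {(e["ip"], e["port"]): e for e in supernodes if is_active(e, now)}
    hits = []
    for line in flow_lines:
        _ts, src, dst, dport = line.split()
        entry = active.get((dst, int(dport)))
        if entry is not None:
            hits.append((src, dst, int(dport), ",".join(entry["botnets"])))
    return hits


if __name__ == "__main__":
    for hit in match_flows(load_supernodes(SUPERNODES_CSV), FLOW_LINES, NOW):
        print("possible Dridex infection: %s -> %s:%d (botnet %s)" % hit)
```

Inactive entries are deliberately excluded from matching, since a supernode that fell out of the config and stopped answering pings has likely been cleaned and would only produce stale alerts.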

Modules

Dridex uses various modules:

The modules from the last 365 days are listed.

Bots

Dridex bots are distinguished by a version number and timestamp. For each version, there are often multiple different hashes and timestamps, which is a result of recompiling and repacking the modules.


Auxiliary Modules

The auxiliary modules are often off-the-shelf, legitimate binaries (e.g., VNC or the SOCKS proxy). These modules are updated much less frequently than the Dridex bots.

Dridex v4 uses CRC32 checksums in lieu of names. In some instances, the names behind the CRC32 checksums are known; in others they are not, and only the CRC32 checksum is shown.


Exports

Yara Rules

Yara rules for the botnet modules, based only on the MD5 sum, with no pattern match.
Dridex Modules

Snort Rules

Dridex Supernodes
Dridex Redirects

CSV

CSV file of the bot MD5s, the supernodes of the last 100 days, and the redirects of the last 31 days.

CSV