ExecuteMalware

2019-06-03 Dridex IOCs

Jun 3rd, 2019
ANALYST NOTES
Oddly, today I saw no Emotet malspam but I did receive 1 email that I thought was going to be Emotet.
The email claimed to be a "notification" and the text of the email claimed that the attached file was a bill.
The email was clumsily worded but that was not unexpected.
The attachment was named Invoice-JVUIFtl.doc.
The Word document was using the teal document template that I've seen Emotet using periodically in recent days.
The document had a few document object artifacts in the upper left as we've also seen lately with Emotet.
When the VBA macros ran, the result was an attempt to download a file from a payload "trio".
I still thought it might be Emotet and the threat actors were using a "trio" instead of the usual "payload quintet".
When I looked more closely at the URLs, however, it was apparent that this was not Emotet.
The payload URLs were trying to download a file named waterMark.bin.
A closer look at the PowerShell script shows that the file is then being renamed with a .exe extension and launched.
X-MS-Exchange-Organization-Originating-Country: RU

SUBJECTS OBSERVED
Notification_96793020

SENDERS OBSERVED
info@xenompotanpollswecheapp.club

SENDER IPs OBSERVED
193.233.72.177 (Russia)

DRIDEX PAYLOAD DISTRIBUTION URLs FROM POWERSHELL/VB
http://vaigacafe.com/app/webroot/assets/images/about/team/waterMark.bin
http://bienangel.com/bienangel/templates/beez3/html/com_contact/categories/waterMark.bin
http://85.214.32.153:8080/2tK59px0yrPP49Xp14fRx50c

WORD DOCUMENT FILE HASH
9011d9e0360ee2d29feedfa5a505651a

DRIDEX EXE FILE HASH
0dad665d561bacd1fdc5750f14f1b437

SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/url/205806/
https://urlhaus.abuse.ch/url/205805/
https://www.virustotal.com/gui/file/2c04c849908e241a87084ca254309fd8a74a8b744928f1a2dc2c081ae241a436/detection
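To turn the indicators above into a detection, here is an added example (not part of the original paste) that checks proxy log lines against the listed payload URLs and hosts, and separately flags any .bin fetched over HTTP, since the notes describe the payload arriving as waterMark.bin before being renamed to .exe. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Payload URLs as listed in the notes above; the hosts are derived from them.
PAYLOAD_URLS = {
    "http://vaigacafe.com/app/webroot/assets/images/about/team/waterMark.bin",
    "http://bienangel.com/bienangel/templates/beez3/html/com_contact/categories/waterMark.bin",
    "http://85.214.32.153:8080/2tK59px0yrPP49Xp14fRx50c",
}
IOC_HOSTS = {urlparse(u).hostname for u in PAYLOAD_URLS}

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(line: str) -> list:
    """Return the reasons a proxy log line is suspicious, or [] if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, _method, url, _status = m.groups()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if url in PAYLOAD_URLS:
        reasons.append("exact Dridex payload URL")
    elif host in IOC_HOSTS:
        # Same compromised host, different path: still worth a look.
        reasons.append(f"known payload host {host}")
    # Behavioural catch independent of the IOC list: the notes describe a .bin
    # downloaded from a web asset/template path and then renamed to .exe.
    if parsed.path.lower().endswith(".bin"):
        reasons.append("binary blob fetched over HTTP (.bin)")
    return reasons


def scan(lines) -> list:
    """Return (line, reasons) for every line that raised at least one reason."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample traffic for demonstration only.
SAMPLE_LOG = [
    "2019-06-03T10:01:02Z 10.0.0.5 GET http://vaigacafe.com/app/webroot/assets/images/about/team/waterMark.bin 200",
    "2019-06-03T10:01:05Z 10.0.0.5 GET http://85.214.32.153:8080/other 404",
    "2019-06-03T10:02:00Z 10.0.0.7 GET http://example.com/index.html 200",
    "2019-06-03T10:03:00Z 10.0.0.8 GET http://example.org/templates/x/waterMark.bin 200",
]
```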