
Dridex is a highly evasive and technically complex banking trojan. Although it is built on relatively old malware code, it has been substantially updated over the years and now uses very effective infiltration techniques that make it especially dangerous.

Trojan
Type
ex-USSR territory
Origin
1 January, 2014
First seen
9 July, 2025
Last seen


IOCs

IP addresses
67.8.79.243
104.23.98.190
67.8.24.101
67.8.205.190
67.8.146.64
67.8.199.111
67.8.136.173
23.46.238.194
67.8.6.206
67.8.213.156
45.138.26.8
77.68.64.13
62.149.158.252
69.93.243.5
37.59.52.64
2.138.111.86
152.66.249.132
216.177.132.93
108.29.37.11
85.214.113.207
Hashes
Domains
fastdocusign.org
mydocumentscloud.xyz
azuredocs.org
docusignupdates.com
azuredocs.one
mydocumentscloud.com
fastdocusign.one
documentupdates.com
securityupdateserver4.com
kathbhnhnc.com
6h1mt9f2ns.com
dmed5sfhsk.com
agnkbjftop.com
uoetm1pdeg.com
ponestona.com
vtcbfmyokq.com
et4skzn5bs.com
morningwar.xyz
m2nlbyfhax.com
mkbrswn3vh.com
URLs
http://cjto.top/files/penelop/updatewin1.exe
http://cjto.top/sgfjsgdfgsgddagdpen4/get.php
http://cjto.top/sgfjsgdfgsgddagdpen4/1
http://cjto.top/files/penelop/1
http://cjto.top/files/penelop/updatewin2.exe
http://cjto.top/files/penelop/updatewin.exe
http://cjto.top/files/penelop/4.exe
http://cjto.top/files/penelop/3.exe
http://cjto.top/files/penelop/5.exe
http://go.trendmicro.com/free-tools/hijackthis/HiJackThis.exe
http://wieie.cn:8765/Down/List
http://58.23.215.23:8765/CardPwd/CardPWD.exe
http://wieie.cn:8765/CardPwd/CardPwd.exe
http://172.104.65.137/7z/setup.exe
http://172.104.65.137/7z/7zs.sfx
http://172.104.65.137/7z/7za.exe
http://zexeq.com/files/1/build3.exe
http://zexeq.com/test1/get.php
http://zexeq.com/raud/get.php
http://colisumy.com/dl/build2.exe

What is Dridex malware?

Dridex is one of the most technically advanced banking trojans currently active. Its primary purpose is stealing banking credentials from its victims. Dridex has been around since 2014 and has received consistent updates that have made it steadily more capable.

Thanks to this constant evolution, Dridex supports advanced functions such as the AtomBombing code-injection technique, web injects into Chrome, and the use of a Microsoft Word zero-day exploit, which helped the malware reach countless machines despite the availability of removal tools.

Dridex is regarded as an evolution of GameOver ZeuS, borrowing its C&C architecture and improving on it so that the control servers are very hard to pinpoint. The Dridex banking trojan also shares traits with two other families, Cridex and Bugat. However, while the latter relied mostly on vulnerability exploitation as an attack vector, Dridex also uses email spam to infect its victims' machines.

General description of Dridex malware

US and UK law enforcement agencies have uncovered the identities of the people behind Evil Corp, the cybercrime group that developed Dridex and several other malicious programs. Maxim Yakubets, who lives in Moscow, is believed to be the group's leader; he has been seen driving a Lamborghini Huracán with a number plate that reads "thief" in Russian. Following the investigation, the US Department of State announced a $5 million reward for information leading to his arrest, the largest reward ever offered for a cybercriminal at that time.

Dridex activity peaked between its first sighting in the wild and 2015. Subsequent campaigns were fewer and perhaps less global than those observed before 2015. The malware usually targets victims in Europe, with over half of recorded infections in the UK, though German, French and US users are also at risk. Notably, Dridex never attacks victims in the Russian Federation, which suggests that the group behind it is based in that country. Dridex is one of the most widespread banking trojans in the world: by number of infections in 2015 it ranked seventh among the top ten families of this type, according to data from Flashpoint.

The malware performs a range of data-stealing actions, including form grabbing, screenshot capture and web injection. This lets Dridex steal sensitive data such as logins and passwords when the victim signs in to their online banking account; the data can then be used by the attackers in later campaigns or sold to other criminals. Screenshots additionally allow the operators to collect personal information about the victim. Using web-inject techniques, the malware alters the content of web pages the user is viewing, so that when the user enters a login and password, instead of signing in to their account the credentials are sent directly to the attackers.

Dridex operates on a botnet-as-a-service model, which means that infected PCs can become attack sources for future campaigns. This helps the malware spread more efficiently and makes its attacks more global.

Some earlier versions of this malware had a fairly unique persistence mechanism that researchers called "invisible". It earned that name because the malware's dynamic link library (DLL) was written to disk, and a registry value created to run it at system startup, only just before the PC was shut down, so that during normal operation there was neither a file on disk nor a registry entry for scanners to find.

Newer Dridex maldocs contain hundreds of URLs from which to download the payload. This makes the campaign hard to take down through hosting providers, removal tools and domain registrars, and it increases the chance that at least one download succeeds. Security controls therefore need to block a large number of URLs to prevent the payload from being downloaded.
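As an added example (not code from the page or from ANY.RUN), the following script shows the defensive side of the many-URL tactic: it pulls every download URL out of a macro's source, including URLs split across VBA string concatenation, de-duplicates them, and collapses the list to a per-host blocklist so that one host-level rule covers all path variants. The macro snippet is constructed for the example; the domains in it come from the IOC list above, while the paths and the TryDownload helper are invented.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed VBA-style macro source (not real Dridex code). Domains are from the
# page's IOC list; the paths and TryDownload() are invented for this example.
MACRO_SRC = r'''
Dim u(4) As String
u(0) = "http://fastdocusign.org/sec/" & "update.bin"
u(1) = "hxxp://mydocumentscloud.xyz/sec/update.bin"
u(2) = "http://" & "azuredocs.org" & "/sec/update.bin"
u(3) = "http://fastdocusign.org/alt/update.bin"
u(4) = "http://fastdocusign.org/sec/" & "update.bin"
For i = 0 To 4
    If TryDownload(u(i)) Then Exit For
Next
'''

# Accept defanged schemes (hxxp) as well as real ones; stop at quotes/whitespace.
URL_RE = re.compile(r'(?:https?|hxxps?)://[^\s"\'<>]+', re.IGNORECASE)


def join_literals(src):
    """Collapse VBA string concatenation ("a" & "b") into one literal so a URL
    that was split into fragments is matched as a whole."""
    return re.sub(r'"\s*&\s*"', '', src)


def extract_urls(src):
    """Return the ordered, de-duplicated list of URLs found in macro source,
    with defanged schemes normalised back to http/https."""
    seen, urls = set(), []
    for m in URL_RE.finditer(join_literals(src)):
        url = re.sub(r'^hxxp', 'http', m.group(0), flags=re.IGNORECASE)
        url = url.rstrip('.,;)')
        if url.lower() not in seen:
            seen.add(url.lower())
            urls.append(url)
    return urls


def host_blocklist(urls):
    """Map each host to the number of distinct URLs it serves. Blocking at the
    host level covers every path on that host with a single rule."""
    counts = Counter(urlsplit(u).hostname.lower() for u in urls)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    found = extract_urls(MACRO_SRC)
    print(f"{len(found)} distinct URLs")
    for host, n in host_blocklist(found).items():
        print(f"block {host:24s} (covers {n} URL(s))")
```

On the constructed snippet the five array entries collapse to four distinct URLs across three hosts; a real Dridex maldoc would yield a list in the hundreds, which is why the host-level view is the one worth feeding to a proxy or DNS blocklist.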

Dridex was updated once again and stopped using the debug-output message loop. The operators also switched their defense-evasion technique from XSL Script Processing (MITRE ATT&CK T1220) to Signed Binary Proxy Execution via Rundll32 (T1218.011).

During 2020 the team behind Dridex made heavy use of malicious Excel documents with Excel 4.0 (XLM) macros in its campaigns. These maldocs often checked the language of the system they were opened on and stopped executing if it did not match the expected one.

Malware analysis of Dridex trojan

A video recorded in ANY.RUN lets us examine the lifecycle of the Dridex malware. You can also investigate other cyber threats such as FormBook and Lokibot.

Figure 1: Process graph generated by ANY.RUN, showing the main processes of Dridex execution.

Figure 2: The customizable text report generated by ANY.RUN.

Execution of Dridex malware

The execution process of Dridex is fairly short and straightforward. Like much modern malware, the banking trojan arrives on the victim's system as a malicious attachment, usually a Microsoft Office file, delivered by spam email. Once the user downloads and opens the file and enables macros, the infection begins. Dridex can deliver its main payload in several ways: the payload may be downloaded directly by the Microsoft Office process, by a system application into which code has been injected (for example explorer.exe), or through exploitation of a vulnerability such as one in the Microsoft Equation Editor. Once the downloaded payload runs, it begins its main malicious activity: writing itself into an autorun registry key, searching for installed software, executing scripts, connecting to the C2 server, and more.
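The behaviours described in the last few sections (the Office-to-payload execution chain, rundll32 used as a signed proxy for a DLL dropped in a user-writable directory, and the "invisible" Run-key write made during shutdown) can be turned into simple detection logic. The script below is an added example written for this page, not ANY.RUN's detection engine or any published rule set. It runs three rules over a handful of constructed Sysmon-like events; the field names, paths, PIDs, SID and timestamps are all made up for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process/registry/shutdown events in a simplified Sysmon-like shape.
# Paths, PIDs, the SID and timestamps are invented for this example.
EVENTS = [
    {"ts": "2020-03-10T09:14:02", "type": "process", "pid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\Invoice_4471.doc"'},
    # Macro hands a dropped DLL to rundll32: proxy execution (T1218.011).
    {"ts": "2020-03-10T09:14:09", "type": "process", "pid": 4210,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\xcb7.dll,DllRegisterServer"},
    # Benign rundll32 use: system DLL, system parent. Must not alert.
    {"ts": "2020-03-10T09:14:10", "type": "process", "pid": 4300,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Benign Run-key write by an installer during the working day. Must not alert.
    {"ts": "2020-03-10T09:20:15", "type": "registry", "pid": 5050,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    # Shutdown begins, then the malware registers itself for the next boot.
    {"ts": "2020-03-10T17:58:40", "type": "shutdown", "pid": 812,
     "image": r"C:\Windows\System32\winlogon.exe"},
    {"ts": "2020-03-10T17:58:41", "type": "registry", "pid": 4210,
     "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\xcb7"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe", "cmd.exe"}
# Locations a standard user can write to; a DLL loaded from here by rundll32 is
# far more suspicious than one from System32.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)
# How long after shutdown starts a Run-key write is still "during shutdown".
SHUTDOWN_WINDOW = timedelta(seconds=60)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, timestamp) tuples for every event that trips a rule."""
    alerts = []
    shutdowns = [datetime.fromisoformat(e["ts"]) for e in events
                 if e["type"] == "shutdown"]
    for e in events:
        if e["type"] == "process":
            child, parent = basename(e["image"]), basename(e["parent_image"])
            # Rule 1: an Office application spawning a LOLBin (macro -> payload).
            if parent in OFFICE_APPS and child in PROXY_BINARIES:
                alerts.append(("office_spawns_proxy_binary", e["pid"], e["ts"]))
            # Rule 2: rundll32 loading a DLL from a user-writable path.
            if child == "rundll32.exe" and USER_WRITABLE.search(e["cmdline"]):
                alerts.append(("rundll32_dll_from_user_writable_path", e["pid"], e["ts"]))
        elif e["type"] == "registry" and RUN_KEY.search(e["target"]):
            # Rule 3: Run-key persistence written while a shutdown is in progress,
            # the timing that made the "invisible" persistence invisible to scans.
            t = datetime.fromisoformat(e["ts"])
            if any(s <= t <= s + SHUTDOWN_WINDOW for s in shutdowns):
                alerts.append(("run_key_written_during_shutdown", e["pid"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, ts in detect(EVENTS):
        print(f"{ts}  pid={pid:<5d} {rule}")
```

Rule 3 is the one most people miss: a daily scan of Run keys will never see the entry, because it only exists between shutdown and the next boot, so the correlation has to be done on the event stream rather than by inspecting the live registry. In production the shutdown event would come from the System log (event ID 1074) and the registry write from Sysmon event ID 13; the 60-second window is an assumption to tune.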

Prevention of Dridex attacks

Users can avoid infection by banking trojans such as Dridex by steering clear of suspicious-looking emails. To stay safe, never launch files received from unknown senders. A clear sign of a malicious download is a Microsoft Office file that, when opened, prompts the user to enable macros; users should never do so. Additionally, keep a trusted, up-to-date antivirus product and removal tools on the machine at all times.

How does Dridex trojan spread?

Dridex mainly spreads through spam email campaigns and reaches targeted machines as a malicious email attachment. The emails are designed to resemble financial messages, such as invoice deliveries from real businesses, and usually carry a malicious Microsoft Office document as the attachment.

Social engineering is used to trick potential victims into downloading and opening the attached file, which then runs a malicious macro that installs the Dridex banking trojan on the machine.

How to detect Dridex using ANY.RUN?

If Dridex was not detected automatically, or you want to double-check, you can use additional ANY.RUN functionality to get more from your analysis. During execution, Dridex unpacks itself in memory and enters a long-running loop. On each iteration the malware outputs the debug string "Installing...", so if you encounter this string, you can consider Dridex identified. Note that, as described above, newer builds have dropped this debug-output loop, so its absence does not rule Dridex out.

Figure 3: Dridex debug output

Conclusion

Although Dridex's popularity has declined somewhat since its initial release, it remains an extremely widespread and capable malware used in numerous attacks on companies in Europe and North America. Thanks to its advanced persistence mechanisms and hard-to-trace C&C servers, Dridex attacks are very hard to combat, which makes the malware extremely effective.

Fortunately, malware hunting services like ANY.RUN let researchers detect and analyze threats such as Dridex and set up effective countermeasures.
