Win32/Dridex [Threat Name] go to Threat

Win32/Dridex.AA [Threat Variant Name]

Category trojan
Size 322963 B
Detection created Dec 01, 2015
Detection database version 12654
Aliases Trojan-Dropper.Win32.Injector.nybm (Kaspersky)
  Backdoor:Win32/Drixed.M (Microsoft)
  Troj/Dridex-MQ (Sophos)
Short description

Win32/Dridex.AA is a trojan which tries to download other malware from the Internet. The file is run-time compressed using RAR SFX .


When executed, the trojan creates the following files:

  • %temp%\­125.exe (167936 B, Win32/Dridex.AA)

The file is then executed.

The trojan may create copies of the following files (source, destination):

  • %temp%\­125.exe, %localappdata%\­%variable1%\­%variable2%.exe
  • %temp%\­125.exe, C:\­Users\­Administrator\­AppData\­LocalLow\­%variable3%\­%variable4%.exe
  • %temp%\­125.exe, C:\­Users\­Administrator\­AppData\­LocalLow\­%variable5%.sdb

A string with variable content is used instead of %variable1-5% .

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­CLSID\­{%variable6%\­ShellFolders]
    • "0" = "%variable7%"

A string with variable content is used instead of %variable6-7% .

The trojan searches for files with the following names:

  • %malwarefolder%\­version.dll
  • %malwarefolder%\­DXGIDebug.dll
  • %malwarefolder%\­sfc_os.dll
  • %malwarefolder%\­SSPICLI.DLL
  • %malwarefolder%\­rsaenh.dll
  • %malwarefolder%\­UXTheme.dll
  • %malwarefolder%\­lpk.dll
  • %malwarefolder%\­usp10.dll
  • %malwarefolder%\­clbcatq.dll
  • %malwarefolder%\­comres.dll
  • %malwarefolder%\­ws2_32.dll
  • %malwarefolder%\­ws2help.dll
  • %malwarefolder%\­psapi.dll
  • %malwarefolder%\­ieframe.dll
  • %malwarefolder%\­ntshrui.dll
  • %malwarefolder%\­atl.dll
  • %malwarefolder%\­setupapi.dll
  • %malwarefolder%\­apphelp.dll
  • %malwarefolder%\­userenv.dll
  • %malwarefolder%\­netapi32.dll
  • %malwarefolder%\­shdocvw.dll
  • %malwarefolder%\­crypt32.dll
  • %malwarefolder%\­msasn1.dll
  • %malwarefolder%\­cryptui.dll
  • %malwarefolder%\­wintrust.dll

When the trojan finds a file matching the search criteria, it displays following message:

  • Please remove %founddllfilename% from %malwarefolder% folder. It is unsecure to run %malwarefilename% until it is done.
Information stealing

The trojan collects the following information:

  • installed program components under  [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Uninstall] Registry subkeys

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information

The trojan interferes with the operation of some security applications to avoid detection.

The trojan may create and run a new thread with its own program code within any running process.

Please enable Javascript to ensure correct displaying of this content and refresh this page.