2021-10-13 Dridex IOCs

THREAT ATTRIBUTION:  DRIDEX

SENDER EMAILS
accomplish138@o3.e.notification.intuit.com
agustinzwg@o4.e.notification.intuit.com
allovern7@o3.e.notification.intuit.com
barbarousn4@omptrans.e.digicomm.intuit.com
bassinets6@omptrans.e.digicomm.intuit.com
brassingr13@mta.notifications.intuit.com
briquetteoo6@o4.e.notification.intuit.com
caged@o4.e.notification.intuit.com
chihuahuasrqa8@o3.e.notification.intuit.com
covetouslywsrn13@o2.e.notification.intuit.com
crickedf870@o4.e.notification.intuit.com
drunks30@mta.notifications.intuit.com
duisburgt33@o3.e.notification.intuit.com
easelrs783@o3.e.notification.intuit.com
editorializevz@omptrans.e.digicomm.intuit.com
effusiveyn62@mta.notifications.intuit.com
emulatorw5@omptrans.e.digicomm.intuit.com
glottispa56@o4.e.notification.intuit.com
goadsdr4@o1.e.notification.intuit.com
gushers9@o1.e.notification.intuit.com
hammedbs789@o2.e.notification.intuit.com
hindemith811@mta.notifications.intuit.com
imitating@omptrans.e.digicomm.intuit.com
inhabitl17@o3.e.notification.intuit.com
intrigue313@o3.e.notification.intuit.com
koreano08@o1.e.notification.intuit.com
leanedk0@o2.e.notification.intuit.com
manacle6@o2.e.notification.intuit.com
meritorious05@o4.e.notification.intuit.com
microsecondnb87@o3.e.notification.intuit.com
mongrelv5@o2.e.notification.intuit.com
nourishingf400@o3.e.notification.intuit.com
nukesmgrc7@o1.e.notification.intuit.com
numerology17@o3.e.notification.intuit.com
optometry404@o2.e.notification.intuit.com
parvenusib528@mta.notifications.intuit.com
perambulatingo89@o1.e.notification.intuit.com
probatest82@o2.e.notification.intuit.com
progressede3@mta.notifications.intuit.com
railstt@o4.e.notification.intuit.com
relied9@o2.e.notification.intuit.com
revlonls5@omptrans.e.digicomm.intuit.com
rubik212@o1.e.notification.intuit.com
sixes90@omptrans.e.digicomm.intuit.com
suavityp18@o2.e.notification.intuit.com
subsideey2@o2.e.notification.intuit.com
teenagew@o3.e.notification.intuit.com
toadjl@o1.e.notification.intuit.com
tracksbq4365@mta.notifications.intuit.com
trialledb19@o3.e.notification.intuit.com
whey17@mta.notifications.intuit.com
woolliness60@o1.e.notification.intuit.com
yamahat669@o1.e.notification.intuit.com

SUBJECTS
Invoice/Sales Receipt
Purchase Order Receipt
Sales Receipt

MALDOC FILE NAMES
Payment_Receipt ####.xls
Purchase_Order ####.xls
Sales_Receipt ####.xls

MALDOC FILE HASHES
e63deaea51f7cc2064ff808e11e1ad55
(all maldoc file hashes are the same)

PAYLOAD DOWNLOAD URLS
https://itadlearning.com
https://mas.hertzceylonsoftware.com

PAYLOAD FILE HASHES
ltqmcyjo
a289f26f09690ec48b1970204f8757c8

On the second run, I saw this:
wztxxfrr
9d6d2e3d5cd27fcec3a875c7cf8b7062

Then the third time:
tnlbmvxt
017ba8a27483a3ab3679c5161faf1d6a

DRIDEX C2
https://51.83.3.52:13786/
https://174.128.245.202/
https://69.64.50.41:6602/

EMAIL BODY
Your sales receipt is attached. Your credit card on file has been charged and this invoice is now paid. 
Thank you for your business - we appreciate it very much.
Sincerely,
-------------------------   
Sales Receipt Summary  
---------------------------
Purchase Order # : 0292
Purchase Order Date: 10/13/2021
Total: $3,710.00

The complete version has been provided as an attachment to this email.
----------------------------------------------------------------------

MEMORY STRINGS
https://az667904.vo.msecnd.net/pub/Default/v2/dyntelconfig.json
http://www.burnsurface.ru