dridex | 3ab48ca45cd8a40aa0100279752afd3e89003bb85bf420c8b1be62e019f4c9eb

Analysis

Target

DRIDEX (2).dll
Size

320KB
MD5

26a799534430589b72111ccb335c2400
SHA1

7c6692e00af5e345c70d98862d6dacccc283e05e
SHA256

3ab48ca45cd8a40aa0100279752afd3e89003bb85bf420c8b1be62e019f4c9eb
SHA512

558f81bc111e3330c74762ae07af4737e719de6b486a48f89b72ceb111e0940c5317c9f71be4d0186c8178becdc346cec94ae33fb880a4b561cb891dd9058181

Score

10^/10

Family

dridex

Botnet

10444

151.236.219.181:443

142.4.6.57:14043

162.144.127.197:3786

103.40.116.68:5443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/3224-1-0x0000000073F30000-0x0000000073F6D000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3012 wrote to memory of 3224	3012	rundll32.exe	rundll32.exe
PID 3012 wrote to memory of 3224	3012	rundll32.exe	rundll32.exe
PID 3012 wrote to memory of 3224	3012	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DRIDEX (2).dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DRIDEX (2).dll",#1
  2⤵
  PID:3224

memory/3224-0-0x0000000000000000-mapping.dmp

Download
memory/3224-1-0x0000000073F30000-0x0000000073F6D000-memory.dmp

Filesize
244KB

Download