dridex | b6061934972e541bf1f421f92c7342892661ebb98f75bd833b4c14ddbdd9291f

Analysis

Target

DRIDEX (3).dll
Size

320KB
MD5

eafb12224f9a1b16fff806e40b252c5d
SHA1

4485cea69f77e0054d3bc75b7fa74ba4110f4333
SHA256

b6061934972e541bf1f421f92c7342892661ebb98f75bd833b4c14ddbdd9291f
SHA512

5d3b37bafcc69434fb9378ca42bd8cd7ecf1e7e3a41367d783fa42c816ecae1042db5be53d81cda4c12c23779010e5d989261ee9caf52898fa8476c6d8361ee9

Score

10^/10

Family

dridex

Botnet

10444

151.236.219.181:443

142.4.6.57:14043

162.144.127.197:3786

103.40.116.68:5443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/1032-1-0x00000000750D0000-0x000000007510D000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1420 wrote to memory of 1032	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1032	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1032	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1032	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1032	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1032	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1032	1420	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DRIDEX (3).dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DRIDEX (3).dll",#1
  2⤵
  PID:1032

memory/1032-0-0x0000000000000000-mapping.dmp

Download
memory/1032-1-0x00000000750D0000-0x000000007510D000-memory.dmp

Filesize
244KB

Download