dridex | 905960957f03c7a56deaee448ac8fff59f7aad97619ee5a98eb220b9cebee849 | Triage

Analysis

max time kernel
19s
max time network
135s
platform
windows10_x64
resource
win10v20201028
submitted
05-11-2020 07:27

Sharing

Report Analysis Logs

General

Target

e5a1785a5b06c596107a75eb1e51454b.dll
Size

638KB
MD5

e5a1785a5b06c596107a75eb1e51454b
SHA1

3e44a3cb67613f11aae1f9189cbd9ea100d3a1f2
SHA256

905960957f03c7a56deaee448ac8fff59f7aad97619ee5a98eb220b9cebee849
SHA512

b046c5a02446652df5271b97b3785ba6d5e593cc639388f3c22e4c3ef9ecf2fab3fc08c761e9c167e8840aa12fcdfa9a978d9409e165890306a64d987e7c373f

Score

10^/10

dridex 10444 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

193.37.215.79:443

81.2.235.131:1688

178.63.156.139:3388

rc4.plain

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/1000-1-0x0000000000D30000-0x0000000000D6D000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1924 wrote to memory of 1000	1924	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 1000	1924	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 1000	1924	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5a1785a5b06c596107a75eb1e51454b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5a1785a5b06c596107a75eb1e51454b.dll,#1
2⤵
PID:1000

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-0-0x0000000000000000-mapping.dmp

Download
memory/1000-1-0x0000000000D30000-0x0000000000D6D000-memory.dmp

Filesize
244KB

Download