dridex | 7a91d43923b23b640842519263ff8dc2eb0f411f2f1688727db5c7dfacbab7be

Analysis

Target

yqsc2kqmgif.dll
Size

176KB
MD5

f0a0d2f0d368a07171e5a3b74cb365c5
SHA1

27e722207cdd804675b9555d9fa1767733f4fa61
SHA256

7a91d43923b23b640842519263ff8dc2eb0f411f2f1688727db5c7dfacbab7be
SHA512

abe42dc28a6a0c112cfdab36bb51da9215abab6ec4df54a4b31da3ce84eff90f70d9e618a787bead65038eb394ba762207d2ddc1b28e6f2d48428f0c289e8b62

Score

10^/10

Family

dridex

Botnet

10444

77.220.64.39:443

69.164.207.140:3388

78.47.139.43:4443

103.244.206.74:33443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/2292-1-0x0000000073DB0000-0x0000000073DCD000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 508 wrote to memory of 2292	508	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 2292	508	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 2292	508	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\yqsc2kqmgif.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\yqsc2kqmgif.dll,#1
  2⤵
  PID:2292

memory/2292-0-0x0000000000000000-mapping.dmp

Download
memory/2292-1-0x0000000073DB0000-0x0000000073DCD000-memory.dmp

Filesize
116KB

Download