ef5ai1p.dll

General

Target: ef5ai1p.dll
Filesize: 539KB
Completed: 19-11-2020 18:08
Score: 10/10
MD5: 1ba0b20a2d03d8af03a7faa42b06417f
SHA1: 4c528bb2afd93d8cb1199d05dc33d77e08f0ee88
SHA256: f5951b345050e10fa0d3b70b42e6b56d5a720a7a67c381345e33c145e2ba2452

Malware Config

Extracted

Family: dridex
Botnet: 10444
C2:
  162.241.44.26:9443
  192.232.229.53:4443
  77.220.64.34:443
  193.90.12.121:3098
rc4.plain
Signatures 3


  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader

    Description

    Detects the Dridex loader (both x86 and x64 builds) in memory.

    Reported IOCs

    resource                                                                    yara_rule
    behavioral2/memory/4828-1-0x0000000000AC0000-0x0000000000AFD000-memory.dmp  dridex_ldr

  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    description                       pid   process       target process
    PID 4768 wrote to memory of 4828  4768  rundll32.exe  rundll32.exe
    PID 4768 wrote to memory of 4828  4768  rundll32.exe  rundll32.exe
    PID 4768 wrote to memory of 4828  4768  rundll32.exe  rundll32.exe
Processes 2

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef5ai1p.dll,#1
    Suspicious use of WriteProcessMemory
    PID: 4768

    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef5ai1p.dll,#1
      PID: 4828
Network