qz0h69pdf

General
Target | qz0h69pdf.dll |
Filesize | 539KB |
Completed | 19-11-2020 13:07 |
Score | 10/10 |
MD5 | ba7ddbd663a50b149b22d810f4211207 |
SHA1 | 06faf7fce11b89e4119c70c5a8cb56d97ab68bab |
SHA256 | eb1a0c3677f4b416e43e2c4d88a30d1f5bd4d9b00b1e0c48efef31b034465e3c |
Malware Config
Extracted
Family | dridex |
Botnet | 10555 |
C2 | 162.241.44.26:9443, 192.232.229.53:4443, 77.220.64.34:443, 193.90.12.121:3098 |
rc4.plain | |
rc4.plain | |
Signatures 3
-
Dridex
Description
Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
Tags
-
Dridex Loader
Description
Detects the Dridex loader (both x86 and x64) in memory.
Tags
Reported IOCs
resource | yara_rule |
behavioral2/memory/4832-1-0x0000000004020000-0x000000000405D000-memory.dmp | dridex_ldr |
-
Suspicious use of WriteProcessMemory
rundll32.exe
Reported IOCs
description | pid | process | target process |
PID 4752 wrote to memory of 4832 | 4752 | rundll32.exe | rundll32.exe |
PID 4752 wrote to memory of 4832 | 4752 | rundll32.exe | rundll32.exe |
PID 4752 wrote to memory of 4832 | 4752 | rundll32.exe | rundll32.exe |
Processes 2
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qz0h69pdf.dll,#1
Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qz0h69pdf.dll,#1
Network
MITRE ATT&CK Matrix
Downloads
-
memory/4832-0-0x0000000000000000-mapping.dmp
-
memory/4832-1-0x0000000004020000-0x000000000405D000-memory.dmp