dridex | 9f38af84820dc29e805029409bbb2a5765036775973e3898b6db1f66c1b47270

Resubmissions

26-11-2020 08:55

26-11-2020 04:06

Target

nsetldk.dll
Size

630KB
MD5

3ce5469a7a34b52cc10fd3f17c29b3a5
SHA1

d6b121e7a8ed0e94c2e89e33ea6828290f858e90
SHA256

9f38af84820dc29e805029409bbb2a5765036775973e3898b6db1f66c1b47270
SHA512

6e9746d0377d6a5d09ee0d8cc7cb8660443420868e6be21cb587293b4869fc45793a55a9c6d44b46fce7dcbb722535954882dd6f4f126448b1f03e56fb916bb2

Score

10^/10

Family

dridex

Botnet

10555

194.225.58.216:443

178.254.40.132:691

216.172.165.70:3889

198.57.200.100:3786

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/764-1-0x00000000746A0000-0x00000000746DD000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1432 wrote to memory of 764	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 764	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 764	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 764	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 764	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 764	1432	regsvr32.exe	regsvr32.exe
PID 1432 wrote to memory of 764	1432	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\nsetldk.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\nsetldk.dll
2⤵
PID:764

memory/764-0-0x0000000000000000-mapping.dmp

Download
memory/764-1-0x00000000746A0000-0x00000000746DD000-memory.dmp

Filesize
244KB

Download
memory/1944-2-0x000007FEF61D0000-0x000007FEF644A000-memory.dmp

Filesize
2.5MB

Download