Analysis

  • max time kernel
    13s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-11-2020 05:19

General

  • Target

    pzxrk4325.dll

  • Size

    355KB

  • MD5

    457a2d0c13db31222c66c3e623d88063

  • SHA1

    15bd1122fe1a910c3b8f255bbe74de5ffed57fd2

  • SHA256

    a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba

  • SHA512

    5eeb2bfcfedd0703134196a3135bba5bbc59d67ab51bc847c837e4243c1c1a7fa1971a5602af5f6d946ef1a0f5c5f5f1f1807fa5e5d6dc723b6d5888336875c3

Malware Config

Extracted

Family

dridex

Botnet

10555

C2

194.225.58.216:443

178.254.40.132:691

216.172.165.70:3889

198.57.200.100:3786

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\pzxrk4325.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\pzxrk4325.dll,#1
      2⤵
        PID:1000

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1000-0-0x0000000000000000-mapping.dmp
    • memory/1000-1-0x0000000003410000-0x000000000344D000-memory.dmp
      Filesize

      244KB