Resubmissions

04-01-2021 16:33

210104-dt76fatrme 10

04-01-2021 15:29

210104-h36y88a27j 10

Analysis

  • max time kernel
    97s
  • max time network
    8s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-01-2021 15:29

General

  • Target

    e5gwe.dll

  • Size

    164KB

  • MD5

    97235c5153c1e1a988df36a8db83ef87

  • SHA1

    5768261af0eb9c293d29b5a9106762b1b4859aad

  • SHA256

    2e8384b979521ab1a3ac17745f81d9a18fa084294d242d4a6918db4413e313c6

  • SHA512

    ad6f66e63ca693b0d3644eafb68b9969d7b4f70d885781b98ae2391bab5425770d5172f95e818a8c771f201b7548035c7d77d81c96abf28a0ae388a5dc706dde

Score
10/10

Malware Config

Extracted

Family

dridex

Botnet

111

C2

172.86.186.22:3889

46.105.131.78:14431

103.244.206.74:33443

139.162.53.147:4443

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5gwe.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5gwe.dll,#1
      2⤵
        PID:1200

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1200-2-0x0000000000000000-mapping.dmp

    • memory/1200-3-0x0000000075300000-0x000000007531F000-memory.dmp

      Filesize

      124KB