dridex | 2e8384b979521ab1a3ac17745f81d9a18fa084294d242d4a6918db4413e313c6

Resubmissions

04-01-2021 16:33

04-01-2021 15:29

Target

e5gwe.dll
Size

164KB
MD5

97235c5153c1e1a988df36a8db83ef87
SHA1

5768261af0eb9c293d29b5a9106762b1b4859aad
SHA256

2e8384b979521ab1a3ac17745f81d9a18fa084294d242d4a6918db4413e313c6
SHA512

ad6f66e63ca693b0d3644eafb68b9969d7b4f70d885781b98ae2391bab5425770d5172f95e818a8c771f201b7548035c7d77d81c96abf28a0ae388a5dc706dde

Score

10^/10

Family

dridex

Botnet

111

172.86.186.22:3889

46.105.131.78:14431

103.244.206.74:33443

139.162.53.147:4443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/828-3-0x0000000073770000-0x000000007378F000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1812 wrote to memory of 828	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 828	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 828	1812	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5gwe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5gwe.dll,#1
  2⤵
  PID:828

memory/828-2-0x0000000000000000-mapping.dmp

Download
memory/828-3-0x0000000073770000-0x000000007378F000-memory.dmp

Filesize
124KB

Download