dridex | b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9

Analysis

Target

b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9.dll
Size

165KB
MD5

eb2a6b15ae783a06f63b258e6b1b5dea
SHA1

c6a15516ba0a987a71032522bbbb345d379001ac
SHA256

b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9
SHA512

b54bdada86e7995ef6d1ce9b22ef5488254774a32b057f28a4672c884b4abf7e87a6957c67790f1f0b6f7230f9e94c4663c02f28d478236f611516868773cc1d

Score

10^/10

Family

dridex

Botnet

10555

199.66.90.63:443

85.214.26.7:3389

51.68.224.245:4646

107.175.87.150:3889

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/1680-3-0x00000000736F0000-0x000000007371C000-memory.dmp	dridex_ldr

Dridex Loader 'dmod' strings 1 IoCs

Detects 'dmod' strings in Dridex loader.

Processes:

resource	yara_rule
behavioral2/memory/1680-3-0x00000000736F0000-0x000000007371C000-memory.dmp	dridex_ldr_dmod

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 984 wrote to memory of 1680	984	regsvr32.exe	regsvr32.exe
PID 984 wrote to memory of 1680	984	regsvr32.exe	regsvr32.exe
PID 984 wrote to memory of 1680	984	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9.dll
2⤵
PID:1680

memory/1680-2-0x0000000000000000-mapping.dmp

Download
memory/1680-3-0x00000000736F0000-0x000000007371C000-memory.dmp

Filesize
176KB

Download