dridex | 9e39f4494952dfedc6608ebad6c832474045bfaba3ccbb69f8194a2681311eac

Analysis

Target

l0sjk3o.dll
Size

329KB
MD5

68183c1d9929e5502729e95454eca8e0
SHA1

cfd4c7413fa9216afef60201895c3a620ea6801c
SHA256

9e39f4494952dfedc6608ebad6c832474045bfaba3ccbb69f8194a2681311eac
SHA512

98fa8564b0da7d8286819e1bf174ec84b4dc922f327e1397db8b08d5ab61637da39a79d0bf66f793e1381ca83de896c130bc03a45181bc4af237a5295ca738e7

Score

10^/10

Family

dridex

Botnet

10555

77.220.64.37:443

80.86.91.27:3308

5.100.228.233:3389

46.105.131.65:1512

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/1996-3-0x00000000007D0000-0x000000000080D000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1756 wrote to memory of 1996	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1996	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1996	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1996	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1996	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1996	1756	regsvr32.exe	regsvr32.exe
PID 1756 wrote to memory of 1996	1756	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\l0sjk3o.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\l0sjk3o.dll
2⤵
PID:1996

memory/604-4-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download
memory/1996-2-0x0000000000000000-mapping.dmp

Download
memory/1996-3-0x00000000007D0000-0x000000000080D000-memory.dmp

Filesize
244KB

Download