dridex | 57bfee1e4e0ab516bba59255c176e9d9f39de17458833b6c05f43b46c404175b

Analysis

max time kernel
12s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ymuyks.rar.dll
Size

311KB
MD5

3932842c83bdae09d7beb3525d0bbd50
SHA1

4820ed71a8f66aaa01ef08c742258389a6c4f895
SHA256

57bfee1e4e0ab516bba59255c176e9d9f39de17458833b6c05f43b46c404175b
SHA512

1d3c8214d65c0206dd8fe150ac237ebf81b74181eb35c47733f5b890fecf3dd9d353e97627eeaf8d5e7c567835d0cee3cb0277a346b1a52fecbd3661eb9758aa

Score

10^/10

dridex 10444 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10444

77.220.64.37:443

80.86.91.27:3308

5.100.228.233:3389

46.105.131.65:1512

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/1596-3-0x0000000002E40000-0x0000000002E7D000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 412 wrote to memory of 1596	412	rundll32.exe	rundll32.exe
PID 412 wrote to memory of 1596	412	rundll32.exe	rundll32.exe
PID 412 wrote to memory of 1596	412	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ymuyks.rar.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ymuyks.rar.dll,#1
2⤵
PID:1596

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-2-0x0000000000000000-mapping.dmp

Download
memory/1596-3-0x0000000002E40000-0x0000000002E7D000-memory.dmp

Filesize
244KB

Download