dridex | fdf50dbb288d2bd4a325783e72c1e5c598c87ed11725131f14f449dd6cc22cb1

Analysis

max time kernel
41s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mfyxb.dll
Size

236KB
MD5

8e821425efac1d3f2f905f4bfa76424f
SHA1

50c773785cb17532f3d4d04d6b0efc43fc22c3ee
SHA256

fdf50dbb288d2bd4a325783e72c1e5c598c87ed11725131f14f449dd6cc22cb1
SHA512

a3052984d3b029f461048f132e7d9c00e30a7d892e82ae8bc6e191c4047bf3d80e678f8892ba5be0a51b902a1deddf5773218c8a38d66295b585cf476f48f03c

Score

10^/10

dridex 111 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

111

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/900-3-0x0000000074220000-0x000000007423F000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 640 wrote to memory of 900	640	rundll32.exe	rundll32.exe
PID 640 wrote to memory of 900	640	rundll32.exe	rundll32.exe
PID 640 wrote to memory of 900	640	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfyxb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfyxb.dll,#1
2⤵
PID:900

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-2-0x0000000000000000-mapping.dmp

Download
memory/900-3-0x0000000074220000-0x000000007423F000-memory.dmp

Filesize
124KB

Download