dridex | d1bbb5dee037f3f892b843bb16de30a63ada202842f7c7445bb3f62a14d1dd40

Analysis

max time kernel
82s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
14-01-2021 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GSB36ZV2sQVn.dll
Size

236KB
MD5

983c4f8c64cc3ffe72dfe6aefa921dee
SHA1

8babeab5037f7e3e7db5934a62bbcec4cb8dfda2
SHA256

d1bbb5dee037f3f892b843bb16de30a63ada202842f7c7445bb3f62a14d1dd40
SHA512

68b89efac7dd4807f0bf0711d8aaee8a308e018f374a3863bbfd1e61b73db7f3f034d5192441c41c0388f4d052bce31bb155875075f1102e4ef8af7a598b70c2

Score

10^/10

dridex 111 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

111

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1916-3-0x0000000074A10000-0x0000000074A2F000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 596 wrote to memory of 1916	596	rundll32.exe	rundll32.exe
PID 596 wrote to memory of 1916	596	rundll32.exe	rundll32.exe
PID 596 wrote to memory of 1916	596	rundll32.exe	rundll32.exe
PID 596 wrote to memory of 1916	596	rundll32.exe	rundll32.exe
PID 596 wrote to memory of 1916	596	rundll32.exe	rundll32.exe
PID 596 wrote to memory of 1916	596	rundll32.exe	rundll32.exe
PID 596 wrote to memory of 1916	596	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSB36ZV2sQVn.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSB36ZV2sQVn.dll,#1
2⤵
PID:1916

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1916-2-0x0000000000000000-mapping.dmp

Download
memory/1916-3-0x0000000074A10000-0x0000000074A2F000-memory.dmp

Filesize
124KB

Download