dridex | 65b77f03c8dcc095dc51d0bd3a273a94b0c616187440f2fcdd2c3e9da1f7e787

Analysis

Target

Rvlx1evnUjlGIy.dll
Size

236KB
MD5

cd743ffac9e64c81fc1fc7bc8b5bd92e
SHA1

6147955bf60f4ba501b820e972c0efb237df5ed0
SHA256

65b77f03c8dcc095dc51d0bd3a273a94b0c616187440f2fcdd2c3e9da1f7e787
SHA512

5a1830d816c2f73602fdc55371c14bb332a9ca753da9a17572dffb4f66c8f6832794c7394f9817a4983c7f73f0d94978ddf68a204393a2e289775ff3d007eb76

Score

10^/10

Family

dridex

Botnet

111

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/3300-3-0x0000000073E00000-0x0000000073E1F000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4076 wrote to memory of 3300	4076	rundll32.exe	rundll32.exe
PID 4076 wrote to memory of 3300	4076	rundll32.exe	rundll32.exe
PID 4076 wrote to memory of 3300	4076	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Rvlx1evnUjlGIy.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Rvlx1evnUjlGIy.dll,#1
2⤵
PID:3300

memory/3300-2-0x0000000000000000-mapping.dmp

Download
memory/3300-3-0x0000000073E00000-0x0000000073E1F000-memory.dmp

Filesize
124KB

Download