dridex | 24d6327c85aaba6e15d4815c3de9b5503ecd727da8105525afd859548190b3eb

Analysis

max time kernel
86s
max time network
46s
platform
windows7_x64
resource
win7v20201028
submitted
14-01-2021 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

V701kINZ491h.dll
Size

236KB
MD5

852c9134444062073128dc5a6effa7f7
SHA1

c09150e35f0d71c59e41fff786cb40c3524e2134
SHA256

24d6327c85aaba6e15d4815c3de9b5503ecd727da8105525afd859548190b3eb
SHA512

9f0c85ff710943d8dfaa88b7d58b76530ca498782894a754a51a6738cb9dcbf4ac19b2e3f7ca029da93601dda06fe6dbea1eb1ee28aa8806f4506c0eda736a33

Score

10^/10

dridex 111 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

111

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1864-3-0x00000000749B0000-0x00000000749CF000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1008 wrote to memory of 1864	1008	rundll32.exe	rundll32.exe
PID 1008 wrote to memory of 1864	1008	rundll32.exe	rundll32.exe
PID 1008 wrote to memory of 1864	1008	rundll32.exe	rundll32.exe
PID 1008 wrote to memory of 1864	1008	rundll32.exe	rundll32.exe
PID 1008 wrote to memory of 1864	1008	rundll32.exe	rundll32.exe
PID 1008 wrote to memory of 1864	1008	rundll32.exe	rundll32.exe
PID 1008 wrote to memory of 1864	1008	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\V701kINZ491h.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\V701kINZ491h.dll,#1
2⤵
PID:1864

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-2-0x0000000000000000-mapping.dmp

Download
memory/1864-3-0x00000000749B0000-0x00000000749CF000-memory.dmp

Filesize
124KB

Download