dridex | e16fe86e0744baffec12cff0c66d3aed58b2c97c39578afee41572f503e20c4c

Analysis

max time kernel
88s
max time network
123s
platform
windows7_x64
resource
win7v20201028
submitted
14-01-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SlyOzj2S7kfU8q.dll
Size

236KB
MD5

99cf857dc9bf366da1cc363b0890f442
SHA1

038be0efc724a12be21a96c8a8b8a60fb8079a70
SHA256

e16fe86e0744baffec12cff0c66d3aed58b2c97c39578afee41572f503e20c4c
SHA512

54fd7dd8aadf96f342a9945ef9b7e597fe7ccb58170243a2687484a0c7a1e7994a117c76609a51a98a57f20748ebe59d145c600555bc93d10004aada2ec6caf4

Score

10^/10

dridex 111 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

111

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1320-3-0x00000000749D0000-0x00000000749EF000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1864 wrote to memory of 1320	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1320	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1320	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1320	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1320	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1320	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1320	1864	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SlyOzj2S7kfU8q.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SlyOzj2S7kfU8q.dll,#1
2⤵
PID:1320

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-2-0x0000000000000000-mapping.dmp

Download
memory/1320-3-0x00000000749D0000-0x00000000749EF000-memory.dmp

Filesize
124KB

Download