dridex | 31941fb34777d7a4bb354acaca47998611385a7b8aa8a90c4e467443ff0eac82

Analysis

Target

hwdWR7DS.dll
Size

236KB
MD5

39c3f4eb55f7523b1345c6c45153f0e1
SHA1

96a601a5010f8d736e064c986bf072c3f9a77dbb
SHA256

31941fb34777d7a4bb354acaca47998611385a7b8aa8a90c4e467443ff0eac82
SHA512

bbbe144a4d222b6c0638ad86213bbdcc9f12425d0ccf2d00379c8b3fcb83ba00732e47230c50364053ae634c50a803b7b0a27431ffd1eff4d8843d1b9cb125a6

Score

10^/10

Family

dridex

Botnet

111

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/1748-3-0x0000000074AE0000-0x0000000074AFF000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1424 wrote to memory of 1748	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1748	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1748	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1748	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1748	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1748	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1748	1424	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\hwdWR7DS.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\hwdWR7DS.dll,#1
  2⤵
  PID:1748

memory/1748-2-0x0000000000000000-mapping.dmp

Download
memory/1748-3-0x0000000074AE0000-0x0000000074AFF000-memory.dmp

Filesize
124KB

Download