dridex | fe0c930569fcd78494353879f7c5aceaec69cf7ea44f184d4e7f3c9d7573ad1e

Analysis

max time kernel
39s
max time network
106s
platform
windows10_x64
resource
win10v20201028
submitted
14-01-2021 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

huR9GcNBnM6.dll
Size

236KB
MD5

09e6a4f78487634f1aaf4ffb5f1f9291
SHA1

417d5c51bcdda9a2efc5e9336b00dc1f8e4d015a
SHA256

fe0c930569fcd78494353879f7c5aceaec69cf7ea44f184d4e7f3c9d7573ad1e
SHA512

64d1f45520ca83f22fc18990e43260acb8a6a6fb4d9f8816126866ee42e8a633e647b50fba309b24c89d6654e4dc199d48cb15ab2ba0d493cf8ffdec4ab5a27a

Score

10^/10

dridex 111 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

111

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/1596-3-0x00000000736F0000-0x000000007370F000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1112 wrote to memory of 1596	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 1596	1112	rundll32.exe	rundll32.exe
PID 1112 wrote to memory of 1596	1112	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\huR9GcNBnM6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\huR9GcNBnM6.dll,#1
2⤵
PID:1596

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-2-0x0000000000000000-mapping.dmp

Download
memory/1596-3-0x00000000736F0000-0x000000007370F000-memory.dmp

Filesize
124KB

Download