dridex | b9bb671587f2dad8a3df83d6bd0b7b8327edf93fadbefe8b6aa7eabe6698ae88

Analysis

Target

by9zwa7p1zip.dll
Size

522KB
MD5

bb8cc78abb3842b7ca959a37d1654402
SHA1

e55142f154e399bd9a96558f8b660702d4429d9d
SHA256

b9bb671587f2dad8a3df83d6bd0b7b8327edf93fadbefe8b6aa7eabe6698ae88
SHA512

330a383dd1d361940d2a578a1769e2acdb25bccbc4f0d25f62150f6b8b2621bb3b3dee7cf583b3d26913cb929b665bd516d252e3e31af6628cf654a1d2737db0

Score

10^/10

Family

dridex

Botnet

10444

194.225.58.214:443

211.110.44.63:5353

69.164.207.140:3388

198.57.200.100:3786

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 3 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/4960-3-0x00000000737B0000-0x00000000737ED000-memory.dmp	dridex_ldr
behavioral2/memory/4960-4-0x00000000737B0000-0x00000000737ED000-memory.dmp	dridex_ldr
behavioral2/memory/4960-6-0x00000000737B0000-0x00000000737ED000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4692 wrote to memory of 4960	4692	regsvr32.exe	regsvr32.exe
PID 4692 wrote to memory of 4960	4692	regsvr32.exe	regsvr32.exe
PID 4692 wrote to memory of 4960	4692	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\by9zwa7p1zip.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\by9zwa7p1zip.dll
2⤵
PID:4960

memory/4960-2-0x0000000000000000-mapping.dmp

Download
memory/4960-3-0x00000000737B0000-0x00000000737ED000-memory.dmp

Filesize
244KB

Download
memory/4960-4-0x00000000737B0000-0x00000000737ED000-memory.dmp

Filesize
244KB

Download
memory/4960-5-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4960-6-0x00000000737B0000-0x00000000737ED000-memory.dmp

Filesize
244KB

Download