dridex | e63419700590e021c61e68cfaccfbe5be4f31aba7fdf703d323c8b14365658e5

Analysis

Target

7d99e955a5f92c1f7809bb6a6609af70.exe.dll
Size

425KB
MD5

7d99e955a5f92c1f7809bb6a6609af70
SHA1

a9eae703e5b501bd0ab767782ee4cfad467b736e
SHA256

e63419700590e021c61e68cfaccfbe5be4f31aba7fdf703d323c8b14365658e5
SHA512

e935fad23dc862daf1c55677d255b142f112ac1a6102614c672dd1e75f9c64a54e7266a8a1d45cc5de9b31e85db2281200d5cdb551d0dd544e8d08dddf2641b6

Score

10^/10

Family

dridex

Botnet

10555

77.220.64.132:443

212.227.53.240:5037

192.241.174.45:8172

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/1216-4-0x0000000000690000-0x00000000006CD000-memory.dmp	dridex_ldr
behavioral2/memory/1216-6-0x0000000000690000-0x000000000077E000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3116 wrote to memory of 1216	3116	regsvr32.exe	regsvr32.exe
PID 3116 wrote to memory of 1216	3116	regsvr32.exe	regsvr32.exe
PID 3116 wrote to memory of 1216	3116	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7d99e955a5f92c1f7809bb6a6609af70.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7d99e955a5f92c1f7809bb6a6609af70.exe.dll
2⤵
PID:1216

memory/1216-2-0x0000000000000000-mapping.dmp

Download
memory/1216-3-0x0000000000691000-0x0000000000699000-memory.dmp

Filesize
32KB

Download
memory/1216-4-0x0000000000690000-0x00000000006CD000-memory.dmp

Filesize
244KB

Download
memory/1216-6-0x0000000000690000-0x000000000077E000-memory.dmp

Filesize
952KB

Download
memory/1216-5-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download