dridex | 67c1e48e17bc9e35b50e642ac99e475e1a6faee03ca671cea409bed644287580

Analysis

Target

67c1e48e17bc9e35b50e642ac99e475e1a6faee03ca671cea409bed644287580.dll
Size

538KB
MD5

8f83a5eaed1994d1a87fa16d77ad7833
SHA1

0f3da89a227960d1a87065f02428857c32a39b89
SHA256

67c1e48e17bc9e35b50e642ac99e475e1a6faee03ca671cea409bed644287580
SHA512

25d0a2c0f3d2885ce3f21a26f7a8b9e1e75aec5cc69f42dc4f9314805e900dd5f0f9149cee750489bb6aeac06dfdf2b7dd15d6fbfeab08c25d183d64257188ad

Score

10^/10

Family

dridex

Botnet

10444

77.220.64.146:443

85.25.134.43:8172

213.208.134.178:6516

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/1256-5-0x0000000073FA0000-0x0000000073FDD000-memory.dmp	dridex_ldr
behavioral1/memory/1256-6-0x0000000073FA0000-0x0000000073FDD000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1932 wrote to memory of 1256	1932	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 1256	1932	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 1256	1932	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 1256	1932	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 1256	1932	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 1256	1932	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 1256	1932	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\67c1e48e17bc9e35b50e642ac99e475e1a6faee03ca671cea409bed644287580.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\67c1e48e17bc9e35b50e642ac99e475e1a6faee03ca671cea409bed644287580.dll
  2⤵
  PID:1256

memory/304-8-0x000007FEF6E90000-0x000007FEF710A000-memory.dmp

Filesize
2.5MB

Download
memory/1256-3-0x0000000000000000-mapping.dmp

Download
memory/1256-4-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1256-5-0x0000000073FA0000-0x0000000073FDD000-memory.dmp

Filesize
244KB

Download
memory/1256-6-0x0000000073FA0000-0x0000000073FDD000-memory.dmp

Filesize
244KB

Download
memory/1256-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1932-2-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download