Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-03-2021 11:53
General
-
Target
h1tzuto.tar.dll
-
Size
425KB
-
MD5
7d99e955a5f92c1f7809bb6a6609af70
-
SHA1
a9eae703e5b501bd0ab767782ee4cfad467b736e
-
SHA256
e63419700590e021c61e68cfaccfbe5be4f31aba7fdf703d323c8b14365658e5
-
SHA512
e935fad23dc862daf1c55677d255b142f112ac1a6102614c672dd1e75f9c64a54e7266a8a1d45cc5de9b31e85db2281200d5cdb551d0dd544e8d08dddf2641b6
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10555
C2
77.220.64.132:443
212.227.53.240:5037
192.241.174.45:8172
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 2 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\h1tzuto.tar.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\h1tzuto.tar.dll2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/624-8-0x000007FEF6460000-0x000007FEF66DA000-memory.dmpFilesize
2.5MB
-
memory/1340-3-0x0000000000000000-mapping.dmp
-
memory/1340-4-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/1340-5-0x00000000009A0000-0x00000000009DD000-memory.dmpFilesize
244KB
-
memory/1340-6-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1340-7-0x00000000009A0000-0x0000000000A8E000-memory.dmpFilesize
952KB
-
memory/1676-2-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmpFilesize
8KB