Analysis
-
max time kernel
63s -
max time network
122s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
19-04-2021 13:09
General
-
Target
gu5xr9o.tar.dll
-
Size
734KB
-
MD5
498341ae19f9aa4dbed0d2f81b4409a3
-
SHA1
a2c2fff5f561a5a64644f7250405c5c2a04fd10e
-
SHA256
d8ab2cd6839646c2bfcb6d74a1eb4d35de975dcc457a19716f89cac6f553c658
-
SHA512
84359a2f2fd1b3fbc7f3db16b45c31e2ae6cca96c137dd4c803d079381ca782239f091cbddc2f9fe8907818664ae4528d9e1d79f69fb56a3a6c0cd63b170e733
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
146.185.170.249:443
62.75.251.60:6601
185.148.168.25:2303
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 2 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Blocklisted process makes network request 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\gu5xr9o.tar.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\gu5xr9o.tar.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2004-60-0x0000000000000000-mapping.dmp
-
memory/2004-61-0x0000000075DA1000-0x0000000075DA3000-memory.dmpFilesize
8KB
-
memory/2004-63-0x0000000075050000-0x000000007512A000-memory.dmpFilesize
872KB
-
memory/2004-62-0x0000000075050000-0x000000007508D000-memory.dmpFilesize
244KB
-
memory/2004-64-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB