Analysis

  • max time kernel
    116s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-04-2021 18:18

General

  • Target

    66aaf5adbefdf266b5b1a944d0c9c4d6da0df4caa88312d34d913e3bd3bc7ef3.dll

  • Size

    154KB

  • MD5

    84b4b1075b9d2cbf5145d4254beb601e

  • SHA1

    50140d262469e2c8b90ae8c18e16f5a9917d0a7e

  • SHA256

    66aaf5adbefdf266b5b1a944d0c9c4d6da0df4caa88312d34d913e3bd3bc7ef3

  • SHA512

    29100274b9559234a65520d7dc10456cb933b770fd7c388f594e5e90286f9fe81343db7234dd4ac1143050dfdc73205bbcef5cdfa666d14be88921ef6ff2c7d0

Malware Config

Extracted

Family

dridex

Botnet

40111

C2

159.8.59.82:443

51.91.156.39:2303

67.196.50.240:8172

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\66aaf5adbefdf266b5b1a944d0c9c4d6da0df4caa88312d34d913e3bd3bc7ef3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    PID:3056
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\66aaf5adbefdf266b5b1a944d0c9c4d6da0df4caa88312d34d913e3bd3bc7ef3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3100

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3056-114-0x0000000000000000-mapping.dmp

  • memory/3056-115-0x0000000073F20000-0x0000000073F4D000-memory.dmp

    Filesize

    180KB

  • memory/3056-117-0x00000000004F0000-0x00000000004F6000-memory.dmp

    Filesize

    24KB