c916448e0e655e1c5bccf452efb7604772ee816c9b5f9c11b0a89c17e2942e35

General
Target

c916448e0e655e1c5bccf452efb7604772ee816c9b5f9c11b0a89c17e2942e35.dll

Filesize

161KB

Completed

04-05-2021 15:22

Score
10 /10
MD5

27bfb49d003b0285b1077e8dc57c8323

SHA1

45caa2793e1bcf1d1fa63e6f74e03d6d6ce22829

SHA256

c916448e0e655e1c5bccf452efb7604772ee816c9b5f9c11b0a89c17e2942e35

Malware Config

Extracted

Family dridex
Botnet 40111
C2

107.172.227.10:443

172.93.133.123:2303

108.168.61.147:8172

rc4.plain
Signatures 4


Discovery
  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader

    Description

    Detects the Dridex loader (both x86 and x64) in memory.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/3212-115-0x0000000073860000-0x000000007388E000-memory.dmp | dridex_ldr
  • Checks whether UAC is enabled
    rundll32.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 2208 wrote to memory of 3212 | 2208 | rundll32.exe | rundll32.exe
    PID 2208 wrote to memory of 3212 | 2208 | rundll32.exe | rundll32.exe
    PID 2208 wrote to memory of 3212 | 2208 | rundll32.exe | rundll32.exe
Processes 2
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c916448e0e655e1c5bccf452efb7604772ee816c9b5f9c11b0a89c17e2942e35.dll,#1
    Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c916448e0e655e1c5bccf452efb7604772ee816c9b5f9c11b0a89c17e2942e35.dll,#1
      Checks whether UAC is enabled
      PID:3212
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/3212-114-0x0000000000000000-mapping.dmp
  • memory/3212-115-0x0000000073860000-0x000000007388E000-memory.dmp
  • memory/3212-117-0x0000000002AB0000-0x0000000002AB6000-memory.dmp