dridex | 6891a8b37cf49a8043bc1ad9f2ec41f89d5d1564361c8b2f307d83ef01fcd13c

Analysis

Target

6891a8b37cf49a8043bc1ad9f2ec41f89d5d1564361c8b2f307d83ef01fcd13c.dll
Size

174KB
MD5

3e13ffece405b4f0516b8605ae386d66
SHA1

b10ac007e701454a083d1b16e252b9ebd598f22b
SHA256

6891a8b37cf49a8043bc1ad9f2ec41f89d5d1564361c8b2f307d83ef01fcd13c
SHA512

97f05fac6454b8620940056b4d95824707b9ff1b62eb0ba83c473f23057158e4f3820abbc6185447866a0bee0eab6180f7b8320ba25479dcfde69c461aea3a94

Score

10^/10

Family

dridex

Botnet

22201

178.128.220.64:30333

45.79.91.89:9987

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/3636-115-0x00000000755E0000-0x0000000075610000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3980 3636 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3980	3636	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3980 WerFault.exe
Token: SeBackupPrivilege 3980 WerFault.exe
Token: SeDebugPrivilege 3980 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1696 wrote to memory of 3636	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 3636	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 3636	1696	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6891a8b37cf49a8043bc1ad9f2ec41f89d5d1564361c8b2f307d83ef01fcd13c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6891a8b37cf49a8043bc1ad9f2ec41f89d5d1564361c8b2f307d83ef01fcd13c.dll,#1
  2⤵
  PID:3636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 644
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3980

memory/3636-114-0x0000000000000000-mapping.dmp

Download
memory/3636-115-0x00000000755E0000-0x0000000075610000-memory.dmp

Filesize
192KB

Download
memory/3636-117-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download