dridex | 3b7954976c70e78a7be2e9d5e8a8c63097e293bf24b720c9809653011d26ee1b

Analysis

Target

3b7954976c70e78a7be2e9d5e8a8c63097e293bf24b720c9809653011d26ee1b.dll
Size

174KB
MD5

d402f80162ab024c07cdc1ef39d3dc2c
SHA1

3373476cfe58879b46b09102f0f98bada9ef3c7f
SHA256

3b7954976c70e78a7be2e9d5e8a8c63097e293bf24b720c9809653011d26ee1b
SHA512

e9cc115da7474d2e93ca6b00b819998c5a0a9d3bd1d948cf531fae3365c40be65e4cd66fc6f1ca4b4bc2646b077cb6e027e0d14b46a2cf2a04021dbb7978b3f8

Score

10^/10

Family

dridex

Botnet

22201

178.128.220.64:30333

45.79.91.89:9987

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/3872-115-0x0000000073A10000-0x0000000073A40000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3784 3872 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3784	3872	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3784 WerFault.exe
Token: SeBackupPrivilege 3784 WerFault.exe
Token: SeDebugPrivilege 3784 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3892 wrote to memory of 3872	3892	rundll32.exe	rundll32.exe
PID 3892 wrote to memory of 3872	3892	rundll32.exe	rundll32.exe
PID 3892 wrote to memory of 3872	3892	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7954976c70e78a7be2e9d5e8a8c63097e293bf24b720c9809653011d26ee1b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b7954976c70e78a7be2e9d5e8a8c63097e293bf24b720c9809653011d26ee1b.dll,#1
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 644
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3784

memory/3872-114-0x0000000000000000-mapping.dmp

Download
memory/3872-115-0x0000000073A10000-0x0000000073A40000-memory.dmp

Filesize
192KB

Download
memory/3872-117-0x0000000003270000-0x0000000003276000-memory.dmp

Filesize
24KB

Download