dridex | 6e55ab79e0a14740041f56c7db73e134944440c38406c38fd5fd0c9800972a54

Analysis

Target

6e55ab79e0a14740041f56c7db73e134944440c38406c38fd5fd0c9800972a54.dll
Size

163KB
MD5

df73b66b18f35ff68a262275a2f6e6d8
SHA1

613aae3c1a7beb2f00da74c3c6495df2c8b54355
SHA256

6e55ab79e0a14740041f56c7db73e134944440c38406c38fd5fd0c9800972a54
SHA512

a704f237f454860772b69b504d315fa0bb2ac83a9d79f4e01f1b05393ac45ed59dbfbffb0df109d84650e8052ebaf7f305539e8dcb54471ed2918aef77ac6a5d

Score

10^/10

Family

dridex

Botnet

22201

43.229.206.212:443

82.209.17.209:8172

162.241.209.225:4125

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/1884-115-0x0000000010000000-0x000000001002E000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3644 1884 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3644	1884	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3644 WerFault.exe
Token: SeBackupPrivilege 3644 WerFault.exe
Token: SeDebugPrivilege 3644 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3988 wrote to memory of 1884	3988	rundll32.exe	rundll32.exe
PID 3988 wrote to memory of 1884	3988	rundll32.exe	rundll32.exe
PID 3988 wrote to memory of 1884	3988	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e55ab79e0a14740041f56c7db73e134944440c38406c38fd5fd0c9800972a54.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e55ab79e0a14740041f56c7db73e134944440c38406c38fd5fd0c9800972a54.dll,#1
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 712
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3644

memory/1884-114-0x0000000000000000-mapping.dmp

Download
memory/1884-115-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1884-117-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download