dridex | c2815092125b55e73ef6e7375c7e4f5f9bf16711a754641bbad86a373e1e2de1

Analysis

Target

c2815092125b55e73ef6e7375c7e4f5f9bf16711a754641bbad86a373e1e2de1.dll
Size

174KB
MD5

11b154fa73d59fc17d7ac437ebd0d52f
SHA1

5855e87e044fd013009d4a06f09137d46917310b
SHA256

c2815092125b55e73ef6e7375c7e4f5f9bf16711a754641bbad86a373e1e2de1
SHA512

22d0c15844f1d35e15887e73e18991d9a9e761c12ffaeda9c04f2fa13b97d87db1e83de4f6e62b988a819c1b1a2e153ed3b276565d93d5950f318c7fdff624b4

Score

10^/10

Family

dridex

Botnet

22201

178.128.220.64:30333

45.79.91.89:9987

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/416-115-0x0000000073860000-0x0000000073890000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3536 416 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3536	416	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3536 WerFault.exe
Token: SeBackupPrivilege 3536 WerFault.exe
Token: SeDebugPrivilege 3536 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2204 wrote to memory of 416	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 416	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 416	2204	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2815092125b55e73ef6e7375c7e4f5f9bf16711a754641bbad86a373e1e2de1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2815092125b55e73ef6e7375c7e4f5f9bf16711a754641bbad86a373e1e2de1.dll,#1
  2⤵
  PID:416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 644
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3536

memory/416-114-0x0000000000000000-mapping.dmp

Download
memory/416-115-0x0000000073860000-0x0000000073890000-memory.dmp

Filesize
192KB

Download
memory/416-117-0x0000000002F70000-0x0000000002F76000-memory.dmp

Filesize
24KB

Download