dridex | ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f

Analysis

max time kernel
18s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
11-06-2021 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f.dll
Size

174KB
MD5

a4a8cb379b3a40014fa35635b3c5bcb3
SHA1

78ff459cb487e65319d445d32b5c7b70558fdeb8
SHA256

ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f
SHA512

49835c6033bef20095016adfa6cd59fc70e04efe61e8ce461dbd506ad240f576c8de30d878cbe7057060e0c2e3c3327d2213a3e957cd42d5caf1f55763fe1355

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

178.128.220.64:30333

45.79.91.89:9987

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/3872-115-0x0000000073A10000-0x0000000073A40000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3076 3872 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3076	3872	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3076 WerFault.exe
Token: SeBackupPrivilege 3076 WerFault.exe
Token: SeDebugPrivilege 3076 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3076	WerFault.exe
Token: SeBackupPrivilege	3076	WerFault.exe
Token: SeDebugPrivilege	3076	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3892 wrote to memory of 3872	3892	rundll32.exe	rundll32.exe
PID 3892 wrote to memory of 3872	3892	rundll32.exe	rundll32.exe
PID 3892 wrote to memory of 3872	3892	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f.dll,#1
2⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 648
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3872-114-0x0000000000000000-mapping.dmp

Download
memory/3872-115-0x0000000073A10000-0x0000000073A40000-memory.dmp

Filesize
192KB

Download
memory/3872-117-0x0000000000E10000-0x0000000000F5A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads