dridex | cbcbd8b53748cac59ad0d253ca10baf051e0fb8168d65d1f0e7eb15bff5d074f

Analysis

max time kernel
28s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
23-06-2021 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbcbd8b53748cac59ad0d253ca10baf051e0fb8168d65d1f0e7eb15bff5d074f.dll
Size

158KB
MD5

e7ac89e26c5b8f0d2a019df83f0bf429
SHA1

6b2f2310f04271dc762e327f8546c161ca4719e0
SHA256

cbcbd8b53748cac59ad0d253ca10baf051e0fb8168d65d1f0e7eb15bff5d074f
SHA512

d04e89e509048ff0ba44b4f12d1bd7e7ea7f583a3dcdf7614a6e826b168b211865f0cf26db8520b2ab2270da6a098b092b1aa7ac1d14a6f75bd19dbdb9b6136c

Score

10^/10

dridex 40111 botnet evasion loader trojan

Malware Config

Extracted

Family

dridex

Botnet

40111

8.210.53.215:443

72.249.22.245:2303

188.40.137.206:8172

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/4444-115-0x0000000074290000-0x00000000742BD000-memory.dmp	dridex_ldr

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4428 wrote to memory of 4444	4428	rundll32.exe	rundll32.exe
PID 4428 wrote to memory of 4444	4428	rundll32.exe	rundll32.exe
PID 4428 wrote to memory of 4444	4428	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbcbd8b53748cac59ad0d253ca10baf051e0fb8168d65d1f0e7eb15bff5d074f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbcbd8b53748cac59ad0d253ca10baf051e0fb8168d65d1f0e7eb15bff5d074f.dll,#1
2⤵
- Checks whether UAC is enabled
PID:4444

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4444-114-0x0000000000000000-mapping.dmp

Download
memory/4444-115-0x0000000074290000-0x00000000742BD000-memory.dmp

Filesize
180KB

Download
memory/4444-117-0x0000000000910000-0x0000000000916000-memory.dmp

Filesize
24KB

Download