Analysis

  • max time kernel
    18s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-06-2021 17:38

General

  • Target

    5085e767c5654dd845a4cad6f48606a6c887eaaf1fed09748fec3e1234907431.dll

  • Size

    160KB

  • MD5

    47568eb6ae4a754b747179d850079518

  • SHA1

    7a598049a63889fff94bb17370fca4fd7362d6da

  • SHA256

    5085e767c5654dd845a4cad6f48606a6c887eaaf1fed09748fec3e1234907431

  • SHA512

    05d1895d3fc8b0c9cf639b1911f5253282220ebc4060d134d8fccdf1840ff19db760b27b7078829eccdf237bf0600ed8d821047f836f6a253e663116aa8f4196

Malware Config

Extracted

Family

dridex

Botnet

40111

C2

94.247.168.64:443

159.203.93.122:8172

50.116.27.97:2303

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5085e767c5654dd845a4cad6f48606a6c887eaaf1fed09748fec3e1234907431.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5085e767c5654dd845a4cad6f48606a6c887eaaf1fed09748fec3e1234907431.dll,#1
      2⤵
      • Checks whether UAC is enabled
      PID:476

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/476-114-0x0000000000000000-mapping.dmp

  • memory/476-115-0x00000000739B0000-0x00000000739DE000-memory.dmp

    Filesize

    184KB

  • memory/476-117-0x0000000002FF0000-0x0000000002FF6000-memory.dmp

    Filesize

    24KB