dridex | 2c54438f5d99d15e5df3965397e25a0fa17ca7f08d317eb4bf31d1268e10f020

Analysis

Target

2c54438f5d99d15e5df3965397e25a0fa17ca7f08d317eb4bf31d1268e10f020.dll
Size

176KB
MD5

397b799c357562c5a8061a39514d7785
SHA1

80d3d5366f47d3462ea9e688f444066d7fce2a24
SHA256

2c54438f5d99d15e5df3965397e25a0fa17ca7f08d317eb4bf31d1268e10f020
SHA512

bbec10e5d321ee33184cb2b450296103333196e0d9b71c7066bdf6ef5ea011210f6c28ada19532cff1ad22df577e7b40a39b2fa1adabb525b91a1b19e097f70b

Score

10^/10

Family

dridex

Botnet

22202

178.238.236.59:443

104.245.52.73:5007

81.0.236.93:13786

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/3680-115-0x00000000742F0000-0x0000000074321000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2696 3680 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2696	3680	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2696 WerFault.exe
Token: SeBackupPrivilege 2696 WerFault.exe
Token: SeDebugPrivilege 2696 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 500 wrote to memory of 3680	500	rundll32.exe	rundll32.exe
PID 500 wrote to memory of 3680	500	rundll32.exe	rundll32.exe
PID 500 wrote to memory of 3680	500	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c54438f5d99d15e5df3965397e25a0fa17ca7f08d317eb4bf31d1268e10f020.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:500
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c54438f5d99d15e5df3965397e25a0fa17ca7f08d317eb4bf31d1268e10f020.dll,#1
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 636
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

memory/3680-114-0x0000000000000000-mapping.dmp

Download
memory/3680-115-0x00000000742F0000-0x0000000074321000-memory.dmp

Filesize
196KB

Download
memory/3680-117-0x00000000010F0000-0x00000000010F6000-memory.dmp

Filesize
24KB

Download