dridex | ff277a5e33ec98ad5f0945834f731e39fa2113ac0369ade14fc690a9d1a7cc31

General

Target

3c2244956646acde36ff20732eb63071.dll
Size

176KB
MD5

3c2244956646acde36ff20732eb63071
SHA1

f218a9c08cb26388223600bf3691a90be4cdfb7b
SHA256

ff277a5e33ec98ad5f0945834f731e39fa2113ac0369ade14fc690a9d1a7cc31
SHA512

ae79358315583a248575d4471144c9c0441758502c5c4cba1dc92d68403912c3c6e6c3b109a607f0d9539892f5d4fa845c13a382c3c71d0b2d3335ecc1fd13e6

Score

10^/10

dridex 22202 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22202

C2

178.238.236.59:443

104.245.52.73:5007

81.0.236.93:13786

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1852-62-0x00000000751E0000-0x0000000075211000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 1852 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1680 WerFault.exe
1680 WerFault.exe
1680 WerFault.exe
1680 WerFault.exe
1680 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1680 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1680 WerFault.exe

pid	pid_target	process	target process
1680	1852	WerFault.exe	rundll32.exe

pid	process
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe

pid	process
1680	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1680	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1080 wrote to memory of 1852	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1852	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1852	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1852	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1852	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1852	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1852	1080	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 1680	1852	rundll32.exe	WerFault.exe
PID 1852 wrote to memory of 1680	1852	rundll32.exe	WerFault.exe
PID 1852 wrote to memory of 1680	1852	rundll32.exe	WerFault.exe
PID 1852 wrote to memory of 1680	1852	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c2244956646acde36ff20732eb63071.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c2244956646acde36ff20732eb63071.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 224
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1680

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-64-0x0000000000000000-mapping.dmp

Download
memory/1680-66-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1852-60-0x0000000000000000-mapping.dmp

Download
memory/1852-61-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1852-62-0x00000000751E0000-0x0000000075211000-memory.dmp

Filesize
196KB

Download
memory/1852-65-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing