Overview

overview

10

Static

static

1_FXSMON.dll

windows7_x64

10

1_FXSMON.dll

windows10_x64

10

2_System.W...ni.dll

windows7_x64

10

2_System.W...ni.dll

windows10_x64

10

5_System.dll

windows7_x64

10

5_System.dll

windows10_x64

10

Analysis

  • max time kernel
    123s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    18-10-2021 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2_System.Windows.Forms.DataVisualization.Design.ni.dll

  • Size

    180KB

  • MD5

    d08861f67ff78ce290400918bef9d6d3

  • SHA1

    84fa96bab75c39763e98cae598d66bc2e0372cc5

  • SHA256

    8321ba3134a0517c02ddf3b26163afa155aeb6aa606a2825618671372679c4a2

  • SHA512

    e502f2e8ed1c45a1de6d8a9fb3f610cf97adf71f2504284bbccd42dd436e08d483536ac031e022526c951a21b7521322cc5f78863e1cea40003e5c4b8c912bd5

Score
10/10
dridex22203botnetloader

Malware Config

Extracted

Family

dridex

Botnet

22203

C2

195.154.146.84:443

45.56.121.87:8116

157.245.222.44:5723
rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2_System.Windows.Forms.DataVisualization.Design.ni.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2_System.Windows.Forms.DataVisualization.Design.ni.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 252
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/268-57-0x0000000000000000-mapping.dmp
    Download
  • memory/268-59-0x0000000000290000-0x0000000000291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1600-53-0x0000000000000000-mapping.dmp
    Download
  • memory/1600-54-0x0000000076201000-0x0000000076203000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1600-55-0x0000000074950000-0x000000007497F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1600-58-0x0000000000130000-0x0000000000136000-memory.dmp
    Filesize

    24KB

    Download