dridex | 7971753826c00e8e009154c86e228c2f15fc58a843bdc8e440ed40ae9e44252d

Analysis

max time kernel
171s
max time network
314s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8_hp8500at.dll
Size

180KB
MD5

f8c801f32b822d210bbb788407ed29cf
SHA1

bc6b2888442a55b42d4aadf563a7383cafe20de5
SHA256

adbd74fa44708c118685b0798bc9e27e0fd50d027a22bbf6328da02875cb18de
SHA512

e5b03e1638ab04fb014683848fd4f4fb417e371b6c182c07e7f9c9589f5c95f774e8d47ad2411c71f1b9027598f10fd4c405539ef1e026953f1a3e9c5612e72f

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

212.237.17.99:443

176.28.17.160:6602

51.254.140.238:8333

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral6/memory/3564-116-0x0000000074160000-0x000000007418F000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

436 3564 WerFault.exe rundll32.exe

pid	pid_target	process	target process
436	3564	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe
436	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 436 WerFault.exe
Token: SeBackupPrivilege 436 WerFault.exe
Token: SeDebugPrivilege 436 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	436	WerFault.exe
Token: SeBackupPrivilege	436	WerFault.exe
Token: SeDebugPrivilege	436	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2608 wrote to memory of 3564	2608	rundll32.exe	rundll32.exe
PID 2608 wrote to memory of 3564	2608	rundll32.exe	rundll32.exe
PID 2608 wrote to memory of 3564	2608	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8_hp8500at.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8_hp8500at.dll,#1
2⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 624
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3564-115-0x0000000000000000-mapping.dmp

Download
memory/3564-116-0x0000000074160000-0x000000007418F000-memory.dmp

Filesize
188KB

Download
memory/3564-118-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

Filesize
24KB

Download