dridex | eea8515a729717bea0a995407687a829e0bd3daa3115032946b76e7071db7580

Analysis

max time kernel
134s
max time network
125s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6_System.Data.Services.Client.dll
Size

180KB
MD5

c3c91aab11ef219ec03c45850a793306
SHA1

6b86858e92932f11debd8b0e969ac31e140f5abb
SHA256

eea8515a729717bea0a995407687a829e0bd3daa3115032946b76e7071db7580
SHA512

8da9972693467d4d180a489fdf0a014d161b70e630845816fd4a4c5e435b59657dd5966c4e7428b5796d38a54234d1900b037074985ac69878bb0a2c65ca4e2c

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

212.237.17.99:443

176.28.17.160:6602

51.254.140.238:8333

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/772-57-0x0000000074960000-0x000000007498F000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1496 772 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1496 WerFault.exe
1496 WerFault.exe
1496 WerFault.exe
1496 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1496 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1496 WerFault.exe

pid	pid_target	process	target process
1496	772	WerFault.exe	rundll32.exe

pid	process
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe

pid	process
1496	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1496	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 908 wrote to memory of 772	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 772	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 772	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 772	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 772	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 772	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 772	908	rundll32.exe	rundll32.exe
PID 772 wrote to memory of 1496	772	rundll32.exe	WerFault.exe
PID 772 wrote to memory of 1496	772	rundll32.exe	WerFault.exe
PID 772 wrote to memory of 1496	772	rundll32.exe	WerFault.exe
PID 772 wrote to memory of 1496	772	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6_System.Data.Services.Client.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6_System.Data.Services.Client.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 252
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1496

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-55-0x0000000000000000-mapping.dmp

Download
memory/772-56-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/772-57-0x0000000074960000-0x000000007498F000-memory.dmp

Filesize
188KB

Download
memory/772-60-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/1496-59-0x0000000000000000-mapping.dmp

Download
memory/1496-61-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download