dridex | e023351c103b63084b21d7d0051001caab0643fc7b39f2a5b168c5e923af6430

Analysis

Target

be5c2a86e8203b713825079b800b6d7c.dll
Size

476KB
MD5

be5c2a86e8203b713825079b800b6d7c
SHA1

3394ed014d307d5e8258bcac2dc7136900f42b66
SHA256

e023351c103b63084b21d7d0051001caab0643fc7b39f2a5b168c5e923af6430
SHA512

f599d4d00e3bc84dd103809acf93428b9568abe85a9ca106e34f112bbf9b012bf9355ee47e395187afbb0145ff2480acd472597bee6f3856ee744b7f22a7d6ad

Score

10^/10

Family

dridex

Botnet

10444

23.246.204.126:443

151.106.39.36:8116

103.124.144.123:6891

172.105.78.60:4664

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

resource	yara_rule
behavioral1/memory/1136-57-0x0000000075050000-0x00000000750C9000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
276	1136	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
276	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 1136	572	rundll32.exe	28
PID 572 wrote to memory of 1136	572	rundll32.exe	28
PID 572 wrote to memory of 1136	572	rundll32.exe	28
PID 572 wrote to memory of 1136	572	rundll32.exe	28
PID 572 wrote to memory of 1136	572	rundll32.exe	28
PID 572 wrote to memory of 1136	572	rundll32.exe	28
PID 572 wrote to memory of 1136	572	rundll32.exe	28
PID 1136 wrote to memory of 276	1136	rundll32.exe	29
PID 1136 wrote to memory of 276	1136	rundll32.exe	29
PID 1136 wrote to memory of 276	1136	rundll32.exe	29
PID 1136 wrote to memory of 276	1136	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be5c2a86e8203b713825079b800b6d7c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\be5c2a86e8203b713825079b800b6d7c.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 344
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:276

memory/276-62-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1136-56-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1136-57-0x0000000075050000-0x00000000750C9000-memory.dmp

Filesize
484KB

Download
memory/1136-61-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download