dridex | e023351c103b63084b21d7d0051001caab0643fc7b39f2a5b168c5e923af6430

Analysis

Target

be5c2a86e8203b713825079b800b6d7c.dll
Size

476KB
MD5

be5c2a86e8203b713825079b800b6d7c
SHA1

3394ed014d307d5e8258bcac2dc7136900f42b66
SHA256

e023351c103b63084b21d7d0051001caab0643fc7b39f2a5b168c5e923af6430
SHA512

f599d4d00e3bc84dd103809acf93428b9568abe85a9ca106e34f112bbf9b012bf9355ee47e395187afbb0145ff2480acd472597bee6f3856ee744b7f22a7d6ad

Score

10^/10

Family

dridex

Botnet

10444

23.246.204.126:443

151.106.39.36:8116

103.124.144.123:6891

172.105.78.60:4664

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

resource	yara_rule
behavioral2/memory/3020-116-0x00000000738E0000-0x0000000073959000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2996	3020	WerFault.exe	68

Suspicious behavior: EnumeratesProcesses 12 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3020	2708	rundll32.exe	68
PID 2708 wrote to memory of 3020	2708	rundll32.exe	68
PID 2708 wrote to memory of 3020	2708	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be5c2a86e8203b713825079b800b6d7c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\be5c2a86e8203b713825079b800b6d7c.dll,#1
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 728
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

memory/3020-116-0x00000000738E0000-0x0000000073959000-memory.dmp

Filesize
484KB

Download
memory/3020-118-0x0000000002C00000-0x0000000002D4A000-memory.dmp

Filesize
1.3MB

Download