dridex | 019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528

Analysis

max time kernel
121s
max time network
124s
platform
windows10_x64
resource
win10-en-20211208
submitted
31-12-2021 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528.dll
Size

512KB
MD5

e21ad7f48cf6448cb847a955b511374e
SHA1

046cae3fb14e2c40d13fba3c03a0e71c52b1ff4c
SHA256

019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528
SHA512

4775e1dc2de8d00407ba010a21d51bda9a96a988978710350993ba0d480d91d0d066c8a42ead823fd7f7e45b758b9f197a394018965f0f159bb662d408c4408b

Score

10^/10

dridex 22203 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22203

51.159.52.196:443

134.209.247.135:6602

194.233.68.48:5228

89.31.56.58:593

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2776-116-0x0000000073C30000-0x0000000073CB1000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3340 2776 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3340	2776	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3340 WerFault.exe
Token: SeBackupPrivilege 3340 WerFault.exe
Token: SeDebugPrivilege 3340 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3340	WerFault.exe
Token: SeBackupPrivilege	3340	WerFault.exe
Token: SeDebugPrivilege	3340	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2728 wrote to memory of 2776	2728	rundll32.exe	rundll32.exe
PID 2728 wrote to memory of 2776	2728	rundll32.exe	rundll32.exe
PID 2728 wrote to memory of 2776	2728	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528.dll,#1
2⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 684
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2776-115-0x0000000000000000-mapping.dmp

Download
memory/2776-116-0x0000000073C30000-0x0000000073CB1000-memory.dmp

Filesize
516KB

Download
memory/2776-118-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download