dridex | 0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064

General

Target

0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064.dll
Size

538KB
MD5

d76d0aae2bc54602ebfce443aa4f06a3
SHA1

425b105cbe970b3d38212ebf06b233f61de7fdb9
SHA256

0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064
SHA512

262637fab6707b1d5d20aef6b51e172eb9b80a04ee5617a7aa556dd744f3f373b05af9b0d5729f9ed8e13eb019986cf75178741a70027c23bd62ced7a83fd4ef

Score

10^/10

dridex 10555 botnet

Malware Config

Extracted

Family

dridex

Botnet

10555

C2

169.255.216.36:443

138.201.138.91:3389

89.174.36.41:4643

87.106.89.36:3389

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Drops file in Windows directory 12 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT9DBE.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT9E9A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT8178.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT891B.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT960D.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT84C5.tmp	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1392 wrote to memory of 1424	1392	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1424	1392	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1424	1392	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064.dll,#1
2⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1424-134-0x0000000001190000-0x00000000011CD000-memory.dmp

Filesize
244KB

Download
memory/1424-135-0x0000000002A20000-0x0000000002A5D000-memory.dmp

Filesize
244KB

Download
memory/2352-136-0x000001DF48360000-0x000001DF48370000-memory.dmp

Filesize
64KB

Download
memory/2352-137-0x000001DF48C60000-0x000001DF48C70000-memory.dmp

Filesize
64KB

Download
memory/2352-138-0x000001DF48FD0000-0x000001DF48FD4000-memory.dmp

Filesize
16KB

Download
memory/2352-139-0x000001DF4B580000-0x000001DF4B584000-memory.dmp

Filesize
16KB

Download
memory/2352-140-0x000001DF4B580000-0x000001DF4B584000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing