dridex | 16a1cdadc7b848ef3f557291f69889de040d20ecd5c750cea1e8ad1561fcd10c | Triage

Analysis

max time kernel
81s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 13:17

Sharing

Report Analysis Logs

General

Target

16a1cdadc7b848ef3f557291f69889de040d20ecd5c750cea1e8ad1561fcd10c.dll
Size

391KB
MD5

b685d1ae9a1038148e31396c43ab7498
SHA1

cba868c11941d356c6ad245efd2f3a6a0630cfc7
SHA256

16a1cdadc7b848ef3f557291f69889de040d20ecd5c750cea1e8ad1561fcd10c
SHA512

81ddd7fb4daa5bca490ec413fe07fa8b3349849d763aa21860b1b99de1ea1e71ae78f1f30c5f6e227ee81142211527d03d7ee5bdcb8968bb826ebeb00d0bb3ef

Score

10^/10

dridex 10555 botnet

Malware Config

Extracted

Family

dridex

Botnet

10555

C2

194.150.118.7:443

45.77.154.161:1688

45.56.127.75:49160

62.171.142.179:4664

rc4.plain

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4112 wrote to memory of 1792	4112	rundll32.exe	rundll32.exe
PID 4112 wrote to memory of 1792	4112	rundll32.exe	rundll32.exe
PID 4112 wrote to memory of 1792	4112	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16a1cdadc7b848ef3f557291f69889de040d20ecd5c750cea1e8ad1561fcd10c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16a1cdadc7b848ef3f557291f69889de040d20ecd5c750cea1e8ad1561fcd10c.dll,#1
2⤵
PID:1792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-130-0x0000000000000000-mapping.dmp

Download
memory/1792-131-0x00000000021A0000-0x00000000021DD000-memory.dmp

Filesize
244KB

Download
memory/1792-132-0x0000000002260000-0x000000000229D000-memory.dmp

Filesize
244KB

Download