dridex | b3f2455dbdfadfdb76026bff37d4180f90b8dcfed7ce84043e2fcef4ae33b5e1

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-06-2022 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ilfwuakkklgbtq.dll
Size

512KB
MD5

27f58c2668429c235febd5c29f758476
SHA1

0fff55d66836ecf56fd32036bb0bfb841dd4d66d
SHA256

b3f2455dbdfadfdb76026bff37d4180f90b8dcfed7ce84043e2fcef4ae33b5e1
SHA512

a0ed29de49dda034b27e73345b5e1dee59e6c965637726afabef72432450f4bd3ebed8bcd3983807d5cc07ce9899cc28e379223f7693620ef0fff17c9e38a94b

Score

10^/10

dridex 22203 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22203

51.159.52.196:443

134.209.247.135:6602

194.233.68.48:5228

89.31.56.58:593

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1948-56-0x00000000746D0000-0x0000000074751000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1968 1948 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1968	1948	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1948	1668	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1968	1948	rundll32.exe	WerFault.exe
PID 1948 wrote to memory of 1968	1948	rundll32.exe	WerFault.exe
PID 1948 wrote to memory of 1968	1948	rundll32.exe	WerFault.exe
PID 1948 wrote to memory of 1968	1948	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ilfwuakkklgbtq.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ilfwuakkklgbtq.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 300
3⤵
- Program crash
PID:1968

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-54-0x0000000000000000-mapping.dmp

Download
memory/1948-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x00000000746D0000-0x0000000074751000-memory.dmp

Filesize
516KB

Download
memory/1948-59-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/1968-58-0x0000000000000000-mapping.dmp

Download