Analysis

  • max time kernel
    144s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-06-2022 16:51

General

  • Target

    OfaKFkkklgbtq.dll

  • Size

    512KB

  • MD5

    3e17c7d3afa01e26d7f56215da2472ed

  • SHA1

    0195707de8e8b383c779e898b346cd8612ead5bb

  • SHA256

    5dc64df3cca54165dc493a27a09243962a8c52c3f2a4118b24f620914f2a9f38

  • SHA512

    d555c9a761213492af7bdf1eb3ec37191715f40c23a3e2f3883c117c719c77c680b7e1550c689d04bd371656327e3d74c16ac0487d388c84c265879063182834

Malware Config

Extracted

Family

dridex

Botnet

22203

C2

51.159.52.196:443

134.209.247.135:6602

194.233.68.48:5228

89.31.56.58:593

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\OfaKFkkklgbtq.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:984
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\OfaKFkkklgbtq.dll,#1
      2⤵
        PID:1160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 652
          3⤵
          • Program crash
          PID:4996
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1160 -ip 1160
      1⤵
        PID:1968

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1160-131-0x0000000000000000-mapping.dmp

      • memory/1160-132-0x0000000074EC0000-0x0000000074F41000-memory.dmp

        Filesize

        516KB

      • memory/1160-134-0x00000000013F0000-0x00000000013F6000-memory.dmp

        Filesize

        24KB