dridex | fa6aea596a04b6bd957babd156bbd40cafa2b0662390cc2fd30953fb48ec61fc

Analysis

max time kernel
39s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-06-2022 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ow571qp9x.dll
Size

476KB
MD5

edd5e7e742a9cf2c2b410d9208278042
SHA1

f1db2c4189850281f2fa163903750e7e549ee165
SHA256

fa6aea596a04b6bd957babd156bbd40cafa2b0662390cc2fd30953fb48ec61fc
SHA512

1c550da3d70359464b1082c93f76bad93aaa0bd059d6d5c3a80bd5808352b68e3be34b6574ae5a569f54cdbb120619cbede08ebfbb7ba455482159d80b400b73

Score

10^/10

dridex 10444 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10444

23.246.204.126:443

151.106.39.36:8116

103.124.144.123:6891

172.105.78.60:4664

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1644-56-0x0000000074620000-0x0000000074699000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1140 1644 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1140	1644	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1480 wrote to memory of 1644	1480	rundll32.exe	rundll32.exe
PID 1480 wrote to memory of 1644	1480	rundll32.exe	rundll32.exe
PID 1480 wrote to memory of 1644	1480	rundll32.exe	rundll32.exe
PID 1480 wrote to memory of 1644	1480	rundll32.exe	rundll32.exe
PID 1480 wrote to memory of 1644	1480	rundll32.exe	rundll32.exe
PID 1480 wrote to memory of 1644	1480	rundll32.exe	rundll32.exe
PID 1480 wrote to memory of 1644	1480	rundll32.exe	rundll32.exe
PID 1644 wrote to memory of 1140	1644	rundll32.exe	WerFault.exe
PID 1644 wrote to memory of 1140	1644	rundll32.exe	WerFault.exe
PID 1644 wrote to memory of 1140	1644	rundll32.exe	WerFault.exe
PID 1644 wrote to memory of 1140	1644	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ow571qp9x.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ow571qp9x.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 344
3⤵
- Program crash
PID:1140

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-59-0x0000000000000000-mapping.dmp

Download
memory/1644-54-0x0000000000000000-mapping.dmp

Download
memory/1644-55-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1644-56-0x0000000074620000-0x0000000074699000-memory.dmp

Filesize
484KB

Download
memory/1644-58-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download