dridex | 7319faf4a324a7aec6b898b06f822b59f24a2c702929a146908829c5ddccfe83

Analysis

Target

ApFhLhTicsyXRYxkkklgbtq.dll
Size

512KB
MD5

1eb320594f3068a85f3f207d46917950
SHA1

d10ca727d9113e25db4f26ae616af68ca9d2fc25
SHA256

7319faf4a324a7aec6b898b06f822b59f24a2c702929a146908829c5ddccfe83
SHA512

ceb958e62039725b1a47bf07fcc65ffe37024a975515acffe2b022998e3531facf452147da61dd33d3c76bd63b1ce0b3da399e511336a05a11963e1083c13850

Score

10^/10

Family

dridex

Botnet

22203

51.159.52.196:443

134.209.247.135:6602

194.233.68.48:5228

89.31.56.58:593

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/1632-56-0x0000000074650000-0x00000000746D1000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1424 1632 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1424	1632	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1972 wrote to memory of 1632	1972	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 1632	1972	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 1632	1972	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 1632	1972	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 1632	1972	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 1632	1972	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 1632	1972	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1424	1632	rundll32.exe	WerFault.exe
PID 1632 wrote to memory of 1424	1632	rundll32.exe	WerFault.exe
PID 1632 wrote to memory of 1424	1632	rundll32.exe	WerFault.exe
PID 1632 wrote to memory of 1424	1632	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ApFhLhTicsyXRYxkkklgbtq.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ApFhLhTicsyXRYxkkklgbtq.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 300
3⤵
- Program crash
PID:1424

memory/1424-58-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000000000000-mapping.dmp

Download
memory/1632-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1632-56-0x0000000074650000-0x00000000746D1000-memory.dmp

Filesize
516KB

Download
memory/1632-59-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download