dridex | 9be19f07e2a06af1c622c9c6b7f139b4328f6baf971a7964844447bcff7e1814

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-06-2022 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZKMEkleQqDEiaJkkklgbtq.dll
Size

512KB
MD5

2af8d90b7f3fac6170869de920b2df72
SHA1

7376431005032f186e6c6909e31c1399a6c171d5
SHA256

9be19f07e2a06af1c622c9c6b7f139b4328f6baf971a7964844447bcff7e1814
SHA512

c58941f4e5634ffb913d15d97e8b869e1e365fed5d408ecf73c0539f00a25c4ea2959c11d819ccea71da855dbf83daf1b40d83d71d286f2ecb3b51cc2d01fee2

Score

10^/10

dridex 22203 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22203

51.159.52.196:443

134.209.247.135:6602

194.233.68.48:5228

89.31.56.58:593

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/904-56-0x0000000074D50000-0x0000000074DD1000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

956 904 WerFault.exe rundll32.exe

pid	pid_target	process	target process
956	904	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1320 wrote to memory of 904	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 904	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 904	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 904	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 904	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 904	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 904	1320	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 956	904	rundll32.exe	WerFault.exe
PID 904 wrote to memory of 956	904	rundll32.exe	WerFault.exe
PID 904 wrote to memory of 956	904	rundll32.exe	WerFault.exe
PID 904 wrote to memory of 956	904	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZKMEkleQqDEiaJkkklgbtq.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZKMEkleQqDEiaJkkklgbtq.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 300
3⤵
- Program crash
PID:956

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-54-0x0000000000000000-mapping.dmp

Download
memory/904-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/904-56-0x0000000074D50000-0x0000000074DD1000-memory.dmp

Filesize
516KB

Download
memory/904-59-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/956-58-0x0000000000000000-mapping.dmp

Download