Analysis
-
max time kernel
114s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-06-2022 06:19
General
-
Target
YPLRekkklgbtq.dll
-
Size
512KB
-
MD5
00f420f88d53dca440288d6ff4958124
-
SHA1
df18658f05cb9b0331b36ffbc6738a3bf86b7904
-
SHA256
99b02ee3c8256eb95c745119609a976ced1d887e6475f6bd3768fb9711e75554
-
SHA512
cbd3f2a60a51a8139837e3f0c2f5193d5e58a1e04e1aa0c7ee74a722e6e2f4fc75ed4f5d0e069eff96a42fc11483d0ed42781a9f443d58fa75d9f179395bbf98
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
22203
C2
51.159.52.196:443
134.209.247.135:6602
194.233.68.48:5228
89.31.56.58:593
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\YPLRekkklgbtq.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\YPLRekkklgbtq.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 6563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2772 -ip 27721⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2772-130-0x0000000000000000-mapping.dmp
-
memory/2772-131-0x0000000074BC0000-0x0000000074C41000-memory.dmpFilesize
516KB
-
memory/2772-133-0x00000000006C0000-0x00000000006C6000-memory.dmpFilesize
24KB