dridex | 176d3e38c6782bf313d6d5f23a14f2e7692181ee50a7b2a2b130caae82e46148

Analysis

Target

HLYbnfSQpxkkklgbtq.dll
Size

512KB
MD5

cc810495ba0d64d3b6081d6006607bc2
SHA1

1aee22f98f546977d0df7c36e8c583915d003a6c
SHA256

176d3e38c6782bf313d6d5f23a14f2e7692181ee50a7b2a2b130caae82e46148
SHA512

edbea012640ef80b2430946321e6a62ee5b907df7f28deb23a43b64f0b6833e3efbcb100ce1400fef2aa4d37881f0365962c0846171c2af92f2fccf17c4f2410

Score

10^/10

Family

dridex

Botnet

22203

51.159.52.196:443

134.209.247.135:6602

194.233.68.48:5228

89.31.56.58:593

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/1492-56-0x0000000075000000-0x0000000075081000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1128 1492 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1128	1492	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1668 wrote to memory of 1492	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1492	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1492	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1492	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1492	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1492	1668	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1492	1668	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1128	1492	rundll32.exe	WerFault.exe
PID 1492 wrote to memory of 1128	1492	rundll32.exe	WerFault.exe
PID 1492 wrote to memory of 1128	1492	rundll32.exe	WerFault.exe
PID 1492 wrote to memory of 1128	1492	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HLYbnfSQpxkkklgbtq.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HLYbnfSQpxkkklgbtq.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 300
3⤵
- Program crash
PID:1128

memory/1128-58-0x0000000000000000-mapping.dmp

Download
memory/1492-54-0x0000000000000000-mapping.dmp

Download
memory/1492-55-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1492-56-0x0000000075000000-0x0000000075081000-memory.dmp

Filesize
516KB

Download
memory/1492-59-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download