dridex | 14cf7f5e94dba384b0e31ad0917b6825b9f9791625059cc8b3c0db43931c9cc9

Analysis

Target

jdfggo.dll
Size

328KB
MD5

6e6533fa01c0c32dac8c1cab8dc73dbc
SHA1

44c67e51fbeb6b0c8bc26cf7d21223403cac4215
SHA256

14cf7f5e94dba384b0e31ad0917b6825b9f9791625059cc8b3c0db43931c9cc9
SHA512

270bdf93dbd36c946fbc45020619c3ed31d46e659c7ff9d8cb28d9d713a30bb78e7d3d2fed4069a5420ecbea61d4cbeff44bd7d0b6afb6caeb43fb5ff12c8a24

Score

10^/10

Family

dridex

Botnet

10444

45.79.8.25:443

185.201.9.197:9443

217.160.78.166:4664

108.175.9.22:33443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 'dmod' strings 1 IoCs

Detects 'dmod' strings in Dridex loader.

Processes:

resource	yara_rule
behavioral2/memory/868-131-0x0000000074CF0000-0x0000000074D42000-memory.dmp	dridex_ldr_dmod

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1736 wrote to memory of 868	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 868	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 868	1736	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jdfggo.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jdfggo.dll,#1
2⤵
PID:868

memory/868-130-0x0000000000000000-mapping.dmp

Download
memory/868-131-0x0000000074CF0000-0x0000000074D42000-memory.dmp

Filesize
328KB

Download
memory/868-134-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download