Analysis
-
max time kernel
98s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-06-2022 05:50
General
-
Target
OfaKFkkklgbtq.dll
-
Size
512KB
-
MD5
3e17c7d3afa01e26d7f56215da2472ed
-
SHA1
0195707de8e8b383c779e898b346cd8612ead5bb
-
SHA256
5dc64df3cca54165dc493a27a09243962a8c52c3f2a4118b24f620914f2a9f38
-
SHA512
d555c9a761213492af7bdf1eb3ec37191715f40c23a3e2f3883c117c719c77c680b7e1550c689d04bd371656327e3d74c16ac0487d388c84c265879063182834
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
22203
C2
51.159.52.196:443
134.209.247.135:6602
194.233.68.48:5228
89.31.56.58:593
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\OfaKFkkklgbtq.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\OfaKFkkklgbtq.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 6523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4536 -ip 45361⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4536-130-0x0000000000000000-mapping.dmp
-
memory/4536-131-0x0000000074F60000-0x0000000074FE1000-memory.dmpFilesize
516KB
-
memory/4536-133-0x00000000003E0000-0x00000000003E6000-memory.dmpFilesize
24KB