dridex | fa6aea596a04b6bd957babd156bbd40cafa2b0662390cc2fd30953fb48ec61fc

Analysis

Target

ow571qp9x.dll
Size

476KB
MD5

edd5e7e742a9cf2c2b410d9208278042
SHA1

f1db2c4189850281f2fa163903750e7e549ee165
SHA256

fa6aea596a04b6bd957babd156bbd40cafa2b0662390cc2fd30953fb48ec61fc
SHA512

1c550da3d70359464b1082c93f76bad93aaa0bd059d6d5c3a80bd5808352b68e3be34b6574ae5a569f54cdbb120619cbede08ebfbb7ba455482159d80b400b73

Score

10^/10

Family

dridex

Botnet

10444

23.246.204.126:443

151.106.39.36:8116

103.124.144.123:6891

172.105.78.60:4664

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/1460-56-0x0000000074DF0000-0x0000000074E69000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

112 1460 WerFault.exe rundll32.exe

pid	pid_target	process	target process
112	1460	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 748 wrote to memory of 1460	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1460	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1460	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1460	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1460	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1460	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1460	748	rundll32.exe	rundll32.exe
PID 1460 wrote to memory of 112	1460	rundll32.exe	WerFault.exe
PID 1460 wrote to memory of 112	1460	rundll32.exe	WerFault.exe
PID 1460 wrote to memory of 112	1460	rundll32.exe	WerFault.exe
PID 1460 wrote to memory of 112	1460	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ow571qp9x.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ow571qp9x.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 344
3⤵
- Program crash
PID:112

memory/112-59-0x0000000000000000-mapping.dmp

Download
memory/1460-54-0x0000000000000000-mapping.dmp

Download
memory/1460-55-0x0000000076811000-0x0000000076813000-memory.dmp

Filesize
8KB

Download
memory/1460-56-0x0000000074DF0000-0x0000000074E69000-memory.dmp

Filesize
484KB

Download
memory/1460-58-0x00000000000C0000-0x00000000000C6000-memory.dmp

Filesize
24KB

Download