dridex | 83c390d82e19beec14d007b7350f4296c23ce9b3d131a3670ebb7424ad917410

Analysis

Target

rc62n0.dll
Size

500KB
MD5

06888708e24aa2bad5f12b668063e0d8
SHA1

ccdd7e12587ce16013fe5cbf5b3ac7ba9c7bd910
SHA256

83c390d82e19beec14d007b7350f4296c23ce9b3d131a3670ebb7424ad917410
SHA512

12a2306584678b9d39211945e162cc6af2ee12d6a82fec9e743f86f3d4b849086f50bd834dbc9cbb770d3ff0ec0aee027e63e67353552690bbb896c3cb57f1e2

Score

10^/10

dridex 10444 botnet

Family

dridex

Botnet

10444

162.241.44.26:9443

192.232.229.53:4443

77.220.64.34:443

193.90.12.121:3098

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1100 wrote to memory of 1836	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1836	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1836	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1836	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1836	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1836	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1836	1100	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\rc62n0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\rc62n0.dll
2⤵
PID:1836

memory/1100-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1836-55-0x0000000000000000-mapping.dmp

Download
memory/1836-56-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1836-57-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1836-58-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/1836-60-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download