dridex | 0e16f533d18ae86ab8cadc43a44e9ff7fd6586658939b6c60d6ed9201c31f33a

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-06-2022 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s7yzrmv13.dll
Size

476KB
MD5

b9df50a14d692e7aac5cf697462379f0
SHA1

0ac013a74fa5f75313774fb1c5294a4e0b9a3a75
SHA256

0e16f533d18ae86ab8cadc43a44e9ff7fd6586658939b6c60d6ed9201c31f33a
SHA512

eeb54214a759e8daef83d0197495b6985db5f37a5a6d8ba3ab941157ded0c149eb6ae3ee930fe7ec5fd22aaee009d0a33c419a9557d4db53c1077c10cb070a9b

Score

10^/10

dridex 10444 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10444

23.246.204.126:443

151.106.39.36:8116

103.124.144.123:6891

172.105.78.60:4664

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1700-56-0x0000000074D70000-0x0000000074DE9000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

952 1700 WerFault.exe rundll32.exe

pid	pid_target	process	target process
952	1700	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1564 wrote to memory of 1700	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1700	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1700	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1700	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1700	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1700	1564	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 1700	1564	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 952	1700	rundll32.exe	WerFault.exe
PID 1700 wrote to memory of 952	1700	rundll32.exe	WerFault.exe
PID 1700 wrote to memory of 952	1700	rundll32.exe	WerFault.exe
PID 1700 wrote to memory of 952	1700	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\s7yzrmv13.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\s7yzrmv13.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 344
3⤵
- Program crash
PID:952

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-58-0x0000000000000000-mapping.dmp

Download
memory/1700-54-0x0000000000000000-mapping.dmp

Download
memory/1700-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1700-56-0x0000000074D70000-0x0000000074DE9000-memory.dmp

Filesize
484KB

Download
memory/1700-59-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download