dridex | b98be8d2e7d160dacbd6cf682aa3fa9f0a0a68ae2d0f89b25376519f0883e495

Analysis

Target

wisr1qas.dll
Size

476KB
MD5

f7703084b13482c646f3851e18d8951a
SHA1

939ff0c3db869fa5656b6905f824fdb69050e43c
SHA256

b98be8d2e7d160dacbd6cf682aa3fa9f0a0a68ae2d0f89b25376519f0883e495
SHA512

1c9e8a129bf0a634582343f14283d5bf152adc58f51230bf288482f49c5605c62b320ae1577571faf039a2b6c070985c251fa0f4a804e1dc98e287f087273498

Score

10^/10

Family

dridex

Botnet

10444

23.246.204.126:443

151.106.39.36:8116

103.124.144.123:6891

172.105.78.60:4664

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/4456-132-0x0000000075630000-0x00000000756A9000-memory.dmp	dridex_ldr

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

388 4456 WerFault.exe rundll32.exe
2176 4456 WerFault.exe rundll32.exe

pid	pid_target	process	target process
388	4456	WerFault.exe	rundll32.exe
2176	4456	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3980 wrote to memory of 4456	3980	rundll32.exe	rundll32.exe
PID 3980 wrote to memory of 4456	3980	rundll32.exe	rundll32.exe
PID 3980 wrote to memory of 4456	3980	rundll32.exe	rundll32.exe
PID 4456 wrote to memory of 388	4456	rundll32.exe	WerFault.exe
PID 4456 wrote to memory of 388	4456	rundll32.exe	WerFault.exe
PID 4456 wrote to memory of 388	4456	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\wisr1qas.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\wisr1qas.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 700
3⤵
- Program crash
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 700
3⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4456 -ip 4456
1⤵
PID:528

memory/388-135-0x0000000000000000-mapping.dmp

Download
memory/4456-130-0x0000000000000000-mapping.dmp

Download
memory/4456-131-0x0000000002E70000-0x0000000002E76000-memory.dmp

Filesize
24KB

Download
memory/4456-132-0x0000000075630000-0x00000000756A9000-memory.dmp

Filesize
484KB

Download
memory/4456-134-0x0000000002E70000-0x0000000002E76000-memory.dmp

Filesize
24KB

Download