dridex | b18028ac07b48288dd041e9b3e29f4fd459f70b8a3e4ca81d37aee68a9711115

Analysis

max time kernel
44s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b18028ac07b48288dd041e9b3e29f4fd459f70b8a3e4ca81d37aee68a9711115.dll
Size

312KB
MD5

1ce34090fcf71f9238fd09c5e8e1812b
SHA1

cb64a6a8f52e7aec11cba5828622823b0ea09013
SHA256

b18028ac07b48288dd041e9b3e29f4fd459f70b8a3e4ca81d37aee68a9711115
SHA512

685e9879ec156c3b8c3ae9aca2d9deda0fdc31f64f9c59e609fac3896bff3ba976684c3e6423137c5c55be318bca087b60e3e04859ade5934ef349bbf39759e4

Score

10^/10

dridex botnet loader

Malware Config

Extracted

Family

dridex

194.99.22.193:443

178.63.67.20:691

75.127.14.171:3389

134.213.221.29:8443

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 3 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1092-57-0x00000000733F0000-0x0000000073411000-memory.dmp	dridex_ldr
behavioral1/memory/1092-58-0x00000000733F0000-0x0000000073D53000-memory.dmp	dridex_ldr
behavioral1/memory/1092-61-0x00000000733F0000-0x0000000073D53000-memory.dmp	dridex_ldr

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2008 wrote to memory of 1092	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1092	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1092	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1092	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1092	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1092	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1092	2008	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b18028ac07b48288dd041e9b3e29f4fd459f70b8a3e4ca81d37aee68a9711115.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b18028ac07b48288dd041e9b3e29f4fd459f70b8a3e4ca81d37aee68a9711115.dll,#1
2⤵
PID:1092

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-54-0x0000000000000000-mapping.dmp

Download
memory/1092-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1092-56-0x00000000733F0000-0x0000000073D53000-memory.dmp

Filesize
9.4MB

Download
memory/1092-57-0x00000000733F0000-0x0000000073411000-memory.dmp

Filesize
132KB

Download
memory/1092-58-0x00000000733F0000-0x0000000073D53000-memory.dmp

Filesize
9.4MB

Download
memory/1092-59-0x00000000733F0000-0x0000000073D53000-memory.dmp

Filesize
9.4MB

Download
memory/1092-61-0x00000000733F0000-0x0000000073D53000-memory.dmp

Filesize
9.4MB

Download