dridex | 7a77b516c563c8bbe904af3b90cfb89148b879b807aa34d93be3b1a2eb93a016

Analysis

max time kernel
128s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2022 05:10

Target

fn58ds.dll
Size

725KB
MD5

aa7ad8fdea021577637b6e0520046686
SHA1

f847d66c48d910ec01127d5e188ceaf4919d418f
SHA256

7a77b516c563c8bbe904af3b90cfb89148b879b807aa34d93be3b1a2eb93a016
SHA512

cd0744f471cbf9fa880ed16dc6d56a55a683f8d85fd5988f6532280c054200a8d83304a4e43d9801325925b81d4532d1cd25a5ec8c476159dc1c53049b9d5e9f

Score

10^/10

Family

dridex

Botnet

10444

146.164.126.197:443

69.16.193.166:9443

193.90.12.122:3098

157.245.103.132:14043

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 'dmod' strings 1 IoCs

Detects 'dmod' strings in Dridex loader.

Processes:

resource	yara_rule
behavioral2/memory/4108-132-0x0000000000B30000-0x0000000000B6A000-memory.dmp	dridex_ldr_dmod

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2064 wrote to memory of 4108	2064	rundll32.exe	rundll32.exe
PID 2064 wrote to memory of 4108	2064	rundll32.exe	rundll32.exe
PID 2064 wrote to memory of 4108	2064	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fn58ds.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fn58ds.dll,#1
2⤵
PID:4108

memory/4108-130-0x0000000000000000-mapping.dmp

Download
memory/4108-131-0x0000000000950000-0x000000000099B000-memory.dmp

Filesize
300KB

Download
memory/4108-132-0x0000000000B30000-0x0000000000B6A000-memory.dmp

Filesize
232KB

Download