dridex | 9821c69b65ad19be7bc96581caa4ae5f17c3f639f6b8d523adb90790b03c8e61

Analysis

max time kernel
141s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d66304251f3407d1840065b40662280acc909c3972fb93f99fa07a47c3221b77.dll
Size

492KB
MD5

b07b51f2aaec02e2b4200e028a726442
SHA1

fb3d5e9fc43aea2f11748a7ea214b0f95e61a7bd
SHA256

d66304251f3407d1840065b40662280acc909c3972fb93f99fa07a47c3221b77
SHA512

d9295f4550b8a71f2e7cd66e983620e2c4974c27fc60bfa49bda76de31ae74a05a889c8c6f5c2d93a1faeb4c2f0318ff0e778a6291bbc9bbf283e5106f50a51e
SSDEEP

12288:zlJId4XKBKjWgm1dLnROcuDgxrPwTPwf5w3Nw9PAv:z/uMGtnRzx0sK2iv

Score

10^/10

dridex 22202 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22202

51.83.47.27:443

82.98.180.154:6602

159.65.88.10:4664

91.121.146.47:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2012-54-0x0000000074D90000-0x0000000074E0D000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

920 2012 WerFault.exe rundll32.exe

pid	pid_target	process	target process
920	2012	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1696 wrote to memory of 2012	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 2012	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 2012	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 2012	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 2012	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 2012	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 2012	1696	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 920	2012	rundll32.exe	WerFault.exe
PID 2012 wrote to memory of 920	2012	rundll32.exe	WerFault.exe
PID 2012 wrote to memory of 920	2012	rundll32.exe	WerFault.exe
PID 2012 wrote to memory of 920	2012	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d66304251f3407d1840065b40662280acc909c3972fb93f99fa07a47c3221b77.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d66304251f3407d1840065b40662280acc909c3972fb93f99fa07a47c3221b77.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 324
3⤵
- Program crash
PID:920

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-54-0x0000000074D90000-0x0000000074E0D000-memory.dmp

Filesize
500KB

Download
memory/2012-55-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download