dridex | edab7c43f27e58e898ecfa5e10cc600f459e89996fa6a5b87901f67fcb4ace8a

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

741155854786e7c4184a20f7f58cc34e.dll
Size

184KB
MD5

741155854786e7c4184a20f7f58cc34e
SHA1

2ef218a4a8b622a49b747b8c29cf8ac7fe28bb6f
SHA256

edab7c43f27e58e898ecfa5e10cc600f459e89996fa6a5b87901f67fcb4ace8a
SHA512

0ad4afe3cf592cbd8e711e29ede83d34ee4596d38192e88d50b05fdf1a10bfdaa7eddf650ee70cb38797d88b1d92839a8a4c242810597c9922b7dc9652fed02f
SSDEEP

3072:LgkQz1PuOprc+kq6VNOe3qbarVEpZlcbBacS9nOdgjdA4l:OPFkq6zOe5ilSanOYd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.75.201.2:443

158.223.1.108:6225

165.22.28.242:4664

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral2/memory/3600-1-0x00000000753D0000-0x0000000075400000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
920	3600	WerFault.exe	88

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3600	404	rundll32.exe	88
PID 404 wrote to memory of 3600	404	rundll32.exe	88
PID 404 wrote to memory of 3600	404	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\741155854786e7c4184a20f7f58cc34e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\741155854786e7c4184a20f7f58cc34e.dll,#1
  2⤵
  PID:3600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 616
    3⤵
    - Program crash
    PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3600 -ip 3600
1⤵
PID:4284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3600-0-0x0000000001540000-0x0000000001546000-memory.dmp

Filesize
24KB

Download
memory/3600-1-0x00000000753D0000-0x0000000075400000-memory.dmp

Filesize
192KB

Download
memory/3600-3-0x0000000001540000-0x0000000001546000-memory.dmp

Filesize
24KB

Download