dridex | 68843237aa3cfac06e0efd55e445a0197ddb119bca4e7ffc0ae6abf8861fa428

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 13:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aca8927996a4d591c16162b84a4a09ca.dll
Size

184KB
MD5

aca8927996a4d591c16162b84a4a09ca
SHA1

1530f49b6675ab7a84a1d50a8e5e9113acc29802
SHA256

68843237aa3cfac06e0efd55e445a0197ddb119bca4e7ffc0ae6abf8861fa428
SHA512

7e8085376e13be16b30d84de7de5f45879bbe5ed9ab4e104a5b112bcf8793133ef5d69699674cf74902463e06be8a4eb3c8dac354757858fbb12f15e03206ce2
SSDEEP

3072:ngkQz1PuOprc+kq6VNOe3qbarVEpZlcbBacS9nOdgpdA4l:iPFkq6zOe5ilSanOWd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.75.201.2:443

158.223.1.108:6225

165.22.28.242:4664

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral1/memory/2928-0-0x0000000074DC0000-0x0000000074DF0000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3004	2928	WerFault.exe	16

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2928	2924	rundll32.exe	16
PID 2924 wrote to memory of 2928	2924	rundll32.exe	16
PID 2924 wrote to memory of 2928	2924	rundll32.exe	16
PID 2924 wrote to memory of 2928	2924	rundll32.exe	16
PID 2924 wrote to memory of 2928	2924	rundll32.exe	16
PID 2924 wrote to memory of 2928	2924	rundll32.exe	16
PID 2924 wrote to memory of 2928	2924	rundll32.exe	16
PID 2928 wrote to memory of 3004	2928	rundll32.exe	29
PID 2928 wrote to memory of 3004	2928	rundll32.exe	29
PID 2928 wrote to memory of 3004	2928	rundll32.exe	29
PID 2928 wrote to memory of 3004	2928	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aca8927996a4d591c16162b84a4a09ca.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aca8927996a4d591c16162b84a4a09ca.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 220
    3⤵
    - Program crash
    PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-0-0x0000000074DC0000-0x0000000074DF0000-memory.dmp

Filesize
192KB

Download
memory/2928-2-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download