dridex | 16f4fa5968f86bbfdb94ba56fea46f8a0825750c16e024062515515e5f5c2109

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0450b1e3a5837d47187e40f2600ffa.dll
Size

188KB
MD5

3b0450b1e3a5837d47187e40f2600ffa
SHA1

7b2e9842258eb2eb8f6ba0addf9e4cf2406a5516
SHA256

16f4fa5968f86bbfdb94ba56fea46f8a0825750c16e024062515515e5f5c2109
SHA512

0b0ab9751bd2dff29b379558c59a8ae8865389dc22fc717a5906ad5faa0e50667cb19cbbdfb9a0afecc46086bc3d05c77ed18fe34ba92b1182c9280b0d63a031
SSDEEP

3072:+A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoMo:+zIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral1/memory/2912-0-0x00000000751C0000-0x00000000751F0000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	2912	WerFault.exe	16

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2912	2824	rundll32.exe	16
PID 2824 wrote to memory of 2912	2824	rundll32.exe	16
PID 2824 wrote to memory of 2912	2824	rundll32.exe	16
PID 2824 wrote to memory of 2912	2824	rundll32.exe	16
PID 2824 wrote to memory of 2912	2824	rundll32.exe	16
PID 2824 wrote to memory of 2912	2824	rundll32.exe	16
PID 2824 wrote to memory of 2912	2824	rundll32.exe	16
PID 2912 wrote to memory of 2932	2912	rundll32.exe	29
PID 2912 wrote to memory of 2932	2912	rundll32.exe	29
PID 2912 wrote to memory of 2932	2912	rundll32.exe	29
PID 2912 wrote to memory of 2932	2912	rundll32.exe	29

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b0450b1e3a5837d47187e40f2600ffa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 300
  2⤵
  - Program crash
  PID:2932

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b0450b1e3a5837d47187e40f2600ffa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2912-0-0x00000000751C0000-0x00000000751F0000-memory.dmp

Filesize
192KB

Download
memory/2912-2-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download