dridex | 9a6b8921a9d015f0d9d5787b6c5deea2aaec7102a2069ea1b31698da91bb5c49

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c5bb8b12a65098b81b0bfa93b32739f.dll
Size

188KB
MD5

3c5bb8b12a65098b81b0bfa93b32739f
SHA1

ea6784b62ff77fe1b63ea7c3e770d4d1b82cbac2
SHA256

9a6b8921a9d015f0d9d5787b6c5deea2aaec7102a2069ea1b31698da91bb5c49
SHA512

ee95d8d988fb6e166fe32aa029f98df17aa6f33b8a13894502a0baa267943a9a4d10ffb8ff30dc45bcd5d8d364649a6fe9105fc28a6edb82e9fbf360d41d68c9
SSDEEP

3072:UA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAo/o:UzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral1/memory/2152-0-0x0000000074FE0000-0x0000000075010000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	2152	WerFault.exe	16

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2152	2196	rundll32.exe	16
PID 2196 wrote to memory of 2152	2196	rundll32.exe	16
PID 2196 wrote to memory of 2152	2196	rundll32.exe	16
PID 2196 wrote to memory of 2152	2196	rundll32.exe	16
PID 2196 wrote to memory of 2152	2196	rundll32.exe	16
PID 2196 wrote to memory of 2152	2196	rundll32.exe	16
PID 2196 wrote to memory of 2152	2196	rundll32.exe	16
PID 2152 wrote to memory of 2144	2152	rundll32.exe	29
PID 2152 wrote to memory of 2144	2152	rundll32.exe	29
PID 2152 wrote to memory of 2144	2152	rundll32.exe	29
PID 2152 wrote to memory of 2144	2152	rundll32.exe	29

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c5bb8b12a65098b81b0bfa93b32739f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 300
  2⤵
  - Program crash
  PID:2144

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c5bb8b12a65098b81b0bfa93b32739f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2152-2-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/2152-0-0x0000000074FE0000-0x0000000075010000-memory.dmp

Filesize
192KB

Download