dridex | af8cc3de3c7c149a1f8e0d5d7530762cf75754547866f2da550f2d350ec315c7

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-01-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ac4d91bc412bcaa719b91ee5a63c33b.dll
Size

184KB
MD5

6ac4d91bc412bcaa719b91ee5a63c33b
SHA1

ea6810f38b109606d1661296118f7f68fa6432ac
SHA256

af8cc3de3c7c149a1f8e0d5d7530762cf75754547866f2da550f2d350ec315c7
SHA512

125778d3d38c1f0ac65e3eb26ffffc9f68d0402892ac0a3a93d81ef2489c7bdcf0ff8b42259ef1a505fbc21de995a6d1c05645abdb66690b75ad6f13d8721ff6
SSDEEP

3072:QcYhzpn9z75jWpmrL3gA99hXkKsorn+AOr4RFjvaT:QcIntom33RDvn+RrOr

Score

10^/10

dridex 22203 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22203

137.74.112.43:443

216.108.227.55:6225

94.177.176.51:5723

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2124-0-0x0000000075150000-0x0000000075180000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2808 2124 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2808	2124	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2428 wrote to memory of 2124	2428	rundll32.exe	rundll32.exe
PID 2428 wrote to memory of 2124	2428	rundll32.exe	rundll32.exe
PID 2428 wrote to memory of 2124	2428	rundll32.exe	rundll32.exe
PID 2428 wrote to memory of 2124	2428	rundll32.exe	rundll32.exe
PID 2428 wrote to memory of 2124	2428	rundll32.exe	rundll32.exe
PID 2428 wrote to memory of 2124	2428	rundll32.exe	rundll32.exe
PID 2428 wrote to memory of 2124	2428	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 2808	2124	rundll32.exe	WerFault.exe
PID 2124 wrote to memory of 2808	2124	rundll32.exe	WerFault.exe
PID 2124 wrote to memory of 2808	2124	rundll32.exe	WerFault.exe
PID 2124 wrote to memory of 2808	2124	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac4d91bc412bcaa719b91ee5a63c33b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac4d91bc412bcaa719b91ee5a63c33b.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 220
3⤵
- Program crash
PID:2808

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-0-0x0000000075150000-0x0000000075180000-memory.dmp

Filesize
192KB

Download
memory/2124-2-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download