dridex | af8cc3de3c7c149a1f8e0d5d7530762cf75754547866f2da550f2d350ec315c7 | Triage

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 15:16

Sharing

Report Analysis Logs

General

Target

6ac4d91bc412bcaa719b91ee5a63c33b.dll
Size

184KB
MD5

6ac4d91bc412bcaa719b91ee5a63c33b
SHA1

ea6810f38b109606d1661296118f7f68fa6432ac
SHA256

af8cc3de3c7c149a1f8e0d5d7530762cf75754547866f2da550f2d350ec315c7
SHA512

125778d3d38c1f0ac65e3eb26ffffc9f68d0402892ac0a3a93d81ef2489c7bdcf0ff8b42259ef1a505fbc21de995a6d1c05645abdb66690b75ad6f13d8721ff6
SSDEEP

3072:QcYhzpn9z75jWpmrL3gA99hXkKsorn+AOr4RFjvaT:QcIntom33RDvn+RrOr

Score

10^/10

dridex 22203 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22203

C2

137.74.112.43:443

216.108.227.55:6225

94.177.176.51:5723

rc4.plain

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/2312-1-0x0000000074B90000-0x0000000074BC0000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2408 2312 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2488 wrote to memory of 2312	2488	rundll32.exe	rundll32.exe
PID 2488 wrote to memory of 2312	2488	rundll32.exe	rundll32.exe
PID 2488 wrote to memory of 2312	2488	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac4d91bc412bcaa719b91ee5a63c33b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac4d91bc412bcaa719b91ee5a63c33b.dll,#1
2⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 612
3⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2312 -ip 2312
1⤵
PID:4908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2312-0-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download
memory/2312-1-0x0000000074B90000-0x0000000074BC0000-memory.dmp

Filesize
192KB

Download