dridex | 36330ee3c38ae53b19a77429e8b13c005735c93b764c0c195ee8fa5da8668017

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dffb4d62fbc51e0908bd909733ec293.dll
Size

174KB
MD5

7dffb4d62fbc51e0908bd909733ec293
SHA1

fecfcac87bb791163ed48f7882263bd8a6654dc8
SHA256

36330ee3c38ae53b19a77429e8b13c005735c93b764c0c195ee8fa5da8668017
SHA512

bc8d2aa03a4664ed94c704ec61f62c3a1f3cc019dccbd38b51ea101401916b8d45542704bfea49f8fb798b861421a07949c1afe69218508920d6204702128c0c
SSDEEP

3072:ZolIRLWS5rOfQ326KRrXV2h2+lMNnTZuFw7Qz+Bf1QmeQmuv5K0N+VbU:+lIRLW1m27rXVs2+SNnTZrUz+B9vpvXN

Score

10^/10

dridex 22202 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22202

46.55.222.10:443

104.248.178.90:4664

173.212.243.155:7002

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral1/memory/2320-0-0x0000000075300000-0x0000000075330000-memory.dmp	dridex_ldr
behavioral1/memory/2320-2-0x0000000075300000-0x0000000075330000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1640	2320	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2320	2256	rundll32.exe	28
PID 2256 wrote to memory of 2320	2256	rundll32.exe	28
PID 2256 wrote to memory of 2320	2256	rundll32.exe	28
PID 2256 wrote to memory of 2320	2256	rundll32.exe	28
PID 2256 wrote to memory of 2320	2256	rundll32.exe	28
PID 2256 wrote to memory of 2320	2256	rundll32.exe	28
PID 2256 wrote to memory of 2320	2256	rundll32.exe	28
PID 2320 wrote to memory of 1640	2320	rundll32.exe	29
PID 2320 wrote to memory of 1640	2320	rundll32.exe	29
PID 2320 wrote to memory of 1640	2320	rundll32.exe	29
PID 2320 wrote to memory of 1640	2320	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dffb4d62fbc51e0908bd909733ec293.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dffb4d62fbc51e0908bd909733ec293.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 224
    3⤵
    - Program crash
    PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2320-0-0x0000000075300000-0x0000000075330000-memory.dmp

Filesize
192KB

Download
memory/2320-1-0x0000000000160000-0x0000000000166000-memory.dmp

Filesize
24KB

Download
memory/2320-2-0x0000000075300000-0x0000000075330000-memory.dmp

Filesize
192KB

Download