dridex | 9a1a4ad36d0cea923e44d4fae1326ec2b4fd7b6a422731ec8c3264eb9077b33a

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f59d7d39073990f4fe6c3095a4cf307.dll
Size

188KB
MD5

7f59d7d39073990f4fe6c3095a4cf307
SHA1

d1f59e158d6220485c397762703863b5cd66b090
SHA256

9a1a4ad36d0cea923e44d4fae1326ec2b4fd7b6a422731ec8c3264eb9077b33a
SHA512

f0d9f96319d7d625ac49bf0c21bd0241f316d0c9b278017a882fbe50ba87cbbd3e08a5fac14158bdac7704bc3f821798b4d39b684395f0ae0f1cc4acd63094e7
SSDEEP

3072:PA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAovo:PzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral1/memory/2328-0-0x0000000075340000-0x0000000075370000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	2328	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2328	1032	rundll32.exe	28
PID 1032 wrote to memory of 2328	1032	rundll32.exe	28
PID 1032 wrote to memory of 2328	1032	rundll32.exe	28
PID 1032 wrote to memory of 2328	1032	rundll32.exe	28
PID 1032 wrote to memory of 2328	1032	rundll32.exe	28
PID 1032 wrote to memory of 2328	1032	rundll32.exe	28
PID 1032 wrote to memory of 2328	1032	rundll32.exe	28
PID 2328 wrote to memory of 2656	2328	rundll32.exe	31
PID 2328 wrote to memory of 2656	2328	rundll32.exe	31
PID 2328 wrote to memory of 2656	2328	rundll32.exe	31
PID 2328 wrote to memory of 2656	2328	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f59d7d39073990f4fe6c3095a4cf307.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f59d7d39073990f4fe6c3095a4cf307.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 308
    3⤵
    - Program crash
    PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2328-0-0x0000000075340000-0x0000000075370000-memory.dmp

Filesize
192KB

Download
memory/2328-1-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download