dridex | 9a1a4ad36d0cea923e44d4fae1326ec2b4fd7b6a422731ec8c3264eb9077b33a

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f59d7d39073990f4fe6c3095a4cf307.dll
Size

188KB
MD5

7f59d7d39073990f4fe6c3095a4cf307
SHA1

d1f59e158d6220485c397762703863b5cd66b090
SHA256

9a1a4ad36d0cea923e44d4fae1326ec2b4fd7b6a422731ec8c3264eb9077b33a
SHA512

f0d9f96319d7d625ac49bf0c21bd0241f316d0c9b278017a882fbe50ba87cbbd3e08a5fac14158bdac7704bc3f821798b4d39b684395f0ae0f1cc4acd63094e7
SSDEEP

3072:PA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAovo:PzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral2/memory/3272-0-0x0000000075000000-0x0000000075030000-memory.dmp	dridex_ldr
behavioral2/memory/3272-2-0x0000000075000000-0x0000000075030000-memory.dmp	dridex_ldr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4180	3272	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3272	3056	rundll32.exe	83
PID 3056 wrote to memory of 3272	3056	rundll32.exe	83
PID 3056 wrote to memory of 3272	3056	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f59d7d39073990f4fe6c3095a4cf307.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f59d7d39073990f4fe6c3095a4cf307.dll,#1
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 688
    3⤵
    - Program crash
    PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3272 -ip 3272
1⤵
PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3272-0-0x0000000075000000-0x0000000075030000-memory.dmp

Filesize
192KB

Download
memory/3272-1-0x0000000001040000-0x0000000001046000-memory.dmp

Filesize
24KB

Download
memory/3272-2-0x0000000075000000-0x0000000075030000-memory.dmp

Filesize
192KB

Download