Analysis

  • max time kernel
    141s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2024, 14:36

General

  • Target

    8c94384f909a7c116ef7a8445b8da93e.dll

  • Size

    188KB

  • MD5

    8c94384f909a7c116ef7a8445b8da93e

  • SHA1

    0d6d5a8520f4750274966cdfce5fd7724fb0365a

  • SHA256

    2dfac9e680722bd56ac2cae9cf8a514a55dc36e63a0cc87c74631f280257a580

  • SHA512

    8356fd5a85d52ecbaa36697556706526b2bdf1d3b40f835826e0a7476202f4ed13c9871dec8ce4be08dd9be22d7dd64264807f8b9a5cd5ff60f7ba052368d904

  • SSDEEP

    3072:dA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoro:dzIqATVfQeV2FZalKq6jtGJWuTmd

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c94384f909a7c116ef7a8445b8da93e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c94384f909a7c116ef7a8445b8da93e.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 300
        3⤵
        • Program crash
        PID:2992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1660-0-0x0000000075460000-0x0000000075490000-memory.dmp

    Filesize

    192KB

  • memory/1660-2-0x0000000000260000-0x0000000000266000-memory.dmp

    Filesize

    24KB