Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    04-03-2024 02:10

General

  • Target

    b0f65a63dd08f3977dc1bedaf30aaec5.dll

  • Size

    184KB

  • MD5

    b0f65a63dd08f3977dc1bedaf30aaec5

  • SHA1

    1d9428fe595de912eb087a568144a2e5e90fb545

  • SHA256

    84335aac46b5b746dbcace6e04e4d3af2e7f7bda72da361a6777091ad9dfc09f

  • SHA512

    634fd7189f848bdee1860567f319a9711cfdedb892b668bfa52f781e9483036af20a1de841bcad43dbe84e082d8fc606ef139ee0657054701e53f51de65692d1

  • SSDEEP

    3072:nqJs2vTNBtg6SSiP2uPGub071f8eWdwBIZ2qSeOVg2f0LhSLl8Vaci2+e2f2:nqbNfaScP47aeWdWqgj0LI86b

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

134.209.182.12:443

188.40.100.254:4664

103.109.247.9:10443

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0f65a63dd08f3977dc1bedaf30aaec5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0f65a63dd08f3977dc1bedaf30aaec5.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 252
        3⤵
        • Program crash
        PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2704-0-0x0000000074820000-0x000000007484F000-memory.dmp

    Filesize

    188KB

  • memory/2704-1-0x00000000000E0000-0x00000000000E6000-memory.dmp

    Filesize

    24KB