Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-03-2024 12:19

General

  • Target

    b21ab010650622a98ddb2884260f5d59.dll

  • Size

    184KB

  • MD5

    b21ab010650622a98ddb2884260f5d59

  • SHA1

    1beeb79e8a85555804ad2fec07feae4561119818

  • SHA256

    57b447e662295400352d20ecf1a8e93345e4c38b28ecdd49b05c331a90e9462f

  • SHA512

    551c68976676c1a9408862ff27cf07fa2749c388eafe9045cbd793d665339d6e602d69924c322bc11adc1592b0e051f114881b02016335e83bba2e100452a755

  • SSDEEP

    3072:Ghd6lp2ffOeP3gv+i4W63iFfKfXM9mQltYwgO226+f33J4VQcY:G3fOeIv54W6SFKfc9me9v9/J4V

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

51.79.50.122:443

222.124.142.67:10443

138.201.222.158:4664

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b21ab010650622a98ddb2884260f5d59.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b21ab010650622a98ddb2884260f5d59.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 280
        3⤵
        • Program crash
        PID:2184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2760-0-0x0000000075110000-0x0000000075140000-memory.dmp

    Filesize

    192KB

  • memory/2760-1-0x0000000000140000-0x0000000000146000-memory.dmp

    Filesize

    24KB