dridex | 36800c7345fe7b9fe77d8828a6a539bebe845eab1c071258b004367d45428a2a

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 12:24

Target

d8cb8ea5f37cde6a0ecd69e11fb3a988.dll
Size

188KB
MD5

d8cb8ea5f37cde6a0ecd69e11fb3a988
SHA1

997e9086061b7d7ba0747468dc2d034e749c9fd5
SHA256

36800c7345fe7b9fe77d8828a6a539bebe845eab1c071258b004367d45428a2a
SHA512

43c07cd8d375e39c0d3980c18b40db9236202207a396cfa327391e5c0dd33e2cac4b488c1cafe3d4c17abbc394c96d8300200f38c229515e1066f264ca384573
SSDEEP

3072:KH0uyjZqEpAK+Gf78TBdrXkTM5vhRg9Esf0DwvtyMpVnpA+z6tX8sxKViWZ7dU:KUua/Pv7YNhRIEZDeXVpAxtMsxK

Score

10^/10

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/2156-0-0x0000000074E10000-0x0000000074E40000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1988 2156 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1988	2156	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1656 wrote to memory of 2156	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2156	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2156	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2156	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2156	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2156	1656	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 2156	1656	rundll32.exe	rundll32.exe
PID 2156 wrote to memory of 1988	2156	rundll32.exe	WerFault.exe
PID 2156 wrote to memory of 1988	2156	rundll32.exe	WerFault.exe
PID 2156 wrote to memory of 1988	2156	rundll32.exe	WerFault.exe
PID 2156 wrote to memory of 1988	2156	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8cb8ea5f37cde6a0ecd69e11fb3a988.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8cb8ea5f37cde6a0ecd69e11fb3a988.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 300
    3⤵
    - Program crash
    PID:1988

memory/2156-0-0x0000000074E10000-0x0000000074E40000-memory.dmp

Filesize
192KB

Download
memory/2156-2-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download