dridex | d3b9306ca7604ecd7f220ff26892500e298e600f81928745153a4ea47116f1cc

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 16:37

Target

d94886c8a6847552a845953b509750f8.dll
Size

184KB
MD5

d94886c8a6847552a845953b509750f8
SHA1

818662c5a632656bcec1b82844d52e95aa07e3aa
SHA256

d3b9306ca7604ecd7f220ff26892500e298e600f81928745153a4ea47116f1cc
SHA512

b764f103c6148d158daf29be26b452d4b18878a6a820337c89eeab48e74cc35ac652af45301680423d1c42126b7640d354874956bd1d78995323298d18c8ce25
SSDEEP

3072:yhd6lp2ffOeP3gv+i4W63iFfKfXM9mQltYwgO226+f33JWVQcY:y3fOeIv54W6SFKfc9me9v9/JWV

Score

10^/10

Family

dridex

Botnet

22201

51.79.50.122:443

222.124.142.67:10443

138.201.222.158:4664

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/2088-0-0x0000000074E80000-0x0000000074EB0000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2888 2088 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2888	2088	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1636 wrote to memory of 2088	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2088	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2088	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2088	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2088	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2088	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2088	1636	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 2888	2088	rundll32.exe	WerFault.exe
PID 2088 wrote to memory of 2888	2088	rundll32.exe	WerFault.exe
PID 2088 wrote to memory of 2888	2088	rundll32.exe	WerFault.exe
PID 2088 wrote to memory of 2888	2088	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d94886c8a6847552a845953b509750f8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d94886c8a6847552a845953b509750f8.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 280
    3⤵
    - Program crash
    PID:2888

memory/2088-0-0x0000000074E80000-0x0000000074EB0000-memory.dmp

Filesize
192KB

Download
memory/2088-2-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download