dridex | a5baf577e5e63b9fb3a07ab4a19bec2fcf328d1830e01e8820d03bd5be05ad9e

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 20:50

Target

d9ca82405ae71b174f07de2f049ca432.dll
Size

188KB
MD5

d9ca82405ae71b174f07de2f049ca432
SHA1

67b5a67688cad18f188c982d8c6aa2cc894fbfb9
SHA256

a5baf577e5e63b9fb3a07ab4a19bec2fcf328d1830e01e8820d03bd5be05ad9e
SHA512

e5a93fc6c0225be0aa77d3d45debde337e7286b006a364d70e99438dd5fa2038a4e4ab8fe03ddbdd5f3f00245410353d63eec97296abca1db63524bc7d44688e
SSDEEP

3072:8A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoWo:8zIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/2748-0-0x0000000074BD0000-0x0000000074C00000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3020 2748 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3020	2748	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2024 wrote to memory of 2748	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2748	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2748	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2748	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2748	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2748	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2748	2024	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 3020	2748	rundll32.exe	WerFault.exe
PID 2748 wrote to memory of 3020	2748	rundll32.exe	WerFault.exe
PID 2748 wrote to memory of 3020	2748	rundll32.exe	WerFault.exe
PID 2748 wrote to memory of 3020	2748	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d9ca82405ae71b174f07de2f049ca432.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d9ca82405ae71b174f07de2f049ca432.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 300
    3⤵
    - Program crash
    PID:3020

memory/2748-0-0x0000000074BD0000-0x0000000074C00000-memory.dmp

Filesize
192KB

Download
memory/2748-1-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download