dridex | ea3300223c459fe18bac3cf852030fb16d2439b842e4fa4ef6a2dcf7a52b8344

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 05:56

Target

dadc592cb18b079b0257928fd637e531.dll
Size

188KB
MD5

dadc592cb18b079b0257928fd637e531
SHA1

895328b01b7c25ff3eb36ad6876c277be7387f49
SHA256

ea3300223c459fe18bac3cf852030fb16d2439b842e4fa4ef6a2dcf7a52b8344
SHA512

903b571f7c52616e2d3f9fe9b63aaabea65b65e49c2717d4cc4a94888e8cdcf44febf8a81582f131ba6cdd1df1edaf5c5e0e13bbb31445f58951fec536f31b61
SSDEEP

3072:SA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoHo:SzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral1/memory/2164-0-0x0000000074F50000-0x0000000074F80000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2912 2164 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2912	2164	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2108 wrote to memory of 2164	2108	rundll32.exe	rundll32.exe
PID 2108 wrote to memory of 2164	2108	rundll32.exe	rundll32.exe
PID 2108 wrote to memory of 2164	2108	rundll32.exe	rundll32.exe
PID 2108 wrote to memory of 2164	2108	rundll32.exe	rundll32.exe
PID 2108 wrote to memory of 2164	2108	rundll32.exe	rundll32.exe
PID 2108 wrote to memory of 2164	2108	rundll32.exe	rundll32.exe
PID 2108 wrote to memory of 2164	2108	rundll32.exe	rundll32.exe
PID 2164 wrote to memory of 2912	2164	rundll32.exe	WerFault.exe
PID 2164 wrote to memory of 2912	2164	rundll32.exe	WerFault.exe
PID 2164 wrote to memory of 2912	2164	rundll32.exe	WerFault.exe
PID 2164 wrote to memory of 2912	2164	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dadc592cb18b079b0257928fd637e531.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dadc592cb18b079b0257928fd637e531.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 308
    3⤵
    - Program crash
    PID:2912

memory/2164-0-0x0000000074F50000-0x0000000074F80000-memory.dmp

Filesize
192KB

Download
memory/2164-1-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download