dridex | f61f9a3bc273cd7d621676204a17172d7909e0b159467b3285e3f0dc3c92878c

Analysis

max time kernel
142s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de9499d5980769c0882dadc573e995a2.dll
Size

188KB
MD5

de9499d5980769c0882dadc573e995a2
SHA1

2e305eb42debebf4a61ece60faab4d67546557d9
SHA256

f61f9a3bc273cd7d621676204a17172d7909e0b159467b3285e3f0dc3c92878c
SHA512

56c0b5be3875773932186ce2a32d78d6a9b2f46c76c2304bb9ef9a919790755d4ff548332a371a1bb02806b5aac4811cf4084f7b85ee4a3e625854f249696abd
SSDEEP

3072:2A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAobo:2zIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2924-0-0x0000000075350000-0x0000000075380000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1132 2924 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1132	2924	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2880 wrote to memory of 2924	2880	rundll32.exe	rundll32.exe
PID 2880 wrote to memory of 2924	2880	rundll32.exe	rundll32.exe
PID 2880 wrote to memory of 2924	2880	rundll32.exe	rundll32.exe
PID 2880 wrote to memory of 2924	2880	rundll32.exe	rundll32.exe
PID 2880 wrote to memory of 2924	2880	rundll32.exe	rundll32.exe
PID 2880 wrote to memory of 2924	2880	rundll32.exe	rundll32.exe
PID 2880 wrote to memory of 2924	2880	rundll32.exe	rundll32.exe
PID 2924 wrote to memory of 1132	2924	rundll32.exe	WerFault.exe
PID 2924 wrote to memory of 1132	2924	rundll32.exe	WerFault.exe
PID 2924 wrote to memory of 1132	2924	rundll32.exe	WerFault.exe
PID 2924 wrote to memory of 1132	2924	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de9499d5980769c0882dadc573e995a2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de9499d5980769c0882dadc573e995a2.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 308
3⤵
- Program crash
PID:1132

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-0-0x0000000075350000-0x0000000075380000-memory.dmp

Filesize
192KB

Download
memory/2924-1-0x00000000000C0000-0x00000000000C6000-memory.dmp

Filesize
24KB

Download