dridex | 4cfc722887833a0e81a58c3ef14d6f262f547458c42d132cf81550908e2a883a

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ded4851735984eaea3703d99ff5bce5f.dll
Size

184KB
MD5

ded4851735984eaea3703d99ff5bce5f
SHA1

cb0c7324feb4b352c173e37ca2c3d531b6aebfd0
SHA256

4cfc722887833a0e81a58c3ef14d6f262f547458c42d132cf81550908e2a883a
SHA512

a24be884b23f38c6d588471831d625e0d3ebea19c6598e651c0d2c20de8ba6f0d439b30f18e2ab2c8042ffa48b672d95a9631577521ac78188b743b5890ba085
SSDEEP

3072:7hd6lp2ffOeP3gv+i4W63iFfKfXM9mQltYwgO226+f33JKVQcY:73fOeIv54W6SFKfc9me9v9/JKV

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

51.79.50.122:443

222.124.142.67:10443

138.201.222.158:4664

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2472-0-0x0000000074990000-0x00000000749C0000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2248 2472 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2248	2472	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1464 wrote to memory of 2472	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 2472	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 2472	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 2472	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 2472	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 2472	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 2472	1464	rundll32.exe	rundll32.exe
PID 2472 wrote to memory of 2248	2472	rundll32.exe	WerFault.exe
PID 2472 wrote to memory of 2248	2472	rundll32.exe	WerFault.exe
PID 2472 wrote to memory of 2248	2472	rundll32.exe	WerFault.exe
PID 2472 wrote to memory of 2248	2472	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ded4851735984eaea3703d99ff5bce5f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ded4851735984eaea3703d99ff5bce5f.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 288
3⤵
- Program crash
PID:2248

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2472-0-0x0000000074990000-0x00000000749C0000-memory.dmp

Filesize
192KB

Download
memory/2472-1-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download