dridex | 8c5dd910e17d1e866cabb0cbfb1da8f54ee330640becc2962934003193156cb1

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0ce63a140df443f3ec90da8ead8343c.dll
Size

188KB
MD5

e0ce63a140df443f3ec90da8ead8343c
SHA1

63b0d35bcdc2e596590244c028367fd28ec36700
SHA256

8c5dd910e17d1e866cabb0cbfb1da8f54ee330640becc2962934003193156cb1
SHA512

a836c974a99da0f59c8155d4830ddc6f44f49933e5f0ed779a3f351119bc4a604a10b68b5b6bc172d27cc3c40b92c322ce713e0fe580ab0c5f1c02c8ffdf6649
SSDEEP

3072:hA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoXo:hzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2868-0-0x0000000075350000-0x0000000075380000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2084 2868 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2084	2868	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2296 wrote to memory of 2868	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 2868	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 2868	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 2868	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 2868	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 2868	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 2868	2296	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 2084	2868	rundll32.exe	WerFault.exe
PID 2868 wrote to memory of 2084	2868	rundll32.exe	WerFault.exe
PID 2868 wrote to memory of 2084	2868	rundll32.exe	WerFault.exe
PID 2868 wrote to memory of 2084	2868	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0ce63a140df443f3ec90da8ead8343c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0ce63a140df443f3ec90da8ead8343c.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 308
3⤵
- Program crash
PID:2084

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-0-0x0000000075350000-0x0000000075380000-memory.dmp

Filesize
192KB

Download
memory/2868-1-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download