dridex | c1ce670b7ef5fa9a7de5a0009f618fe8aa66f4ce4dfe71b43557a8b1f0b73e16

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0d6378566342a725b5ec723f85b5084.dll
Size

188KB
MD5

e0d6378566342a725b5ec723f85b5084
SHA1

ea32588f2e222aed82b11ab9547c8ca52a3118f8
SHA256

c1ce670b7ef5fa9a7de5a0009f618fe8aa66f4ce4dfe71b43557a8b1f0b73e16
SHA512

4d80b7c136b1175e7ac2665e3deec13f5403aef02b404f3461d16b5bd5b8d3ecb77916560257bb9e6de8afc3bd824b9f21b9bf6899194704f62c0ad1ce988706
SSDEEP

3072:FA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoBo:FzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/848-0-0x0000000074DF0000-0x0000000074E20000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2192 848 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2192	848	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1408 wrote to memory of 848	1408	rundll32.exe	rundll32.exe
PID 1408 wrote to memory of 848	1408	rundll32.exe	rundll32.exe
PID 1408 wrote to memory of 848	1408	rundll32.exe	rundll32.exe
PID 1408 wrote to memory of 848	1408	rundll32.exe	rundll32.exe
PID 1408 wrote to memory of 848	1408	rundll32.exe	rundll32.exe
PID 1408 wrote to memory of 848	1408	rundll32.exe	rundll32.exe
PID 1408 wrote to memory of 848	1408	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 2192	848	rundll32.exe	WerFault.exe
PID 848 wrote to memory of 2192	848	rundll32.exe	WerFault.exe
PID 848 wrote to memory of 2192	848	rundll32.exe	WerFault.exe
PID 848 wrote to memory of 2192	848	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0d6378566342a725b5ec723f85b5084.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0d6378566342a725b5ec723f85b5084.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 308
3⤵
- Program crash
PID:2192

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-0-0x0000000074DF0000-0x0000000074E20000-memory.dmp

Filesize
192KB

Download
memory/848-1-0x0000000000160000-0x0000000000166000-memory.dmp

Filesize
24KB

Download